It is interesting to see how spammers and malware authors combine their efforts, switching, mixing, tweaking, or enhancing their tactics to send out mass emails and phishing campaigns, with an emphasis on localized attacks (confined to one language and its corresponding region) as well as globalized ones.
Websense has discovered an ecosystem that represents the combined tactics of spammers and malware authors targeting Brazilian users. This ecosystem comprises automated bots and templates of spam content with links that encourage users to watch a video on YouTube (the Brazilian site). Through these email campaigns, the spammers lure targeted users to a fake page that resembles the Adobe Flash Player download site (Brazilian version), encouraging them to download an Adobe Flash installer which is actually a malicious executable.
Screenshot of the site hosting the automated bots and the templates of the spam content:
Screenshot showing the different automated bots:
While some of the spammers are busy harvesting email addresses to be used or sold later, others come up with creative and artistic elements and content for the spam. Note that the spam templates are in HTML format, with a brief YouTube video description and a corresponding link whose embedded target is actually the fake Adobe site.
Screenshot of the different templates containing spam content with links to the YouTube video:
It is also interesting to see how spammers build their spam templates from real video content and the corresponding video link on the YouTube site. Note that spammers include a popular video and its details in their templates, including the proper title and some information about the person who uploaded the video, to increase their chances of success with their attacks.
Screenshot of the YouTube videos used in spam templates:
The mass-mailing campaigns encourage users to visit the YouTube video link. Upon clicking it, users are directed to a page that resembles the real Adobe Flash Installer download site, which attempts to dupe them into downloading and installing a supposed Flash player.
To prevent their fake Adobe Flash installer page from being blacklisted or blocked by antispam filters, spammers use the well-known technique of redirection via an obfuscated script. The malicious executable is served from a location different from both the spammed link and the fake Adobe site that the link redirects to. These tactics clearly show the combined efforts of malware authors and spammers to increase the success rate of their attacks.
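The two traits described above (a link whose visible text advertises a YouTube video while its href points at the fake Adobe site, and an installer that is really an executable served from yet another host) are the kind of thing a mail gateway or analyst script can check for statically, before any redirect is followed. The following is an added example written for this article, not Websense's code or anything recovered from the spammers' templates; the HTML template and every domain in it are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample in the style of the templates described above: a short
# video blurb, an uploader line, and links whose visible text names YouTube
# while the real destination is elsewhere. All hosts are placeholders.
SAMPLE_TEMPLATE = """
<html><body>
<p>Veja o video mais assistido da semana!</p>
<p>Enviado por: usuario_exemplo</p>
<a href="http://flash-download.example.net/install.php?vid=123">
  http://www.youtube.com.br/watch?v=abc123
</a>
<a href="http://www.youtube.com/watch?v=xyz789">Assista no YouTube</a>
<a href="http://cdn.example.org/Adobe_Flash_Player.exe">Baixar Adobe Flash Player</a>
</body></html>
"""

# File extensions that should never be the direct target of a mail link.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".bat", ".pif", ".cmd")


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._chunks = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._chunks = []

    def handle_data(self, data):
        if self._href is not None:
            self._chunks.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Collapse whitespace so a URL split across lines is kept intact.
            text = " ".join("".join(self._chunks).split())
            self.anchors.append((self._href, text))
            self._href = None
            self._chunks = []


def registrable_host(url):
    """Lower-cased hostname of a URL with a leading 'www.' dropped."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def analyse_anchors(html_text):
    """Return one finding dict per suspicious anchor in an HTML mail body."""
    parser = _AnchorCollector()
    parser.feed(html_text)
    findings = []
    for href, text in parser.anchors:
        host = registrable_host(href)
        # If the visible text is itself a URL, extract the host it displays.
        text_host = registrable_host(text) if text.startswith(("http://", "https://")) else ""
        reasons = []
        # Visible text advertises YouTube but the link goes to another domain.
        if "youtube" in text.lower() and "youtube" not in host:
            reasons.append("youtube_text_foreign_href")
        # Displayed URL and actual destination disagree.
        if text_host and text_host != host:
            reasons.append("displayed_url_mismatch")
        # Link points straight at an executable (the fake installer pattern).
        if urlparse(href).path.lower().endswith(EXECUTABLE_SUFFIXES):
            reasons.append("direct_executable_download")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyse_anchors(SAMPLE_TEMPLATE):
        print(finding["href"], "->", ", ".join(finding["reasons"]))
```

Run against the sample, the first anchor is flagged for both the YouTube-text mismatch and the displayed-URL mismatch, the genuine YouTube link is left alone, and the third anchor is flagged as a direct executable download. Because the check is purely static it says nothing about the obfuscated redirect script on the landing page; it is a cheap first filter, meant to be followed by URL reputation or sandboxed fetching of anything it flags.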
Screenshot showing the entire operation:
The entire ecosystem reflects the spammers' and malware authors' mindset: developing an efficient system that can reach their prospective "customers" and target them successfully.
Security Researcher: Sumeet Prasad