My first article published on Kevin Townsend’s ITSecurity.co.uk blog: “Blog comment spam. Is it worth the effort?” Read it at this link: http://itsecurity.co.uk/2015/01/blog-comment-spam-worth-effort/
Spam & Phishing
A classic phishing email… Nothing special (same bad English, as always): Dear Valued Customer, Unauthorized access has been detected in your account. Unfortunately, due to this event, our security system has limited the access to your account. Account Limitations prevent you from completing certain actions with your account, such as withdrawing, sending, or receiving money. These limitations are implemented when we see unusual or suspicious activity to help protect both PayPal buyers and sellers. Please verify your account by completing the form which is attached in this email. By doing this, restrictions in your account will be lifted. We apologize…
“There’s a new personal notification message special for Sorin Mustaca” is the subject of the email pretending to come from “Automation LinkedInNotifier”. But then, why is it coming from “firstname.lastname@example.org”? Come on spammers, you disappoint me 🙂 Anybody can see it is a fake… And “Linked In”? Not even this is right… It is just an online pharmacy … from Russia “with a lot of Love”:
You unsubscribe from commercial emails that you never requested: Remember that spam emails are made to look authentic. This means that they will almost always contain some links which claim to let you unsubscribe. But instead of unsubscribing you, they just let the spammer verify that your email address is valid. Don’t unsubscribe! Just mark the email as spam and the email client will do the rest. If you know how to do that, report it to SpamCop or other organizations that deal with spam.
Remember the Spammer’s Compendium (where I have a spam method named after me: (UH!Mustaca!HTML))? There is an entry from 2003 called “Ze Foreign Accent”. Back then it was rather primitive, but now it comes in a much improved (if we can say that) form: The link on “Click here” goes to a Google Drive hosted site which has been removed in the meantime. Fortunately, GMail detects it as spam as you can see in the picture.
A spam campaign sending emails from an “Auto ImageService” with the subject “Your file has been uploaded” is making the rounds on the Internet. The content of the email (see below) is very simple and advertises a link to a photo taken with a digital camera (DCIM stands for Digital Camera IMages) which was allegedly uploaded to some online image service. And now to my question: How do you react if you see such an email in your Inbox? I guess most people would think: “What file? Oh, a photo? Hmm…” And here it goes: – You know…
It seems that most research on social engineering is done these days by spammers. Using the text “You haven’t been to Facebook for a few days, and a lot happened while you were away”, the spam message contains the trigger which will make many people click on the message: “Your messages will be deleted soon”. Ohhhh, so, if you don’t click on “View messages” then the messages will be deleted? This is a good one. To all those who really think that something like this is possible: Stay calm, nobody is ever going to delete your messages. And, Facebook…
Stock Spam is back! Did you miss it? I certainly didn’t… What is interesting? All these emails are unique. They are created for each email address and contain a unique identifier like 7b9212dcf62a731709b131d84f6e1cb8ec6e44d0bba47030be135d9f. This suggests to me that they are generated using the same spam generator. They are being sent using compromised accounts and servers. Fortunately, GMail catches all of them.
A German reader who wants to emigrate to the US expects nothing less than an invitation from the US President Barack Obama to participate in a visa lottery. Or at least this is what the spammers who send this email think. To make things even more interesting, you also get a free flight to the US. But just one 🙂 Funny, indeed.
I already wrote about spam impersonating various services just to make users click in order to visit a website. Most of the time, it is about online pharmacies. This time, it is Google’s Support that is impersonated, as if it were contacting the user to restore damaged messages. I leave aside the fact that this is technically questionable. Same as last time, the links point to a .PL file (Perl script) which contains just a redirect to a Russian website. Last time it was bestpillgroup.ru, now it is curingpillsquality.ru. Not surprisingly, they point to the same IP address: 18.104.22.168 which seems to be inactive now….