The emails seem to stem from “Twitter Support” (firstname.lastname@example.org), and each one is addressed to exactly one recipient address. The link in each email also seems to be unique. Quite an effort to make the email look more legitimate. The target link is always a compromised website hosting an HTML page.
After clicking on the URL, a multi-stage redirection takes place. On some of these intermediate redirection pages, our engine raises alerts because it detects encrypted content in the JavaScript.
For me personally this was a “Wow!” moment. Why did the spammers choose to send the emails as Twitter phishing? I think that the explanation is simple – they did it because nobody did it before.
As usual, users of the Avira Premium Security Suite and of our gateway products have no reason to worry: the emails are detected as phishing and all target URLs are blocked.
Three weeks ago, our spam traps received massive amounts of spam mails that looked much more like Twitter phishing. This Twitter scheme obviously doesn’t work anymore, as we are now seeing plenty of mails that look like Facebook phishing.
* Almost all the spam mails we’ve seen come from Russia (the “Received” headers show that the sender sits in Russian networks)
* There is always a fake Message-ID similar to the one from Facebook:
* The header “X-Mailer: ZuckMail [version 1.00]” is always the same
* There is an additional X-header called Errors-To with another email address at Facebook, “email@example.com”
We asked ourselves why the cyber criminals go to so much trouble creating a phishing email only to redirect the victim to an online pharmacy website. There are pros and cons to sending phishing emails that impersonate sites like Twitter and Facebook:
PRO: These sites each have at least 100 million users worldwide, so the spammers can reach a huge audience. If even 0.01% of the recipients buy something from those websites, the operation was a success.
CON: Sending such primitive phishing is a bad idea because it is very easy to detect. In practice, there are clear indications of phishing even for basic detection algorithms like those in Thunderbird.
Bottom line: the spammers are simply trying everything to get attention, and with it purchasers.
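The header traits listed above and the remark that such mails are trivially detectable can be turned into a small checker. The following Python is an added example, not code from the post or from Avira: it parses a raw message with the standard `email` module and reports the fixed X-Mailer string, an Errors-To address at facebook.com, and links in the body that lead away from the brand the From address claims. The sample message, its addresses, hosts and IP are all constructed placeholders, not real indicators. Geolocating the Received chain (the "sender sits in Russian networks" point) needs GeoIP data, so the code only extracts the first-hop IP for an analyst to look up.

```python
"""Heuristic checks for brand-themed pharmacy spam (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Indicators quoted in the post.
SPAM_XMAILER = "ZuckMail [version 1.00]"
BRAND_DOMAINS = ("facebook.com", "twitter.com")

# Constructed sample message: every address, host and IP is a placeholder.
SAMPLE_EML = """\
Received: from [203.0.113.5] (placeholder.example) by mx.example.net
From: "Facebook" <notification+placeholder@facebook.com>
To: victim@example.net
Subject: You have a new message
Message-ID: <placeholder@facebook.com>
X-Mailer: ZuckMail [version 1.00]
Errors-To: placeholder@facebook.com
Content-Type: text/html; charset=utf-8

<html><body>
<a href="http://compromised-site.example/page.html">View message</a>
</body></html>
"""


def _domain_of(addr: str) -> str:
    """Lower-cased domain part of an e-mail address ('' if none)."""
    return parseaddr(str(addr))[1].rpartition("@")[2].lower()


def _same_site(host: str, domain: str) -> bool:
    """True when host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def links_in_html(html: str) -> List[str]:
    """Crude href extraction; enough for a single-part HTML body."""
    return re.findall(r"""href\s*=\s*["']([^"']+)["']""", html, re.I)


def first_hop_ip(received_headers: List[str]) -> Optional[str]:
    """IP in the bottom-most Received header (the originating hop)."""
    if not received_headers:
        return None
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(received_headers[-1]))
    return m.group(1) if m else None


def analyze_raw(raw: str) -> Dict[str, object]:
    """Return the originating IP and a list of indicator tags for a raw mail."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings: List[str] = []

    if str(msg.get("X-Mailer", "")).strip() == SPAM_XMAILER:
        findings.append("x-mailer-template")

    errors_to = msg.get("Errors-To")
    if errors_to and _domain_of(errors_to) == "facebook.com":
        findings.append("errors-to-facebook")

    # Which brand does the From address claim?  Only then do we judge links.
    claimed = _domain_of(msg.get("From", ""))
    brand = next((d for d in BRAND_DOMAINS if _same_site(claimed, d)), None)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    if brand:
        for url in links_in_html(html):
            host = (urlparse(url).hostname or "").lower()
            if host and not _same_site(host, brand):
                findings.append(f"link-offbrand:{host}")

    return {
        "origin_ip": first_hop_ip(msg.get_all("Received") or []),
        "findings": findings,
    }


if __name__ == "__main__":
    print(analyze_raw(SAMPLE_EML))
```

The link check is the one a mail client such as Thunderbird can make without any threat intelligence: a message that claims to be from facebook.com but links to another host is suspicious on its face. The X-Mailer and Errors-To checks are campaign-specific and would be retired once the template changes.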
© Copyright 2010 Sorin Mustaca, All rights Reserved. Written For: Sorin Mustaca on Cybersecurity
Check www.mustaca.com for the IT Consulting services I offer.