Spam and phishing

An animated August

We’ve recently detected yet another new trick being used by spammers.

Spam now isn’t just being sent as a static graphical image in an attachment, but as an animated image. Spammers are using GIF animation which will be recognized and displayed by all popular browsers.

Normally, animated spam has between two and four frames; out of these, only one of them actually contains significant information about the goods or service being promoted. The remaining frames simply act as background, or contain other pictorial elements. The main frame is displayed to the user for up to 10 minutes, while the remaining frames will be displayed for mere tenths of a second.

The screenshot on the left shows the main frame of such a message. On the right is an example of one of the remaining frames (the original message contained three frames in all.)

As far as we can tell, at the moment animation is confined to stock spam (e.g. spam which promotes specific stocks). However, there’s nothing to say that this technique won’t become widespread in the future.

Spammers are always developing new technologies in order to evade spam filters. Whether or not animation will make spam more difficult to detect isn’t yet clear. It’s true that a lot of spam filters don’t analyze the actual graphics in spam. The majority of them analyze the message structure, the text content and so on. Animated spam may well cause serious problems for simple filters which operate purely by analyzing text symbols, and which don’t analyze text in graphical form. However, such filters are ill equipped to cope with any type of graphical spam, animated or not.

On the other hand, although animating the message is a novel trick, better spam filters are able to detect and filter out animated spam.

An animated August

Your email address will not be published. Required fields are marked *



APT trends report Q1 2024

The report features the most significant developments relating to APT groups in Q1 2024, including the new malware campaigns DuneQuixote and Durian, and hacktivist activity.

Subscribe to our weekly e-mails

The hottest research right in your inbox