An animated August

We’ve recently detected yet another new trick being used by spammers.

Spam is no longer being sent only as a static image in an attachment, but also as an animated image. Spammers are using GIF animation, which all popular browsers (and the HTML mail clients that rely on them) will recognize and display.

Typically, animated spam has between two and four frames, of which only one actually carries the information about the goods or service being promoted. The remaining frames simply act as background, or contain other pictorial elements. The main frame is displayed to the user for up to 10 minutes, while each of the remaining frames is shown for mere tenths of a second.

The screenshot on the left shows the main frame of such a message; on the right is an example of one of the remaining frames (the original message contained three frames in all).

As far as we can tell, animation is at the moment confined to stock spam (i.e. spam which promotes specific stocks). However, there is nothing to say that this technique won’t become widespread in the future.

Spammers are constantly developing new techniques to evade spam filters. Whether animation will make spam harder to detect isn’t yet clear. It’s true that many spam filters don’t analyze the actual graphics in a message; most analyze the message structure, the text content and so on. Animated spam may well cause serious problems for simple filters which operate purely by analyzing text characters and which don’t analyze text rendered as graphics. However, such filters are ill equipped to cope with any type of graphical spam, animated or not.
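The timing pattern described above (one frame held for minutes, the others flashed for tenths of a second) is itself a usable signal, because it is encoded in the GIF file rather than in the pixels. The following is an added example, not code from the original post: a pure-Python routine that walks the GIF block structure, reads each frame's delay from its Graphic Control Extension and flags images that match that pattern. The thresholds (a frame held for at least 5 seconds, all other frames shown for at most 0.5 seconds), the helper that builds the sample GIF and the sample delays are assumptions made for this example. One caveat worth knowing: a GIF delay is a 16-bit count of hundredths of a second, so 655.35 seconds is the longest any frame can be held, which is close to the "up to 10 minutes" observed in the spam.

```python
import struct

# A GIF frame delay is a 16-bit count of hundredths of a second (GIF89a
# Graphic Control Extension), so a single frame can be held for at most
# 65535 / 100 = 655.35 s, roughly the "up to 10 minutes" seen in the wild.
MAX_GIF_DELAY_S = 0xFFFF / 100.0

# Minimal valid LZW image data for a 1x1 frame (min code size 2: clear, index 0, end).
_ONE_PIXEL = b"\x02\x02\x44\x01\x00"


def build_gif(delays_s):
    """Construct a 1x1 GIF89a with one frame per delay (constructed test input only)."""
    # Header, logical screen descriptor (global colour table flag set, 2 entries), 2-colour table.
    out = bytearray(b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0))
    out += bytes([0, 0, 0, 255, 255, 255])
    for d in delays_s:
        hundredths = min(int(round(d * 100)), 0xFFFF)   # field is 16 bits; clamp like an encoder would
        # Graphic Control Extension: introducer, label, block size, packed, delay, transparent idx, terminator.
        out += b"\x21\xF9\x04" + struct.pack("<BHB", 0, hundredths, 0) + b"\x00"
        # Image descriptor (no local colour table) followed by the image data.
        out += b"\x2C" + struct.pack("<HHHHB", 0, 0, 1, 1, 0) + _ONE_PIXEL
    out += b"\x3B"                                       # trailer
    return bytes(out)


def _skip_sub_blocks(data, pos):
    """Advance past a chain of length-prefixed sub-blocks ending in a 0 byte."""
    while True:
        size = data[pos]
        pos += 1
        if size == 0:
            return pos
        pos += size


def frame_delays(gif):
    """Return each frame's display delay in seconds, in frame order."""
    if gif[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    pos = 6
    _w, _h, packed, _bg, _aspect = struct.unpack_from("<HHBBB", gif, pos)
    pos += 7
    if packed & 0x80:                      # global colour table present
        pos += 3 * (2 << (packed & 0x07))
    delays, pending = [], 0
    while pos < len(gif):
        block = gif[pos]
        pos += 1
        if block == 0x3B:                  # trailer
            break
        if block == 0x21:                  # extension block
            label = gif[pos]
            pos += 1
            if label == 0xF9:              # Graphic Control Extension: packed, delay, transparent index
                _packed, pending, _transp = struct.unpack_from("<BHB", gif, pos + 1)
            pos = _skip_sub_blocks(gif, pos)   # also skips comment/application/plain-text extensions
        elif block == 0x2C:                # image descriptor = one frame
            _l, _t, _fw, _fh, ipacked = struct.unpack_from("<HHHHB", gif, pos)
            pos += 9
            if ipacked & 0x80:             # local colour table present
                pos += 3 * (2 << (ipacked & 0x07))
            pos += 1                       # LZW minimum code size
            pos = _skip_sub_blocks(gif, pos)
            delays.append(pending / 100.0)
            pending = 0                    # a GCE applies only to the frame that follows it
        else:
            raise ValueError("unknown block 0x%02x at offset %d" % (block, pos - 1))
    return delays


def looks_like_animated_spam(delays, held_s=5.0, flash_s=0.5):
    """Heuristic for the observed pattern: one frame held for seconds or minutes,
    every other frame flashed for a fraction of a second. Thresholds are assumptions."""
    if len(delays) < 2:
        return False
    ordered = sorted(delays)
    main, rest = ordered[-1], ordered[:-1]
    return main >= held_s and all(d <= flash_s for d in rest)


if __name__ == "__main__":
    # Constructed sample: a 600 s main frame plus two tenth-of-a-second distractor frames.
    sample = build_gif([600, 0.1, 0.1])
    delays = frame_delays(sample)
    print(delays, looks_like_animated_spam(delays))
    # An ordinary animation with evenly timed frames is not flagged.
    print(looks_like_animated_spam(frame_delays(build_gif([0.2, 0.2, 0.2]))))
```

The practical consequence for a filter that does look at graphics is which frame it looks at: OCR or perceptual hashing applied to the longest-held frame sees the advertisement, while the same analysis applied to the first frame, a random frame or the file as a whole may see only the background frames.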

On the other hand, although animating the message is a novel trick, better spam filters are already able to detect and filter out animated spam.
