Spam and phishing mail

Changing characters: Something exotic in place of regular Latin script

Spammers use all types of tricks to bypass spam filters: adding ‘noise’ to texts, inserting redirects to advertised sites, replacing text with pictures – anything to stop the automatic filter from reading the keywords and blocking the message. Recently, we’ve been seeing a trend to replace Latin characters with similar-looking symbols from other alphabets. This “font kink” is especially typical of phishing messages written in Italian.

Non-Latin characters are inserted in place of similar-looking Latin characters both in the “Subject” field and in the body of the message. Here is an example of what headers obscured with ‘foreign’ symbols look like:

rubinstein_latin_01

And here is an example of a phishing message using the name of the PayPal payment system and using the same trick. Words containing non-Latin characters are underlined in the first lines; the reader can take a magnifying glass and search for more in the remainder of the text:

rubinstein_latin_02

Thanks to the UTF-8 coding system, characters from many types of writing systems can be combined within the same email. In the above examples, we saw Cyrillic and Greek characters as well as phonetic (IPA) symbols. Spammers use this as a trick to bypass spam filters. However, the spam filters in Kaspersky Lab products are designed in such a way that they cannot be easily deceived, even if Greek letters or phonetic symbols are used.

Changing characters: Something exotic in place of regular Latin script

Your email address will not be published.

 

  1. kenneth ridgeway

    thank you for information.

Reports

The SessionManager IIS backdoor

In early 2022, we investigated an IIS backdoor called SessionManager. It has been used against NGOs, government, military and industrial organizations in Africa, South America, Asia, Europe, Russia and the Middle East.

APT ToddyCat

ToddyCat is a relatively new APT actor responsible for multiple sets of attacks against high-profile entities in Europe and Asia. Its main distinctive signs are two formerly unknown tools that we call ‘Samurai backdoor’ and ‘Ninja Trojan’.

WinDealer dealing on the side

We have discovered that malware dubbed WinDealer, spread by Chinese-speaking APT actor LuoYu, has an ability to perform intrusions through a man-on-the-side attack.

APT trends report Q1 2022

This is our latest summary of advanced persistent threat (APT) activity, focusing on events that we observed during Q1 2022.

Subscribe to our weekly e-mails

The hottest research right in your inbox