Spam and phishing mail

Changing characters: Something exotic in place of regular Latin script

Spammers use all types of tricks to bypass spam filters: adding ‘noise’ to texts, inserting redirects to advertised sites, replacing text with pictures – anything to stop the automatic filter from reading the keywords and blocking the message. Recently, we’ve been seeing a trend to replace Latin characters with similar-looking symbols from other alphabets. This “font kink” is especially typical of phishing messages written in Italian.

Non-Latin characters are inserted in place of similar-looking Latin characters both in the “Subject” field and in the body of the message. Here is an example of what headers obscured with ‘foreign’ symbols look like:

rubinstein_latin_01

And here is an example of a phishing message using the name of the PayPal payment system and using the same trick. Words containing non-Latin characters are underlined in the first lines; the reader can take a magnifying glass and search for more in the remainder of the text:

rubinstein_latin_02

Thanks to the UTF-8 coding system, characters from many types of writing systems can be combined within the same email. In the above examples, we saw Cyrillic and Greek characters as well as phonetic (IPA) symbols. Spammers use this as a trick to bypass spam filters. However, the spam filters in Kaspersky Lab products are designed in such a way that they cannot be easily deceived, even if Greek letters or phonetic symbols are used.

Changing characters: Something exotic in place of regular Latin script

Your email address will not be published. Required fields are marked *

 

  1. kenneth ridgeway

    thank you for information.

Reports

Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that the Lazarus group is going after intelligence that could help these efforts by attacking entities related to COVID-19 research.

Sunburst: connecting the dots in the DNS requests

We matched private and public DNS data for the SUNBURST-malware root C2 domain with the CNAME records, to identify who was targeted for further exploitation. In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs.

Subscribe to our weekly e-mails

The hottest research right in your inbox