Spam and phishing mail

More stock (s)[p]{m}!

Most recent spammer innovations have centered around “pump and dump spam”. This is what spammers were mass-mailing out in those .pdf and .fdf attachments that we’ve seen recently. And this is the spam that comes in graphics files, with the text often rotated several degrees, and other spammer tricks.

And now we’ve seen the latest innovation, which really had me scratching my head. This spam is designed for die-hard puzzlers: the spammers have taken a very strange approach – splitting key words, such as ‘stock’, ‘buy’ etc. with non-alphabetic characters. The problem is that the plethora of non-letter symbols – curved brackets, asterisks etc. – make it very hard to read the text. In fact, someone would have to be extremely motivated to read such an email all the way through.

[u][g]{e} {N}[e][w](s) To Impa_ct <C> [Y](T)(V)

[u][g]{e} {N}[e][w](s) To Impa_ct <C> [Y](T)(V)

Chi,na YouT-V <C> [o](r){p}
S,ymbol: [C] <Y> [T](V)

We [h]{a}(v)[e] already (s) <e> <e> (n) CY*TV's m^arket imp.act bef^ore c*l^imbing to {o}(v){e}[r] $2*.00 (w)[i](t)(h) (n)(e) <w> [s]

Pre#ss Re,lease:
Chi^na YouTV^'s C-nBoo (W)(e){b} <s> {i}(t)(e) Ran#ks [N][o][.][1] on Micros
o*ft [L](i){v}(e) Searc#h Engi#ne

Of course, spammers are just trying to get round spam filters to deliver their message to end users. But they seem to have forgotten one very simple rule – it’s not enough simply to get the spam to the mail box, the user has to read it, too! And who is going to plough their way through a strange message crammed with a variety of brackets and other out of place punctuation marks?
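From the filter's side, the obfuscation shown above is cheap to undo and is itself a usable signal. The following is an added example, not code from the original post: a normalizer that glues bracketed single letters back into words and strips the filler symbols before keyword matching, plus a filler-to-letter ratio that flags the message even when no keyword survives. The sample message and the keyword list are constructed for this illustration.

```python
import re

# Constructed sample, modelled on the obfuscated stock spam quoted above (not a real message).
SAMPLE = """[u][g]{e} {N}[e][w](s) To Impa_ct <C> [Y](T)(V)
Chi,na YouT-V <C> [o](r){p}
S,ymbol: [C] <Y> [T](V)
We [h]{a}(v)[e] already (s) <e> <e> (n) CY*TV's m^arket imp.act bef^ore c*l^imbing
Pre#ss Re,lease:"""

# One letter wrapped in any bracket style; a run of these (spaces allowed) is one word.
_FRAGMENT = r"[\[({<][ \t]*([A-Za-z])[ \t]*[\])}>]"
_FRAGMENT_RUN = re.compile(r"(?:" + _FRAGMENT + r"[ \t]*)+")
# Filler symbols the spammer drops inside words ("m^arket", "Pre#ss", "Impa_ct").
_FILLER = re.compile(r"[*^#_]")
# Comma, dot or hyphen counts as a word splitter only when it sits directly between two
# letters ("Chi,na", "imp.act"); this also strips dots inside domain names, fine for scoring.
_SPLIT_PUNCT = re.compile(r"(?<=[A-Za-z])[,.\-](?=[A-Za-z])")

# Constructed keyword list; "stock" and "buy" are the words the spam tries hardest to hide.
KEYWORDS = ("stock", "buy", "symbol", "news", "press release", "market", "impact")


def _join_fragments(m: re.Match) -> str:
    """Glue the letters of one bracketed run back into a single word."""
    return "".join(re.findall(_FRAGMENT, m.group(0))) + " "


def normalize(text: str) -> str:
    """Undo the bracket-and-filler obfuscation so a keyword filter sees plain words."""
    text = _FRAGMENT_RUN.sub(_join_fragments, text)
    text = _FILLER.sub("", text)
    text = _SPLIT_PUNCT.sub("", text)
    return re.sub(r"[ \t]+", " ", text).strip()


def find_keywords(text: str, normalized: bool = True) -> list[str]:
    """Keywords present in the message, matched on the raw or the normalized text."""
    haystack = (normalize(text) if normalized else text).lower()
    return [k for k in KEYWORDS if k in haystack]


def filler_ratio(text: str) -> float:
    """Bracket/filler symbols per letter: the obfuscation itself is a strong signal."""
    letters = sum(c.isalpha() for c in text)
    fillers = len(re.findall(r"[\[\](){}<>*^#_]", text))
    return fillers / max(letters, 1)


if __name__ == "__main__":
    print("raw keywords:       ", find_keywords(SAMPLE, normalized=False))
    print("normalized keywords:", find_keywords(SAMPLE))
    print("filler ratio:        %.2f" % filler_ratio(SAMPLE))
```

On the raw sample no keyword matches at all; after normalization five of them do, and the filler ratio alone is far above anything a legitimate message produces.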

If we take a look at the history of spam evolution, we can see that this isn’t something totally new. In 2003, spammers conducted similar experiments, littering their emails with symbols and non-Latin letters, resulting in messages that looked like this:

Vl/GR/| $0.95 /l)0SE
C|/|L|S $2.00 /|)0SE
}{E|||C/lL $0.91 /l)()SE
PR()PECl/|GR/, GLUC()PH/|GR/|GE, V|0} {}{,
CELEBRE}{, |/|ERl|)l/, Z()L0FF, P/l}{lL, LlP|T()R
E ll T E R

The result was almost unreadable emails, which quickly disappeared from the scene. Spammers clearly decided that this wasn’t a promising approach. However, either they got some return on their mass-mailings, or what we’re seeing now is a new generation of spammers who haven’t learnt from the mistakes of the past. We’ll see how long this latest wave lasts.
