Spam and phishing mail

More stock (s)[p]{m}!

Most recent spammer innovations have centered around “pump and dump” spam. This is what spammers were mass-mailing in those .pdf and .fdf attachments we’ve seen recently, and it is the same spam that arrives as image files, with the text often rotated a few degrees, among other spammer tricks.

And now we’ve seen the latest innovation, which really had me scratching my head. This spam is designed for die-hard puzzlers: the spammers have taken a very strange approach – splitting keywords such as ‘stock’, ‘buy’ etc. with non-alphabetic characters. The problem is that the plethora of non-letter symbols – curved brackets, asterisks etc. – makes the text very hard to read. In fact, someone would have to be extremely motivated to read such an email all the way through.

[u][g]{e} {N}[e][w](s) To Impa_ct <C> [Y](T)(V)

Chi,na YouT-V <C> [o](r){p}
S,ymbol: [C] <Y> [T](V)

We [h]{a}(v)[e] already (s) <e> <e> (n) CY*TV's m^arket imp.act bef^ore c*l^imbing to {o}(v){e}[r] $2*.00 (w)[i](t)(h) (n)(e) <w> [s]

Pre#ss Re,lease:
Chi^na YouTV^'s C-nBoo (W)(e){b} <s> {i}(t)(e) Ran#ks [N][o][.][1] on Micros
o*ft [L](i){v}(e) Searc#h Engi#ne

Of course, spammers are just trying to get round spam filters to deliver their message to end users. But they seem to have forgotten one very simple rule – it’s not enough simply to get the spam into the mailbox, the user has to read it, too! And who is going to plough their way through a strange message crammed with a variety of brackets and other out-of-place punctuation marks?
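From the filtering side, the trick is cheap to undo: strip the single-character wrappers and the punctuation wedged inside words, and the keyword rules the spammers were dodging fire again. The script below is an added example written for this post, not code from the original or from any vendor's filter; it normalizes the bracketed lines quoted above (copied into the script as sample input) and also scores raw symbol density, a feature that flags both this wave and the symbol-heavy 2003 messages quoted further down. The keyword list and the 0.2 density threshold are assumptions chosen for illustration.

```python
import re

# One visible character wrapped in a bracket pair: "(s)", "[p]", "{m}", "<C>".
_WRAPPED = r"[\[\(\{<][^\s\[\]\(\)\{\}<>][\]\)\}>]"
# Two or more wrapped characters in a row, optionally separated by whitespace,
# e.g. "(s) <e> <e> (n)" or "[C] <Y> [T](V)".
WRAPPED_RUN = re.compile(rf"{_WRAPPED}(?:\s*{_WRAPPED})+")
# A single junk character wedged between two letters: "Impa_ct", "m^arket", "Chi,na".
# Letters are required on both sides so "$2.00" or "1,000" are left alone.
SPLITTER = re.compile(r"(?<=[A-Za-z])[*^#,._](?=[A-Za-z])")
# Everything to drop from inside a wrapped run: the brackets and the spacing.
STRIP = re.compile(r"[\s\[\]\(\)\{\}<>]")

# Assumed keyword list for a pump-and-dump rule (illustrative, not a real filter's list).
KEYWORDS = ("stock", "buy", "symbol", "press release", "news", "market")


def normalize(text: str) -> str:
    """Undo the bracket/punctuation obfuscation so plain keyword rules see real words.

    Word boundaries inside one wrapped run are lost ("(w)[i](t)(h) (n)(e) <w> [s]"
    becomes "withnews"), which is why matching below is substring based.
    A production filter would also whitelist abbreviations such as "e.g." that the
    SPLITTER rule would otherwise join.
    """
    t = WRAPPED_RUN.sub(lambda m: STRIP.sub("", m.group(0)), text)
    t = SPLITTER.sub("", t)
    return re.sub(r"\s+", " ", t).strip().lower()


def matched_keywords(text: str) -> list:
    """Keywords found after normalization (substring match, in KEYWORDS order)."""
    norm = normalize(text)
    return [k for k in KEYWORDS if k in norm]


def raw_keywords(text: str) -> list:
    """Same rule applied to the raw line, to show what the obfuscation evades."""
    low = text.lower()
    return [k for k in KEYWORDS if k in low]


def symbol_density(text: str) -> float:
    """Share of visible characters that are neither letters nor digits."""
    visible = [c for c in text if not c.isspace()]
    if not visible:
        return 0.0
    return sum(1 for c in visible if not c.isalnum()) / len(visible)


def classify(text: str, density_threshold: float = 0.2) -> dict:
    """Flag a line if a keyword survives normalization or it is mostly symbols."""
    hits = matched_keywords(text)
    dens = symbol_density(text)
    return {
        "normalized": normalize(text),
        "keywords": hits,
        "symbol_density": round(dens, 2),
        "suspicious": bool(hits) or dens >= density_threshold,
    }


# Sample input: lines copied from the spam quoted in the post, one line from the
# 2003-style sample, and one constructed legitimate sentence for comparison.
SAMPLES = [
    "More stock (s)[p]{m}!",
    "[u][g]{e} {N}[e][w](s) To Impa_ct <C> [Y](T)(V)",
    "S,ymbol: [C] <Y> [T](V)",
    "We [h]{a}(v)[e] already (s) <e> <e> (n) CY*TV's m^arket imp.act bef^ore "
    "c*l^imbing to {o}(v){e}[r] $2*.00 (w)[i](t)(h) (n)(e) <w> [s]",
    "Pre#ss Re,lease:",
    "Vl/GR/| $0.95 /l)0SE",
    "Please see the attached quarterly report.",  # constructed clean line
]

if __name__ == "__main__":
    for line in SAMPLES:
        result = classify(line)
        print(f"{'SPAM?' if result['suspicious'] else 'ok   '} "
              f"density={result['symbol_density']:.2f} "
              f"raw={raw_keywords(line)} normalized={result['keywords']}")
        print(f"       {result['normalized']}")
```

Run it and every obfuscated line is flagged while the clean sentence is not; the raw keyword column stays empty for the bracketed lines, which is exactly the gap the spammers were aiming for. The 2003-style line carries no recoverable keyword at all, so it is caught by density alone.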

If we take a look at the history of spam evolution, we can see that this isn’t something totally new. In 2003, spammers conducted similar experiments, littering their emails with symbols and non-Latin letters, resulting in messages that looked like this:

Vl/GR/| $0.95 /l)0SE
C|/|L|S $2.00 /|)0SE
}{E|||C/lL $0.91 /l)()SE
PR()PECl/|GR/, GLUC()PH/|GR/|GE, V|0} {}{,
CELEBRE}{, |/|ERl|)l/, Z()L0FF, P/l}{lL, LlP|T()R
E ll T E R

The result was almost unreadable emails, which quickly disappeared from the scene. Spammers clearly decided that this wasn’t a promising approach. However, either they got some return on their mass-mailings, or what we’re seeing now is a new generation of spammers who haven’t learnt from the mistakes of the past. We’ll see how long this latest wave lasts.
