Spam and phishing mail

More stock (s)[p]{m}!

Most recent spammer innovations have centered around “pump and dump spam”. This is what spammers were mass-mailing out in those .pdf and .fdf attachments that we’ve seen recently. And this is the spam that comes in graphics files, with the text often rotated several degrees, and other spammer tricks.

And now we’ve seen the latest innovation, which really had me scratching my head. This spam is designed for die-hard puzzlers: the spammers have taken a very strange approach – splitting key words such as ‘stock’, ‘buy’ etc. with non-alphabetic characters. The problem is that the plethora of non-letter symbols – curved brackets, asterisks etc. – makes the text very hard to read. In fact, someone would have to be extremely motivated to read such an email all the way through.

[u][g]{e} {N}[e][w](s) To Impa_ct <C> [Y](T)(V)

Chi,na YouT-V <C> [o](r){p}
S,ymbol: [C] <Y> [T](V)

We [h]{a}(v)[e] already (s) <e> <e> (n) CY*TV's m^arket imp.act bef^ore c*l^imbing to {o}(v){e}[r] $2*.00 (w)[i](t)(h) (n)(e) <w> [s]

Pre#ss Re,lease:
Chi^na YouTV^'s C-nBoo (W)(e){b} <s> {i}(t)(e) Ran#ks [N][o][.][1] on Micros
o*ft [L](i){v}(e) Searc#h Engi#ne

Of course, spammers are just trying to get round spam filters to deliver their message to end users. But they seem to have forgotten one very simple rule – it’s not enough simply to get the spam to the mail box, the user has to read it, too! And who is going to plough their way through a strange message crammed with a variety of brackets and other out-of-place punctuation marks?
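As an added illustration (not code from the original post), here is a small Python filter check that undoes the word-splitting trick before keyword matching and treats the symbol density itself as a second signal. The spam message is reconstructed from the fragments quoted above, the legitimate message is constructed, and the keyword list and thresholds are assumptions.

```python
import re

# Watched pump-and-dump keywords (assumed list); 'press release' is stored
# without its space because deobfuscation discards all whitespace.
KEYWORDS = ["stock", "buy", "symbol", "news", "market", "pressrelease"]

# Constructed sample built from the fragments quoted in the post.
OBFUSCATED_SPAM = """[u][g]{e} {N}[e][w](s) To Impa_ct <C> [Y](T)(V)
Chi,na YouT-V <C> [o](r){p}
S,ymbol: [C] <Y> [T](V)
We [h]{a}(v)[e] already (s) <e> <e> (n) CY*TV's m^arket imp.act bef^ore c*l^imbing to {o}(v){e}[r] $2*.00 (w)[i](t)(h) (n)(e) <w> [s]
Pre#ss Re,lease:
Chi^na YouTV^'s C-nBoo (W)(e){b} <s> {i}(t)(e) Ran#ks [N][o][.][1] on Micros
o*ft [L](i){v}(e) Searc#h Engi#ne"""

# Constructed legitimate message that happens to mention a watched word.
PLAIN_MAIL = """Hi team, please review the attached quarterly report before Friday.
Let me know if the market summary on page 3 needs any changes."""

def symbol_ratio(text: str) -> float:
    """Share of non-whitespace characters that are neither letters nor digits.
    Ordinary prose sits well under 0.1; bracket-stuffed spam sits near 0.5."""
    alnum = sum(1 for c in text if c.isalnum())
    symbols = sum(1 for c in text if not c.isalnum() and not c.isspace())
    total = alnum + symbols
    return symbols / total if total else 0.0

def deobfuscate(text: str) -> str:
    """Undo the word-splitting trick: keep only letters and digits, lowercased.
    Whitespace goes too, so '(s) <e> <e> (n)' becomes 'seen' and the
    'Micros' / 'o*ft' split across a line break rejoins as 'microsoft'."""
    return re.sub(r"[^0-9a-z]", "", text.lower())

def find_keywords(text: str) -> list:
    """Watched keywords that survive deobfuscation, in KEYWORDS order."""
    flat = deobfuscate(text)
    return [k for k in KEYWORDS if k in flat]

def is_obfuscated_spam(text: str, ratio_threshold: float = 0.3, min_hits: int = 2) -> bool:
    """Flag only when both signals agree: abnormal symbol density AND several
    hidden keywords. Each alone is weak: legitimate mail can say 'market',
    and code or ASCII art has a high symbol ratio with none of the keywords."""
    return symbol_ratio(text) >= ratio_threshold and len(find_keywords(text)) >= min_hits

if __name__ == "__main__":
    for label, msg in (("obfuscated", OBFUSCATED_SPAM), ("plain", PLAIN_MAIL)):
        print(f"{label}: ratio={symbol_ratio(msg):.2f} "
              f"keywords={find_keywords(msg)} spam={is_obfuscated_spam(msg)}")
```

The letters-only matching is deliberately crude (it will also match a keyword buried inside a longer word), which is why the symbol-density check is required alongside it.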

If we take a look at the history of spam evolution, we can see that this isn’t something totally new. In 2003, spammers conducted similar experiments, littering their emails with symbols and non-Latin letters, resulting in messages that looked like this:

Vl/GR/| $0.95 /l)0SE
C|/|L|S $2.00 /|)0SE
}{E|||C/lL $0.91 /l)()SE
PR()PECl/|GR/, GLUC()PH/|GR/|GE, V|0} {}{,
CELEBRE}{, |/|ERl|)l/, Z()L0FF, P/l}{lL, LlP|T()R
E ll T E R

The result was almost unreadable emails, which quickly disappeared from the scene. Spammers clearly decided that this wasn’t a promising approach. However, either they got some return on their mass-mailings, or what we’re seeing now is a new generation of spammers who haven’t learnt from the mistakes of the past. We’ll see how long this latest wave lasts.
