Spam and phishing mail

Sex still sells

You see all sorts of things from all around the world if you’re a spam analyst. Today I found a German-language message with a standard text (“This link was sent to you by [name]”) and a link which looks like it leads to, a popular German tabloid site.

If the user clicks on this link, s/he ends up on a site which looks very much like in terms of design and content. The text of the linked ‘news’ article is quite attention grabbing: it starts by talking about the financial crisis (again!) but then moves on to something a bit more original – porn makes money!

That might not sound like anything new, but the twist here is that you’re not being told where to download or watch porn for free. The links in the fake article (shown above) lead to genuine articles about the economy on the, a standard porn site, and the site shown below.

This site offers users the opportunity to “Earn money from home in lucrative area of erotica!” It’s “easy!…and FREE!” Just register a domain, set up a partner program on your page, and then advertise it! This site also includes rapturous testimonials from people who were in despair about their lack of cash, but decided to try this as a last resort…and then they just sat back and watched the money roll in. They’re even kind enough to provide instructions on what to do and how to kick start your business.

With the current state of the economy, and spammers ready to offer detailed help and support, the only question left is – why not move into porn and earn millions?
