Spam and phishing mail

Spam and YouTube: a long-term relationship

We recently noticed a mass mailing among the general flow of spam that at first glance looked just like the usual “forum” junk mail that appears on forums and bulletin boards, and which are sent as email notifications to users of those forums.

Spam and YouTube: a long-term relationship

Spam and YouTube: a long-term relationship

The spam message advertised pharmaceutical goods. However, the links led to YouTube rather than online stores. The videos hosted at YouTube consisted of a background picture with the name of the medication and a link to a pharmaceutical site.

Spam and YouTube: a long-term relationship

Spam and YouTube: a long-term relationship

Spam and YouTube: a long-term relationship

We noticed that the number of views for the different videos ranged from 1 to 40. This once again demonstrates that the response to spam is nowhere near as big as the spammers and their own advertising would have you believe.

I’d like to point out that the use by spammers of YouTube as a video hosting service is nothing new – we first saw it back in 2009. Then, the video promoted spammer services.

When they send out spam like this, the spammers are obviously banking on the popularity of the resource and a semblance of protection from anti-spam filters. In practice, however, the opposite is the case: spammers can’t place lots of videos on YouTube due to the numerous steps that need to be taken to create an account and ensure they are generated by humans. As a result, the number of different URLs in the mailing is very small. This makes it easy for filters to detect the links and explains why this type of spam is not very widespread.

The spammers’ love of YouTube dates back to 2007 when they exploited a vulnerability in the site in order to send spam.

In 2010 spammers offered users the chance to download a YouTube Toolbar that would make it easier to search for videos, but which was actually a Trojan program.

In the first half of this year spammers used YouTube as a cover for their own messages, making them look like notifications from the video hosting service.

Spam and YouTube: a long-term relationship

The links in the messages led to a pharmaceutical site.

Spam and YouTube: a long-term relationship

Your email address will not be published. Required fields are marked *

 

Reports

Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that the Lazarus group is going after intelligence that could help these efforts by attacking entities related to COVID-19 research.

Sunburst: connecting the dots in the DNS requests

We matched private and public DNS data for the SUNBURST-malware root C2 domain with the CNAME records, to identify who was targeted for further exploitation. In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs.

Subscribe to our weekly e-mails

The hottest research right in your inbox