Spam and phishing mail

Spammers all geared up for Euro 2016!

Major football tournaments such as the World Cup and the European Championship, traditionally attract a lot of spammer activity. Euro 2016 will be held this summer in France, and it’s not only the fans and players who are getting ready but also Internet fraudsters. The latter have started sending out fake notifications about lottery wins dedicated to the upcoming tournament. Their emails often contain attachments adorned with graphic elements including official emblems, the Euro 2016 logo and those of its sponsors.

Spammers all geared up for Euro 2016!

The contents of the attachments are the standard stuff: the lottery was held by an authorized organization, the recipient’s address was randomly selected from a large number of email addresses, and in order to claim your prize you have to reply to the email and provide some personal information. We have recorded cases where the same attachment was sent in messages with a different text, but the theme of the email is essentially the same. The fraudsters also use different email addresses and change those used in the body of the message and the attachment.

We have also come across advertising spam in different languages, for example in Dutch, asking recipients to buy a 2-euro commemorative coin issued specifically for Euro 2016.

Spammers all geared up for Euro 2016!

We expect to see a growth in football-themed spam as the start date of Euro 2016 approaches. This type of fraudulent spam can be one of the most dangerous for users: the perpetrators are unlikely to limit their activity to fake lotteries, and will start spreading various emails offering the chance to win tickets to the games, as was the case before the World Cup in Brazil. The amount of spam targeting users in France, which is hosting the championship, may also increase.

Spammers all geared up for Euro 2016!

Your email address will not be published. Required fields are marked *

 

Reports

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that the Lazarus group is going after intelligence that could help these efforts by attacking entities related to COVID-19 research.

Sunburst: connecting the dots in the DNS requests

We matched private and public DNS data for the SUNBURST-malware root C2 domain with the CNAME records, to identify who was targeted for further exploitation. In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs.

What did DeathStalker hide between two ferns?

While tracking DeathStalker’s Powersing-based activities in May 2020, we detected a previously unknown implant that leveraged DNS over HTTPS as a C2 channel, as well as parts of its delivery chain. We named this new malware “PowerPepper”.

Subscribe to our weekly e-mails

The hottest research right in your inbox