SANS ISC: A week of Cooked Ham and Pork - Internet Security | DShield SANS ISC InfoSec Forums


A week of Cooked Ham and Pork

There is something in the air at the moment. It must be Mother's Day, or maybe I've just been lucky, but my mailbox is chock-a-block full of SPAM this week. On Gmail I typically get 5-10 per week, now about 500. On my own mail the anti-SPAM filter throws away a few hundred per week, this week about 2000. So I decided to have a dig to see what is actually coming in, where from and what they want.

| Description | Email Origin | Notes |
|---|---|---|
| Greeting card | Germany | URL link to an exe. 28/33 AV products detected the file; three days ago it was 4. |
| Viagra/Cialis Messages | Texas, Latvia, Paris, Russia, Chile, Mount Laurel (US), US, Italy, Israel | Links to Canadian Pharmacy web site. |
| Viagra/Cialis Meds | France | Web site Canadian Healthcare |
| Movie downloads (in Chinese) | Argentina | Nothing: no links and nothing nasty, maybe a trial run. |
| Herbal remedies | USA, Germany, Sweden, Oman, Lithuania, Brazil | Products to enlarge body parts. The message contained a URL to one of three sites hosted in the same address range. The registrar owns 695 other domains; received 50 of them. |
| Lottery* | UK, Canada, Greece | So far this week I have won about $500,000,000, not bad for not entering any lotteries. The majority were sent from UK machines, machines at one particular facility. |
| Click Fraud | Spain, Bolivia, Poland | The links in the message are ad click redirects. |
| PayPal | US, France | The usual phishing exercise aimed at extracting account information. |
| I am Lonely Tonight | Turkey | The usual "I'm lonely tonight" emails. If you respond it goes into how she wants to travel and can't you help her out. |
| Fake Goods | Bombay, Russia, Bahrain, Greece, Italy, Turkey, Slovak Republic, Thailand | Fake goods, watches, bags, etc. |
| Business Proposal (419 messages) | US, Germany, Los Angeles, United Arab Emirates, The Netherlands, Japan | Transfer money and get a percentage. |
| Work offers | Belgium | Work for a few hours per week and make thousands; most of these linked to professional-looking sites. Typically they are recruiting for mules. |
| Threats | Turkey, Russia | There have been a few variants of these doing the rounds. |

The bulk of the messages received fall in the medical category. There was one lonely-hearts SPAM message, which linked to an executable. Unfortunately the site was already unavailable.

From the setup of the emails and the related sites, about 15 different groups sent the above messages. The typical delivery method is via home users, although a number were delivered through mail servers that would allow messages to be relayed.

It is interesting to see that some of the 419 and lottery messages are still doing the rounds. There are obviously still people that fall for the scam.

On the new front, there are some new Better Business Bureau messages doing the rounds, so keep your eyes out for those.

Cheers

Mark - Shearwater
