Spammers’ Fake Newsletters Slip by E-Mail Filters


Written By: Matt Hines
Jan 19, 2007

A new technique being employed by malicious spammers is testing the ability of e-mail filtering technologies to tell the difference between legitimate newsletter content and messages bearing unwanted advertisements and hidden links to malware sites.

According to researchers at security software market leader Symantec, a new trend is rapidly emerging among bulk spammers where the creators of the annoying and often dangerous messages are disguising their work using real content distributed in genuine electronic newsletters.

By carefully recreating e-mail newsletters and marketing materials sent to customers from well-known sources such as eBay, ESPN and Wal-Mart, spammers have found a new way to circumvent many filtering systems and sneak their work into users’ in-boxes, said Doug Bowers, senior director of anti-abuse engineering at Symantec.

Very often the fake newsletters look exactly the same as the real thing, with the only difference being the addition of hidden adware or malware code, or more frequently links that direct users to phishing sites that attempt to plant viruses on their computers, he said.

While the approach sounds eminently predictable considering the success that malware writers and online fraudsters have had using phishing sites over the last several years, often producing Web destinations that mimic their legitimate counterparts, the emerging spam model is particularly troubling based on all the work administrators and technology providers have already done to help keep authentic e-mail newsletters from being blocked out by their filters.

When spam filters began to gain popularity several years ago, users complained that newsletter and marketing messages they wanted to receive were being unfairly scoured out of their mail, forcing software makers and systems administrators to create new methods for allowing the content.

By cutting and pasting real newsletters and spoofing their distribution addresses, spammers are turning those specialized avenues into an effective means of delivering their own work.


"It’s very analogous to the phishing tactics where the creator makes you think their content is something that it isn’t by merely co-opting legitimate content and adding as little as a single link to the message to hide their work," Bowers said.

"It’s created a reversal of a problem from a year or two ago when legitimate mailings were getting flagged as spam; these people are embedding their own message next to reputable brands and getting filters and end users to fall for it."

Among the common types of content used to lure users into opening the spam messages are recreations of newsletters that offer information on health care issues or popular topics such as online fantasy sports leagues.


Over the last several months, Bowers said that Symantec, of Cupertino, Calif., has observed a growing number of examples of the newsletter attacks. Oftentimes, the spam content is embedded into a single image in a message, and sometimes a carbon copy of a legitimate newsletter appears in a user’s in-box first, and then the spam message inserts itself into the e-mail a few minutes later.

Bowers said there also seems to be a calculated measure of control to the attacks, as they never appear to distribute more than one of the altered messages to any individual e-mail account per day. The attacks hijack the content of a wide range of reputable businesses, versus focusing on one or two legitimate sources.

The researcher said that Symantec has not been able to prove that the spammers are sending their work to individuals who are known recipients of the newsletters they are copying, but he suspects this could be the next step the criminals take.

Adding to the complexity of tracking down the sources of the newsletter spammers is their frequent use of hijacked botnet computers for distributing their campaigns. Bowers said that botnets continue to play an increasing role in the techniques used by more sophisticated spammers.

"There’s currently a big focus for global networks to analyze botnet traffic and block these types of content," Bowers said. "We have a tremendous amount of insight into the command and control of botnets, but the more distributed the system for spam distribution, the harder it makes it to trace back to the source."

Other researchers are tracking the emergence of a widespread spam campaign that uses messages disguised as breaking news reports to trick users into opening the e-mails, which often carry a Trojan horse desktop virus.

According to malware experts at software maker Sophos, which has its U.S. headquarters in Burlington, Mass., the attacks were being sent out at an alarming pace on Jan. 18, with the Trojan accounting for 67 percent of all malware reports observed by the company’s worldwide threat monitoring network. The news spam attack was so pervasive that at one point it was showing up in 1 of every 200 e-mails inspected by Sophos.

Among the news headlines used in the attacks were stories related to heavy storms in Europe, genocide of Muslim people, murderers freed from prison and the travels of U.S. Secretary of State Condoleezza Rice.

Sophos said that files with names including Full Clip.exe, Full Story.exe, Full Video.exe, Read More.exe and Video.exe were most frequently attached to the spam e-mails and contain the malicious code.
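
Two checks a mail gateway could run against the messages described above, a cloned newsletter carrying one added link and a lure-named executable attachment, shown as an added Python example that is not code from the article, Symantec or Sophos. The sender address, link hosts, extension list and function names are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat")  # assumed blocklist, not from the article

class LinkHosts(HTMLParser):  # collects the host of every <a href> in an HTML body
    def __init__(self):
        super().__init__()
        self.hosts = []
    def handle_starttag(self, tag, attrs):
        host = urlsplit(dict(attrs).get("href") or "").hostname if tag == "a" else None
        if host:
            self.hosts.append(host.lower())

def inspect(raw):
    """Return links that leave the claimed sender's domain and executable attachments."""
    msg = email.message_from_string(raw, policy=policy.default)
    domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    links, attachments = LinkHosts(), []
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(EXEC_EXT):
            attachments.append(name)
        elif part.get_content_type() == "text/html":
            links.feed(part.get_content())
    # A cloned newsletter links almost only to the brand; the added link is the outlier.
    off_brand = sorted({h for h in links.hosts if h != domain and not h.endswith("." + domain)})
    return {"from_domain": domain, "off_brand_links": off_brand,
            "exec_attachments": attachments}

def build_sample():
    """Constructed message: brand links, one foreign link, one lure-named attachment."""
    m = EmailMessage()
    m["From"] = "Example Shop News <news@shop.example>"  # constructed sender
    m.set_content("Weekly deals")
    m.add_alternative('<a href="https://www.shop.example/deals">Deals</a>\n'
                      '<a href="https://shop.example/account">Account</a>\n'
                      '<a href="http://promo.offers.invalid/win">Claim prize</a>\n',
                      subtype="html")
    m.add_attachment(b"MZ", maintype="application", subtype="octet-stream",
                     filename="Full Story.exe")
    return m.as_string()

if __name__ == "__main__":
    print(inspect(build_sample()))
```

Genuine newsletters often link to third-party tracking or hosting domains, so an off-brand link is a signal to score alongside other evidence rather than grounds to block on its own.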

"The Trojan is spreading at an extremely rapid rate and overwhelming many inboxes," said Ron O’Brien, senior security analyst at Sophos. "While users will not be affected by simply reading or receiving the e-mail, they must be very careful not to open the attached files. If they do accidentally open one, a Trojan horse will automatically install on their computer."

