Spam campaign morphs again

  • Article

I earlier wrote about an eTrade spam campaign that morphed into a Bank of America spam campaign.  Subsequent mutations saw this spammer use the same tactic over and over again, but slightly modify it.  We saw LinkedIn spam and “You have a transaction” spam.

Now, the spammer has morphed again, no doubt because filters updated and blocked it.  The newest technique is the following:

  • The spammer sends mail from a Yahoo account that is either compromised or he registered it himself.

  • The subject line contains something like “Net teller Payment ID” or Websterbank payment ID”.  It next contains a bit of HTML code and then a link to an https://goo.gl shortened URL.

  • The message body is empty.  This means that the entire payload is in the message subject.

  • The subject line is encoded in the ISO-8859-1 (Western European) charset, and uses quoted printable.  This means that a subject line that looks like this to the user:

    W: Re:Websterbank Payment ID,,,,<div class="ëéèhttps://goo.gl/<redacted>}(ìê779765289255

    Looks like this to the spam filter:

    =?iso-8859-1?Q?Re=3AWebsterbank_Payment_ID=2C=2C=2C=2C=3C
    div_class=3D=22?= =?iso-8859-1?Q?=EB=E9=E8http=3A//
    goo=2Egl/<redacted>=7D=28=EC=EA779765289255?=

This is the same guy who has been operating for a month, sending out new spam blitzes every couple of days.  Yet his tactics have changed.  Originally, he sent out spam by using his botnets to connect to a second set of botnets to relay spam directly.  Now his first set of botnets connect to Yahoo and send out spam that way; he has streamlined it presumably in an effort to get around IP blocklists.

The move to the subject line is curious.  If it’s on purpose, and not because his malware is broken, he’s done that to avoid content filtering.  However:

  • Why is there HTML code in the subject line?  Was it copied-and-pasted from previous spam campaigns and not proofread before this one went out?

  • Why is there so much heavily encoded quoted printable in the subject line?  Is this an attempt to evade filters?

  • What is the ROI for putting the http link in the subject line?  Users cannot automatically click the subject line the way they could in the message body.  With this campaign, they have to manually copy and paste it into a browser, and the fact is that the message is not readable.

I really wish Google and Yahoo would catch this guy and shut him down.