By Mathew Nisbet
Spammers will try anything to get their spam past your filters and into your inbox. We’ve seen many tricks involving random text hidden in the body, use of images, a message body with nothing but a link to the main message somewhere on the web. This example is one of the more elaborate (but ultimately futile) attempts that I’ve seen.
Recently we have been seeing a run of emails that pretend to be informing the recipient that they have a number of “unread” or “important” messages waiting for them on a well known social network. Over a 3 day period, between October 24 and 26, we saw roughly 18,500 of these. Since then the volume has dropped to less than 100 per day, but we are still seeing them.
The use of a well known social media brand name is the first part of the approach to bypass filters. The message copies the format of common legitimate email subjects and cannot be detected based on a signature related to the subject alone. It is also a piece of social engineering, to try and entice an unsuspecting user into opening the email.
On opening the email, you can immediately see that the email has nothing to do with the social network mentioned in the subject line, but is instead spam trying to get people to buy pharmaceuticals.
At first glance this looks like image spam (where the “text” is actually part of an image), which is usually an attempt to make it readable by humans but not computers. However, in this case there are no images in the email. If we look at the email with html rendering turned off, the plain text section displays a string of legitimate links to genuine companies (which is most likely an attempt to poison spam filters) followed by seemingly random text.
However, if we look at the rendered html again, but this time highlight all the text in the mail, you can see the same, seemingly random, text.
This means that the text isn’t random at all, but is instead intended to disguise the real text of the email, making it much harder to automatically recognize certain words. The use of html tags to change background and font colours allows the spammers to make only the desired characters visible to humans. To a machine, it still appears as simple text in html format, thus making it very difficult for standard filters to spot words. In this case the use of html also makes what appears to be a green cross image.
Spammers can be really creative in their approaches to getting messages through to people. In this case the fact that, aside from a few links, there is no recognizable text in the message automatically makes it suspicious. More advanced techniques, like contrast analysis, can be used to allow a computer to identify that some letters would not be visible to humans, making it possible for the computer to analyze the real message and stop it from reaching any potential victims.
Mathew Nisbet, is a malware data analyst, with Symantec Hosted Services