Jun 16

One Click Goes the Malware: A New Trend in Dangerous Spam

In the past few months, Red Condor has been monitoring a wave of suspicious Canadian Pharmacy spam campaigns. Specific emails in these campaigns spoof Twitter, Apple, Facebook and Amazon. Links redirect users to what appears to be a fairly common Canadian Pharmacy spam web page—all pretty typical stuff. But the use of sophisticated spoofing in combination with the Canadian Pharmacy landing site raised a huge red flag about the spammers’ real intent.

A lot has been written about these campaigns. As one of the first to detect them, Red Condor issued a warning that contributed to some of the coverage. That said, I fear users and security experts haven’t grasped the real issue: A new era in the proliferation of dangerous spam.

Last week, Red Condor detected a spoofed YouTube spam attack that revealed the intent behind this new wave of campaigns: single-click malware installs.

It turns out that the redirect on a compromised website to a Canadian Pharmacy web site is a red herring. When users click on the redirect link (a YouTube or Twitter friend request, a greeting card, or Facebook login page), their browsers download and execute the malicious code–a Trojan virus that’s likely to steal banking credentials, passwords and other private login information.

Here’s the rub: Typical malware campaigns require at least two clicks–the first from the email to a web page, the second on the web page, which downloads the malware. This new trend of the single-exploit click is likely to produce a much higher success rate for malware infection. One click leaves users no time to back out when they realize they’ve entered the danger zone.

So who’s behind these attacks? It’s unlikely that a group of spammers would utilize so many different templates. Historically, spammers create a new campaign with a specific spoof, and then blast it out to millions of email addresses. This new series of campaigns is likely the work of a spam gang and a subset of affiliates who get paid for redirecting traffic to the Canadian Pharmacy pages and tricking people into installing malware.

The spammers appear to have access to a PDF exploit kit, which explains the underlying similarities across the campaigns: Canadian Pharmacy landing pages, one-click infection, use of redirectors, an iFrame exploit, and unprecedented randomization and variability. The variety and quantity of templates and spoofs, some highly sophisticated, together with the highly randomized content, make detection by traditional filters extremely difficult.
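As an added defender-side illustration (not Red Condor's code or any tool mentioned in this post), the following script flags the two patterns described above in an HTML message body: a link whose visible text names one of the spoofed brands while its href leaves that brand's domain (the redirector pattern), and a hidden or zero-size iframe (the drive-by injection vector). The sample body and the redirector.example hosts are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands the post says were spoofed, mapped to their legitimate domains.
BRAND_DOMAINS = {"twitter": "twitter.com", "youtube": "youtube.com",
                 "facebook": "facebook.com", "apple": "apple.com",
                 "amazon": "amazon.com"}

# Constructed sample body: a "YouTube friend request" whose link leaves YouTube,
# plus a zero-size iframe of the kind used to push an exploit document.
SAMPLE = ('<p>You have a new <a href="http://redirector.example/r?x=1">'
          'YouTube friend request</a></p>'
          '<iframe src="http://redirector.example/k.pdf" width="0" height="0"></iframe>'
          '<a href="https://www.youtube.com/">Visit YouTube</a>')

class SpoofScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        # findings: (kind, url) tuples; _href/_text track the <a> currently open
        self.findings, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._href, self._text = a.get("href", ""), []
        elif tag == "iframe":
            style = (a.get("style") or "").replace(" ", "").lower()
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            if tiny or "display:none" in style or "visibility:hidden" in style:
                self.findings.append(("hidden_iframe", a.get("src", "")))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = "".join(self._text).lower()
            host = (urlparse(self._href).hostname or "").lower()
            # A brand name in the link text that does not resolve to that brand's domain
            for brand, domain in BRAND_DOMAINS.items():
                if brand in text and host != domain and not host.endswith("." + domain):
                    self.findings.append(("brand_link_mismatch", self._href))
            self._href = None

def scan_html(body):
    # Return the list of (kind, url) findings for one HTML message body.
    scanner = SpoofScanner()
    scanner.feed(body)
    return scanner.findings
```

Running `scan_html(SAMPLE)` reports the off-brand "YouTube" link and the zero-size iframe; the genuine youtube.com link is not flagged.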

What’s really scary is this wave of campaigns is probably merely a testing phase for a whole new generation of nefarious spam techniques that will increase in volume and complexity. The convenient infrastructure is in place and the financial incentives are clear.

Just before posting this, Red Condor blocked another campaign that uses a JavaScript component in lieu of the malware install link. The JavaScript redirects not to the Canadian Pharmacy page but to Ultimate Replica, a site selling replica luxury watches. It appears the spammers are still testing the waters.

Stay tuned.