The latest Canadian Pharmacy spam has taken on a new look. While this type of spam has been around for years, the latest campaign is spoofing Apple. The emails, which are HTML-based, have subject lines such as “Apple Store Order id:528-183638” or “Apple AppStore Order #32-8261796”, and the sender is “Apple Store <up-to-date(at)store.apple.com>”. The spammers are using the email design as a social engineering trick to get the user to click on the link. In the email, users are asked to “view the most up-to-date status and make changes to your Apple Online Store order, visit online your Order Status.” If clicked on, recipients are sent to an online pharmacy. While the email does not contain an Apple logo, it does include the 1-800-MY-APPLE phone number, which is the real Apple Store order phone number. There do not appear to be any phishing tactics or embedded malware associated with this campaign.
The campaign is using a large database of compromised machines to host the spam sites. This has been an irritating and growing trend as registered domain names seem to be decreasing. This practice is advantageous for spammers because it is cheaper and helps them to avoid domain-based RBLs such as SURBL, while simultaneously poisoning such lists with ham hostnames.
The volume for this campaign is relatively low, but the compromised host tactic is a much more significant trend that appears to be growing.
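Because the link hosts are compromised legitimate machines, a check that does not depend on RBL listings is to compare the domain claimed in the From header with the hosts the HTML body links to. The following is an added example, not part of the original post: the sample message is constructed, the link host is a placeholder, and the function names and the naive two-label domain comparison are assumptions of this sketch.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modeled on the campaign above; the link host is a placeholder.
SAMPLE = """\
From: Apple Store <up-to-date@store.apple.com>
Subject: Apple Store Order id:528-183638
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>To view the most up-to-date status, visit online
<a href="http://compromised-host.example/~user/index.html">your Order Status</a>.</p>
<p>1-800-MY-APPLE</p>
</body></html>
"""

class LinkCollector(HTMLParser):
    """Collects the hostname of every <a href=...> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hosts = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            host = urlsplit(dict(attrs).get("href") or "").hostname
            if host:
                self.hosts.append(host.lower())

def base_domain(host):
    # Naive: last two labels. Production code should use the Public Suffix List.
    return ".".join(host.split(".")[-2:])

def mismatched_link_hosts(raw):
    """Return (claimed sender domain, link hosts outside that sender's base domain)."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("html",))
    if body is None or not sender_domain:
        return sender_domain, []
    collector = LinkCollector()
    collector.feed(body.get_content())
    brand = base_domain(sender_domain)
    return sender_domain, sorted({h for h in collector.hosts if base_domain(h) != brand})
```

A non-empty host list is a signal to weigh alongside SPF/DKIM/DMARC results, not a verdict on its own, since legitimate mail often links to third-party domains.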

