Ultimate 5 TOP Malicious Spam Subjects

Websense® ThreatSeeker® Network detects millions of spam/malicious email campaigns on a daily basis. Such campaigns are sent in a short period of time, and then disappear for a while. Normally, campaigns will last for about one hour or less, therefore some companies might struggle with blocking these emails. Below are the top 5 campaigns that we’ve seen over the last several days.

Alert: If you see these Subject lines in your mailbox, please don’t open an attachment or click on a link. Doing so could be dangerous for the health of your device.

1. ORDERS

  • Order N21560 (numbers vary)

This link redirects to a .ru/main.php or .com/main.php URL, which serves the Blackhole exploit kit. These emails are targeting users who just purchased an Adobe CS4 license, which is weird, because version v.5 is already out. The spammers apparently have not done their research and are behind the times.

2. TICKETS

  • FW: Re: Compatible TRAFFIC TICKET (ID: 239127922) (numbers vary and subject field might appear without FW: or RE:)
  • Fwd: Your Flying Order N125-9487755 (numbers vary)

Users are lured to click on a “CLICK HERE” link, which redirects to another URL serving the Blackhole exploit kit. I guess these types of emails are targeting specific people: a) who have driven a vehicle in New York and b) who have been cited for a speeding violation recently, and of course c) those who are curious, otherwise why would they click on this link?

3. DELIVERY COMPANIES:

  • USPS Invoice copy ID46298 (numbers vary)
  • FedEx: New Agent File Form, trackid: 1V6ZFZ7FEOHUQ (numbers vary)
  • DHL Express Notification for shipment 90176712199 (numbers vary)

Fake emails pretending to be invoices or tracking emails have been around for several years and usually would have an attachment, such as a Trojan like Zeus or SpyEye. Websense Security Labs™ has written several blogs before about similar cases. I just want to point out that such emails are still being sent in bulk and are still being used as a vector to infect end users’ computers. The reason why these kinds of emails are still so popular is that the attachments are being repacked for every new campaign; therefore, antivirus products struggle to release new signatures for those and are unable to block them, like in this case. The campaign is known, but VT shows only 8/42 results for an attachment.

4. TEST

This email suggests that the attachment is a patch for WoW (World of Warcraft). Unfortunately for the criminals, the archive is corrupt and therefore harmless to the recipients. Emails with “test” in the Subject line are commonly used by criminals to spread their malicious software. Users are used to seeing legitimate emails with “test” in the Subject line when an email system is being checked, and spammers also use such techniques to validate an email address.

5. PAYMENT/TAX SYSTEMS:

  • FRAUD Alarm for ACH
  • Your Wire Transfer
  • Wire transfer rejected
  • IRS requires new EIN
  • IRS Tax study


This type of email appeared in August-September 2011. We wrote an ACH blog about it. The email in this screenshot was received today, though the date still corresponds back to August. The spam-bot seems to think it’s still August!

The malicious spam campaigns listed above have the same recurring themes, which spammers don’t actually change. However, major differences include the following:

  • Switching between attachments and malicious/compromised links
  • Repacking attachments so they will not be detected by AVs
  • Slightly changing the template of the email
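
Because the subject lines above differ only in their numbers and in optional FW:/RE: prefixes, a mail filter can match them after normalizing those parts away. The following is an added example, not Websense code; the function names, the `<id>` placeholder and the sample inbox are constructed, and the templates are the subject lines quoted in this post.

```python
import re
from collections import Counter

# FW:/Fwd:/RE: prefixes, which the post says may or may not be present.
_PREFIX = re.compile(r"^\s*(?:(?:fwd|fw|re)\s*:\s*)+", re.I)
# Any token containing a digit is treated as the part that "varies".
_VARYING = re.compile(r"\b[A-Z0-9-]*\d[A-Z0-9-]*\b", re.I)

def normalize(subject):
    """Reduce a Subject line to its template: no prefixes, IDs -> <id>."""
    s = _PREFIX.sub("", subject[:200])  # cap length; subjects are short
    s = _VARYING.sub("<id>", s)
    return re.sub(r"\s+", " ", s).strip().lower()

# Subject lines quoted in this post, grouped by the post's own themes.
KNOWN = {
    "orders": ["Order N21560"],
    "tickets": ["FW: Re: Compatible TRAFFIC TICKET (ID: 239127922)",
                "Fwd: Your Flying Order N125-9487755"],
    "delivery": ["USPS Invoice copy ID46298",
                 "FedEx: New Agent File Form, trackid: 1V6ZFZ7FEOHUQ",
                 "DHL Express Notification for shipment 90176712199"],
    "payment/tax": ["Your Wire Transfer", "Wire transfer rejected",
                    "IRS requires new EIN"],
}
TEMPLATES = {normalize(s): theme for theme, subs in KNOWN.items() for s in subs}

def classify(subject):
    """Return the theme whose template matches, or None."""
    return TEMPLATES.get(normalize(subject))

def tally(subjects):
    """Count matches per theme across a batch of Subject lines."""
    return Counter(t for t in map(classify, subjects) if t)

if __name__ == "__main__":
    # Constructed sample inbox: same templates, different numbers/prefixes.
    inbox = ["Order N88012", "RE: Compatible TRAFFIC TICKET (ID: 100200300)",
             "DHL Express Notification for shipment 55512345678",
             "WIRE TRANSFER REJECTED", "Lunch order for Friday"]
    for subj in inbox:
        print(f"{classify(subj) or '-':12} {subj}")
    print(dict(tally(inbox)))
```

Exact matching after normalization covers number and prefix changes only; a reworded template needs a new entry, and a match is a signal to combine with link and attachment checks, since a legitimate shop can also send "Order N123".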

Websense Email Security and Websense Web Security solutions protect against this kind of blended threat with ACE, our Advanced Classification Engine.


Source: https://www.forcepoint.com/blog/x-labs/ultimate-5-top-malicious-spam-subjects
