Careful what you read -- spammers are now hijacking legitimate newsletters and electronic advertisements from big-name brands such as the NFL, Amazon, Wal-Mart, eBay, ESPN, US Airways, Kohls, Verizon, and 1-800-Flowers.
"They are trying to mimic a legitimate newsletter as closely as possible, by inserting a single image or a link to one," says Doug Bowers, senior director of anti-abuse engineering at Symantec, which has been closely tracking this growing spamming trend during the past month.
Bowers says he and his colleagues don't have any data on the spammers compromising any machines, but it appears they are using templates to mimic the exact format of these newsletters or e-advertisements. "It seems to be a combination of techniques to sneak through a filter, identifying it as legitimate to confuse the user." Many of the infected newsletters Symantec researchers found read normally at first, and then suddenly pop up with a spammed image.
"One of our researchers calls this 'wait and switch,' where it appears you are looking at a newsletter, but then another [item] appears a few seconds later," he says. One spammed newsletter, for instance, looked exactly like the NFL's fantasy football report -- until, a few seconds later, an ad selling various prescription drugs showed up on the same page.
It's a new spin on an old trick. In the early days of spam, newsletters and e-zines were used frequently by spammers -- and then were often blocked by spam filters, causing an uproar among organizations that couldn't send or receive these communiqués. Spam filtering software responded with fewer false positives, but now may have to raise the bar again to block this new generation of spam -- without hurting "real" newsletters and ads.
Bowers says he and other Symantec researchers have not yet seen any malware contained in the spam messages, but that's something they will continue to evaluate. "The examples we've seen are more product promotion... trying to get their message displayed."
It's a pretty obvious clue the newsletter or ad is compromised when you see a Viagra advertisement pop up on your 1-800-Flowers email ad, but these spammers aren't necessarily trying to remain inconspicuous. "It comes back to a profit motive." Some may be testing the waters to see if it's an effective ploy that dupes enough users to make a little money, and if so, they would increase their volume of the spam, he says.
The best defense against this new exploit for now is to run strong spam filtering software, and to be aware of the latest scams, Bowers says. "This is a technique we are going to continue monitoring in the coming months."
Kelly Jackson Higgins, Senior Editor, Dark Reading