Spammers are now using 'wait and switch' techniques with templates of your favorite newsletters served with a spam popup

Careful what you read -- spammers are now hijacking legitimate newsletters and electronic advertisements from big-name brands such as the NFL, Amazon, Wal-Mart, eBay, ESPN, US Airways, Kohls, Verizon, and 1-800-Flowers.

"They are trying to mimic a legitimate newsletter as closely as possible, by inserting a single image or a link to one," says Doug Bowers, senior director of anti-abuse engineering at Symantec, which has been closely tracking this growing spamming trend during the past month.

Bowers says he and his colleagues don't have any data on the spammers compromising any machines, but it appears they are using templates to mimic the exact format of these newsletters or e-advertisements. "It seems to be a combination of techniques to sneak through a filter, identifying it as legitimate to confuse the user." Many of the infected newsletters Symantec researchers found read normally at first, and then suddenly pop up with a spammed image.

"One of our researchers calls this 'wait and switch,' where it appears you are looking at a newsletter, but then another [item] appears a few seconds later," he says. One spammed newsletter, for instance, looked exactly like the NFL's fantasy football report -- until, a few seconds later, an ad selling various prescription drugs showed up on the same page.

It's a new spin on an old trick. In the early days of spam, newsletters and e-zines were used frequently by spammers -- and then were often blocked by spam filters, causing an uproar among organizations that couldn't send or receive these communiqués. Spam filtering software responded with fewer false positives, but now may have to raise the bar again to block this new generation of spam -- without hurting "real" newsletters and ads.

Bowers says he and other Symantec researchers have not yet seen any malware contained in the spam messages, but that's something they will continue to evaluate. "The examples we've seen are more product promotion... trying to get their message displayed."

It's a pretty obvious clue the newsletter or ad is compromised when you see a Viagra advertisement pop up on your 1-800-Flowers email ad, but these spammers aren't necessarily trying to remain inconspicuous. "It comes back to a profit motive." Some may be testing the waters to see if it's an effective ploy that dupes enough users to make a little money, and if so, they would increase their volume of the spam, he says.

The best defense against this new exploit for now is to run strong spam filtering software, and to be aware of the latest scams, Bowers says. "This is a technique we are going to continue monitoring in the coming months."

— Kelly Jackson Higgins, Senior Editor, Dark Reading

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights