It’s the last trading day of 2011 (Friday, Dec 30 – although I am informed that it started yesterday) and what do I come into work to see? Spam spoofing eTrade. Here’s a sample message:
From: <redacted>
Sent: Friday, December 30, 2011 7:18 AM
To: <redacted>
Subject: Etrade Alert: URGENT update

More information here <link to an http://goo.gl/ page>
There is very little content in the message: only a short notice purporting to come from eTrade about some market condition, with a single link in the message body to a goo.gl redirector. Here are some of the subject lines:
Peeking into the message headers, the spam is relayed through a series of bots before it reaches us. This is a spam campaign where they put in some effort:
As much effort as I put into blocking spammers, they are on the other side tweaking their spambots to hide behind multiple layers of legitimacy. They know we perform URL scanning, so what do they do? They use a legitimate redirector from Google. They know we use IP blocklists, so what do they do? They relay spam from behind multiple bots.
The battle continues.
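The two evasions described above (a legitimate URL shortener in the body and a chain of relays in the headers) are both visible in the raw message, so a filter can score them without following the link. The script below is an added example written for this post, not the author's filter or anything from eTrade: it parses the Received: trace to recover the relay chain and origin IP, flags body links that point at a public shortener, and flags a brand mismatch between the Subject and the sender domain. The sample message, its relay hosts, IP addresses, sender domain and goo.gl path are all constructed placeholders; the shortener list and the "etrade" brand keyword are assumptions for the example.

```python
import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the message described in the post. The relay
# hosts, IP addresses, sender domain and the goo.gl path are placeholders.
SAMPLE_MESSAGE = """\
Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby mx.example.com with ESMTP id abc123
\tfor <victim@example.com>; Fri, 30 Dec 2011 07:18:05 -0500
Received: from [203.0.113.45] (unknown [203.0.113.45])
\tby mail.example.org with SMTP id def456;
\tFri, 30 Dec 2011 07:17:59 -0500
From: "Etrade Alert" <alerts@example.net>
To: victim@example.com
Subject: Etrade Alert: URGENT update
Date: Fri, 30 Dec 2011 07:18:00 -0500
Content-Type: text/plain; charset="us-ascii"

More information here http://goo.gl/placeholder
"""

# Public URL shorteners whose links hide the real destination (sample list).
SHORTENER_HOSTS = {"goo.gl", "bit.ly", "tinyurl.com", "t.co"}
# Brand the campaign impersonates; assumption: a genuine sender's domain
# would contain this keyword, so a Subject/sender mismatch is suspicious.
SPOOFED_BRAND = "etrade"

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def relay_chain(raw):
    """Relay IPs from the earliest hop to the last, taken from Received: headers.
    Each hop prepends its own Received: line, so the first one in the message is
    the most recent; reversing the list puts the origin first."""
    msg = email.message_from_string(raw)
    chain = []
    for received in reversed(msg.get_all("Received", [])):
        m = IPV4_RE.search(received)
        if m:
            chain.append(m.group(1))
    return chain


def body_text(msg):
    """Concatenate all text/* parts so URL extraction works for multipart mail too."""
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "ascii"
            parts.append(payload.decode(charset, errors="replace"))
    return "\n".join(parts)


def shortener_links(raw):
    """Body URLs whose host is a known shortener: a scanner that only inspects
    the literal link learns nothing about where it really lands."""
    msg = email.message_from_string(raw)
    urls = URL_RE.findall(body_text(msg))
    return [u for u in urls if urlparse(u).hostname in SHORTENER_HOSTS]


def triage(raw):
    """Combine the three signals into one verdict for the message."""
    msg = email.message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    subject = (msg.get("Subject") or "").lower()
    brand_spoof = SPOOFED_BRAND in subject and SPOOFED_BRAND not in sender_domain
    chain = relay_chain(raw)
    links = shortener_links(raw)
    return {
        "brand_spoof": brand_spoof,
        "origin_ip": chain[0] if chain else None,
        "relay_count": len(chain),
        "shortener_links": links,
        "suspicious": brand_spoof and bool(links),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MESSAGE).items():
        print(f"{key}: {value}")
```

The origin IP is the one to feed into a blocklist lookup; the relay count on its own is not a verdict, since legitimate mail often crosses several hops, but a brand mismatch plus a shortener link is a strong enough combination to quarantine for review.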
Not to mention, the content on the redirected page is extremely malicious -- it appears to load JAR, PDF, and SWF files, presumably with exploits. It only runs for 8 seconds and then you can never load it again to try to analyze it.