NSFW: 6 New Malicious Spam Campaigns Coming to an Inbox Near You

Written by david.w.balaban | Published 2019/02/19
Tech Story Tags: security | spam | spammers | cybersecurity | cybercrime


From adult content to crypto ransomware, these are the latest spam schemes cybercriminals are using to booby trap you.

The goal of spam distributors went beyond shady advertising and annoyance a long time ago. Many of the junk emails you receive nowadays carry dangerous payloads thoroughly disguised as something innocuous, benign, and eye-catching. Powered by massive botnets, spam is a major source of contamination with ransomware, computer worms, and Trojans.

Cybercriminals have created infrastructures capable of spewing out millions of these booby-trapped messages at a time. Although such an activity might seem like a shot in the dark, the huge volumes of spam in circulation always end up converting into a bevy of infections. This makes the phenomenon a major heads-up for every computer user. Here’s the lowdown on the recent trends in this sketchy ecosystem.

“Follow the white rabbit” campaign promoting adult sites

A large-scale spam wave with a flavor of X-rated content kicked off in late January 2019. The dodgy emails contain attachments that redirect the recipients to NSFW (not safe for work) sites or web pages hosting malware. The toxic file sent from [email protected] by someone supposedly named Gell is a PDF document that, when opened, entices the recipient to click an embedded hyperlink. This link triggers a series of redirects leading to an adult dating site whose code contains an obfuscated string saying, “Follow the white rabbit” — hence the codename of this wave.

Some of the landing sites are a nuisance, especially if you are forwarded to them while at work and colleagues see the embarrassing content on your screen. Others harvest the visitor’s contact details so that the operators can reuse them in future phishing hoaxes.

Emergency exit map themed campaign with ransomware at its core

Another noteworthy social engineering move of cybercrooks took root in January as well. Rather than promote fishy sites, though, this malspam (malicious spam) con has been pushing a strain of crypto ransomware known as GandCrab 5.1. The logic of this wave has to do with deceptive emails with the subject “Up to date emergency exit map”. The message per se is self-explanatory: it is allegedly a new version of the exit map for the target user’s building.

The recipients’ instinct of self-preservation is quite likely to encourage them to open the attached Word file. This document prompts the user to enable macros to view the content. Doing so fires up a PowerShell script and pulls in the ransomware behind the scenes. Then, the infection encrypts the victim’s data and demands a certain amount of Bitcoin or Dash cryptocurrency for recovery.
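The chain described above (Word document, macro, PowerShell, ransomware download) leaves a recognisable trace in endpoint telemetry: an Office process spawning a script interpreter. The following is an added defensive example, not code from the article, that scans process-creation events for that parent/child pairing and raises the severity when the command line carries download or encoding cues. The JSON event format and the sample records are constructed for the example and only loosely resemble Sysmon-style fields.

```python
"""Flag Office applications spawning script interpreters in process-creation
events. Added example, not from the article; the event format is a constructed,
simplified Sysmon/EDR-style JSON (an assumption), not a real product schema."""
import json
import ntpath
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe"}
# Command-line fragments that commonly accompany a macro-driven download stage
# such as the article's Word -> PowerShell -> ransomware chain (constructed list).
DOWNLOAD_CUES = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|"
    r"-enc(odedcommand)?\b|-nop\b|-w(indowstyle)? hidden)", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path, independent of the host OS."""
    return ntpath.basename(path).lower()


def triage_event(event):
    """Return a finding dict for a suspicious process-creation event, else None."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent not in OFFICE_PARENTS or child not in SCRIPT_HOSTS:
        return None
    cmd = event.get("CommandLine", "")
    severity = "high" if DOWNLOAD_CUES.search(cmd) else "medium"
    return {"time": event.get("UtcTime"), "host": event.get("Computer"),
            "parent": parent, "child": child, "severity": severity, "cmd": cmd}


def scan_log(lines):
    """Parse one JSON event per line and collect findings in log order."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the whole scan
        finding = triage_event(event)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample events (not real telemetry). Raw string: "\\" reaches the
# JSON parser as an escaped backslash.
SAMPLE_LOG = r"""
{"UtcTime": "2019-01-22 09:14:03", "Computer": "WS01", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -nop -w hidden -enc AAAAAAAA"}
{"UtcTime": "2019-01-22 09:14:05", "Computer": "WS01", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "WINWORD.EXE /n exit_map.docm"}
{"UtcTime": "2019-01-22 09:20:41", "Computer": "WS02", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c echo hello"}
{"UtcTime": "2019-01-22 09:21:00", "Computer": "WS02", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe Get-Date"}
not json at all
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f"[{f['severity']}] {f['time']} {f['host']}: "
              f"{f['parent']} -> {f['child']}: {f['cmd']}")
```

Only the first and third sample events match (Word launching PowerShell with hidden-window and encoded-command switches, Excel launching cmd.exe); the Word process started by Explorer and the PowerShell started by cmd.exe are normal parentage and are ignored. In a real deployment the parent/child sets and cue list would be tuned against the environment's baseline to keep false positives from legitimate macros manageable.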

Connected printers spammed with unwelcome ads

In December 2018, a questionably legit initiative surfaced whose authors claimed it to be “the most viral ad campaign in history”. Someone launched printeradvertising.com, a service that could allegedly reach every single Internet-facing printer in the world and issue commands to print out a specific advert for $250. Although this might sound like fiction, such interference with IoT devices is quite feasible from a technical perspective. In fact, numerous people discovered the original paper spam ad sticking out of their network printers at that time.

The site of the service includes references to Simon Smith, an Australian cyber forensic investigator who has denied any involvement with the campaign. This fact might be a clue that the whole printer ad scam is aimed at taking revenge on the researcher who might have upset some cybercrooks in the past. One way or another, gaining unauthorized access to other people’s devices is illegal, even if it’s just trolling.

Google Maps app polluted with spam pop-ups

A bizarre spam campaign targeting Google Maps users made its debut in December 2018. It plagued the Android version of the app with obnoxious pop-up notifications about some kind of a prize that the user purportedly won. A few examples of the titles of these messages are as follows: “You have received the free prize” and “Congratulations for winning Pixel”. Interestingly, the ads have a toggle that asks the victim to share their location. Meanwhile, very few of them include a clickable link that leads to some dubious phone case giveaway site.

It remains a mystery what the spam operators request people’s location details for. It could be a promotion of a nearby store, or burglars’ attempt to find out when the victims aren’t at home — the speculations can go on and on. However, this hoax demonstrates that malefactors are able to easily exploit the services of the world’s major software publishers.

“Love you” spam wreaking havoc in Japan

A multi-pronged spam campaign hit numerous Japanese users in late January 2019. It disseminates a combo of different malware strains under the guise of a love letter from a secret admirer. The attachments are lightweight ZIP archives with JavaScript files inside. The tricky thing is that the names of these enclosed objects suggest they are images in JPG format, therefore many recipients rush headlong into opening the pseudo picture in anticipation of a romantic adventure. Furthermore, the spam emails are tailored specifically for the Japanese audience, given that their subject lines contain names of the country’s popular entertainers.

Double-clicking the camouflaged JS file triggers an infection chain that downloads a blend of malicious payloads from the malefactor-run C2 server. The list of harmful entities delivered this way includes the above-mentioned GandCrab version 5.1 ransomware, a worm known as Phorpiex, a cryptominer, and a system settings changer. That’s quite an explosive mix to have on board a PC, obviously.
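The lure above works because the attachment is a ZIP archive whose JavaScript member carries an image-looking name. A mail gateway or triage script can catch this without executing anything, by looking at member names and the first bytes of each member. The following is an added example, not code from the article or from any product it mentions; the archive it inspects is constructed in memory and contains only placeholder content, and the extension lists are assumptions chosen for illustration.

```python
"""Triage a ZIP mail attachment: flag members that are script files, that hide
a script extension behind an image-like name, or whose bytes do not match the
extension they claim. Added example, not code from the article; the sample
archive is constructed in memory."""
import io
import zipfile

# Extensions Windows will execute or hand to a script host (assumed list).
SCRIPT_EXTENSIONS = {"js", "jse", "vbs", "vbe", "wsf", "wsh", "hta", "ps1",
                     "bat", "cmd", "exe", "scr", "lnk", "jar"}
IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "bmp"}
# Leading bytes (magic numbers) a genuine image of each type starts with.
IMAGE_MAGIC = {"jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
               "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8", "bmp": b"BM"}


def inspect_member(name, head):
    """Return the reasons one archive member looks dangerous (empty if none)."""
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    reasons = []
    if len(parts) < 2:
        return reasons  # no extension at all; nothing to judge by name
    ext = parts[-1]
    if ext in SCRIPT_EXTENSIONS:
        reasons.append("script_extension")
        # "IMG_0042.jpg.js": an image-looking name in front of a script extension.
        if len(parts) >= 3 and parts[-2] in IMAGE_EXTENSIONS:
            reasons.append("double_extension")
    elif ext in IMAGE_MAGIC and not head.startswith(IMAGE_MAGIC[ext]):
        reasons.append("magic_mismatch")  # claims to be an image but isn't one
    return reasons


def inspect_zip(data):
    """Map each suspicious member name to its reasons; clean members are omitted."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(16)  # only the magic bytes are needed
            reasons = inspect_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Construct a test archive shaped like the 'Love you' lure (no real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("IMG_0042.jpg.js", "// placeholder script body\n")
        zf.writestr("love.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 12)  # real JPEG header
        zf.writestr("poem.png", b"<html>not an image</html>")       # wrong magic
        zf.writestr("readme.txt", "hello\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in inspect_zip(build_sample_zip()).items():
        print(f"{member}: {', '.join(reasons)}")
```

Checking the magic bytes as well as the name matters: Explorer hides known extensions by default, so "IMG_0042.jpg.js" is shown to the user as "IMG_0042.jpg", while a gateway that only trusts the name would also pass a file called "poem.png" that is really HTML. Reading just the first 16 bytes of each member keeps the check cheap even for large archives.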

Australian Early Warning Network compromised to generate spam

In early January this year, a hacker breached the Early Warning Network (EWN) of the state of Queensland, Australia. The target is a government service used to send emergency alerts to citizens pertaining to natural calamities, evacuation instructions, and other incidents requiring immediate action. The unidentified intruder accessed the network’s user database and sent out bogus alerts saying, “EWN has been hacked. Your personal data is not safe” and recommending that the recipients unsubscribe from the service. It appears that the hacker’s motivation was simply to disrupt the entity’s operation and have fun.

The bottom line

Computer viruses come and go, but social engineering perseveres as an invariably effective way of defrauding users and infecting systems. Spam is so prolific because it exploits human “vulnerabilities” rather than software or hardware flaws. The incidents above show how easy it is to fall for these campaigns nowadays. The rogue emails are designed competently enough to evoke trust, and the malware payloads that lurk in the attachments are becoming increasingly subtle.

All in all, spam is a serious issue and will stay that way. In the meantime, users should learn to identify the telltale signs of these tricky messages. If the sender is unfamiliar and the email contains some kind of request or recommendation, such as to open an attachment, moving it to the trash is the best reaction. Another tip is to set your mail client’s spam filtering to its strictest level so that it blocks suspicious messages. Modern antivirus products also help block spam, so keeping your security software up to date is strongly recommended. Privacy-focused people can also read VPN reviews and employ this type of security software to encrypt all their data in transit.


Written by david.w.balaban | Editor
Published by HackerNoon on 2019/02/19