[My colleague in Spain, Josep Albors, reports that Ontinet has been noticing lots of emails with links to forums. Following the links leads to a forum full of spam products, from replica watches to Viagra. He's published a Spanish-language blog on the topic, but here's a rough translation.]

Sending out unsolicited email on a massive scale is a common practice for certain "businesses" located in Russia or in neighbouring countries. For years this approach has been working quite well for them: using botnets to send the mails in question keeps the cost for these companies very low. In our laboratory we regularly monitor mail campaigns of this type, and they basically consist of sending emails containing web links where the unsuspecting visitor is likely to be offered all kinds of dubious products and services.

But this week we have seen a change of pace in campaigns of this type, which have started to feature many forums specifically created in order to publish posts that continually advertise such products. It all starts with an innocent email that may contain various topics and types of content but always invites us to follow a link. Let's look at an example:

In this particular case, after clicking on the provided link, we are redirected to a post published in a forum, where a beautiful young lady presents us with photos and personal information, with the alleged intention of finding a partner. Obviously, this is an example of the so-called Russian bride scam, where some poor innocent believes he has found a possible soul-mate, and an exchange of emails with the alleged Miss ensues, culminating in a request for money to enable "her" to travel to see him. Once "she" receives the funds, of course, the conversation is likely to die away abruptly.

However, being curious to see what kind of posts are published in such a forum, we decided to investigate further and analyse the material. We soon realized that the forum itself was being used to promote all kinds of spam offers, as you can see in the screenshot that we show below:

During our analysis, and on comparing this forum with others, we noted that most of these forums were created last weekend, and that the only content published offers these products and services of dubious provenance. Today we find many, many messages created with this type of post (in just one of the forums we investigated, over 50 pages of posts were published in only 3 days). To give just two examples of advertised products, there are classic products with effects similar to Viagra:

Or luxury items such as handbags or replica watches: 

As you can see, the creators of this type of spam seem to have found a rich new vein to mine in the creation of such forums. It is now relatively easy for anyone to create their own forum, and with the ease of automation and the resources that are now available to those behind these criminal activities, we are likely to face the creation of thousands of forums of this type in a short space of time.

ESET's laboratory at Ontinet.com recommends that users who receive messages like this delete them without accessing the provided link. Also, if you come across a similar message in a reputable forum, it is advisable to inform the maintainers of the forum so that they can remove malicious posts. Only in this way will we avoid an escalation in this type of campaign that might well evolve into a massive spread of malware.

Josep Albors
 

An interesting twist...

David Harley CITP FBCS CISSP
ESET Senior Research Fellow