Swine flu spam is spreading like a virus of its own and recently turned malicious.
Spam campaigns often start with harmless e-mail messages and slowly build into more serious threats, according to Stephan Chenette, manager of security research at Websense Inc.
“Spammers are generally very well connected with each other and see how well it’s working. It always goes through the test phase,” he said.
They test campaigns with less threatening approaches, share feedback between each other, figure out what works and what doesn’t and then launch increasingly harmful attacks, he explained.
“By us seeing they’ve increased the number of e-mails that are going out surrounding the swine flu, it indicates that so far it’s been a very successful campaign,” he said.
Websense has been tracking this latest trend, which has grown in the past week. The number of e-mail messages with subject lines related to Swine Flu is in the tens of thousands, according to Chenette.
The trend started off with traditional medical spam — or medspam — that didn’t necessarily scam users, he said. “They were enticing the users by scaring them, but there were no malicious attachments.”
Then the spam evolved into money-making schemes, with spammers trying to sell pharmaceuticals, medical devices and PDFs that contain generic information on the swine flu for $20 to $30, he explained.
“Medspam has always been something that spammers have used for making money and the fact that there’s a flu-type symptom that allows them to sell their story in a more convincing way has been good for spammers,” he said.
The first swine flu e-mail with a malicious attachment surfaced this week. Symantec Security Response analyzed the file, which poses as a PDF document of Swine Influenza FAQs.
“When users attempt to access the PDF file, malcode within the PDF attempts to exploit an old Adobe vulnerability (BID 33751) in order to drop malware on the local computer,” said a Symantec report.
Symantec detects the malicious PDF as Bloodhound.Exploit.6 and the dropped file contained in the PDF as InfoStealer, a trojan. Symantec rates it a Level 1 threat — on the low end of the scale.
Users who follow typical best practices don’t have much to worry about, said Marc Fossi, manager of Symantec Security Response.
A patch from Adobe has been available for some time now, antivirus software would detect the threat if it attempted installation and anti-spam software might stop the e-mail in the first place, he explained.
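The layered defences Fossi lists (patch, antivirus, anti-spam) can be supplemented at the mail gateway with a simple attachment triage step. The following is an added illustration, not code from the article or from any vendor quoted in it: it parses an inbound message, pulls out PDF attachments, and holds for analysis any PDF that declares active content. The marker list and the lure regex are assumed heuristics, and the sample message and its PDF-like attachment are constructed for the example.

```python
import base64
import re
from email import message_from_bytes, policy

# Markers of active content inside a PDF. Ordinary documents rarely need them,
# so an attachment carrying them is a candidate for sandboxing rather than
# straight delivery. (Assumed heuristic list, not taken from the article.)
ACTIVE_CONTENT_MARKERS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/Launch", b"/AA")

# Constructed, benign stand-in for the FAQ attachment the article describes:
# a PDF-like blob whose catalog declares an OpenAction that runs JavaScript.
FAKE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    b"2 0 obj << /S /JavaScript /JS (app.alert('constructed sample')) >> endobj\n"
    b"%%EOF\n"
)

# Constructed sample message, not a real capture.
SAMPLE_EML = (
    b"From: alerts@example.invalid\r\n"
    b"To: staff@example.invalid\r\n"
    b"Subject: Swine Influenza FAQ - read immediately\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n--b1\r\n"
    b"Content-Type: text/plain\r\n\r\n"
    b"Please see the attached FAQ.\r\n"
    b"--b1\r\n"
    b'Content-Type: application/pdf; name="swine_flu_faq.pdf"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b'Content-Disposition: attachment; filename="swine_flu_faq.pdf"\r\n\r\n'
    + base64.encodebytes(FAKE_PDF)
    + b"--b1--\r\n"
)


def pdf_active_content(blob: bytes) -> list[str]:
    """Return the active-content markers present in a PDF byte string."""
    return [m.decode() for m in ACTIVE_CONTENT_MARKERS if m in blob]


def triage_message(raw: bytes, lure_pattern: str = r"swine\s+(flu|influenza)") -> dict:
    """Parse an RFC 5322 message and report PDF attachments worth holding.

    The result records the subject, whether it matches the current-events lure,
    and one entry per PDF attachment with its filename and any active-content
    markers. A message is held when a PDF carries active content; the lure match
    only raises the priority of the case, it does not decide it.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    subject = msg.get("Subject", "")
    report = {
        "subject": subject,
        "lure_match": re.search(lure_pattern, subject, re.IGNORECASE) is not None,
        "pdf_attachments": [],
        "hold_for_analysis": False,
    }
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        declared_pdf = part.get_content_type() == "application/pdf"
        payload = part.get_payload(decode=True) or b""
        # Check the magic bytes too: the declared type and extension are attacker-controlled.
        pdf_magic = payload.startswith(b"%PDF")
        if not (declared_pdf or filename.lower().endswith(".pdf") or pdf_magic):
            continue
        markers = pdf_active_content(payload)
        report["pdf_attachments"].append(
            {"filename": filename, "pdf_magic": pdf_magic, "active_content": markers}
        )
        if markers:
            report["hold_for_analysis"] = True
    return report


if __name__ == "__main__":
    print(triage_message(SAMPLE_EML))
```

The check deliberately keys on what the attachment does (declares active content) rather than on the lure text, since the theme changes with every news cycle while the delivery mechanism does not; the subject match is kept only as a priority signal for the analyst queue.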
“There’s actually nothing overly unique about it. We’ve seen malicious code using this sort of technique fairly commonly … the social engineering aspect is the real standout here,” said Fossi.
Current events are great triggers for spam and phishing campaigns, said James Quin, senior research analyst at Info-Tech Research Group Inc.
While the underlying malware in the Swine Flu FAQ e-mail is inconsequential, the technique used to get the malware into end machines is interesting, he said.
“What makes this one stand out is the same type of techniques that phishers use are now being used for malware,” said Quin.
But the malicious e-mail doesn’t surprise Chenette. “There’s going to be more malicious attachments and exploits and various kinds of malicious executables attached to these e-mails going out,” he said.
A similar pattern occurred during the SARS outbreak in early 2000, according to Chenette. SARS-related spam led to malicious executables attached to the e-mails, so that’s the direction Websense sees spammers going with the Swine Flu, he said.
Attaching malware to spam isn’t typical anymore, according to Chenxi Wang, principal analyst in Security and Risk Management at Forrester Research Inc.
“In the old days, when spam first came into existence, they carried malicious attachments,” she said. But as companies “became smarter” and started disallowing e-mail attachments, spammers stopped adding malicious attachments to their e-mails, she explained.
It’s more common for spammers to put URLs in spam messages and entice people to click on them. The link sends the victim to a Web site that may carry malware itself, or that may in turn link to another site that does, she said.
“I don’t know how successful attaching malware straight in an e-mail would be because unless the malware is very polymorphic … it’s pretty easy to be detected by antivirus software,” said Wang.
Wang also doesn’t consider the malicious e-mail attachment a sign that spammer techniques are changing. “You will still see spam with embedded URLs versus those with malicious attachments,” she said.
While it’s hard to say whether spam related to the swine flu will continue to grow, Fossi said it wouldn’t surprise him. Symantec saw the same pattern during the U.S. presidential election and last fall during the economic crisis.
Spammers often work with themes, which could include sporting events like the Olympics, but themes that induce fear are often the most successful, according to Chenette.
“Spammers are heavily making use of the theme around the swine flu because there is a big scare. Whenever they are able to scare users, the likelihood of it being successful greatly increases as opposed to sporting events,” he said.
But the amount of spam circulating around the swine flu isn’t unusual for a major event, according to Wang. “I think it’s average in terms of scale,” she said.
“We’ve seen inauguration spam when Barack Obama took office and we saw things like Twitter spam when Twitter became popular,” she said.