MP3 spam is making a bit of a comeback.
According to security pros, spammers have returned to an oldie-but-goodie in a spate of new attacks. Symantec has been tracking a campaign in which a small .mp3 file promoting a meds domain is attached to the e-mail messages. The messages have no subject line or message body, a tipoff that should make them immediately suspect. The file itself is a five-second message recorded in a female voice and is heavily distorted with background noise.
Some of the random filenames used include: milsoppy.mp3, enwomb.mp3 and realiser.mp3. According to Symantec, the domain name described in the file is a recently registered domain in China.
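The three traits described above (no subject line, no message body, a small .mp3 attachment) can be checked together as a mail-filter heuristic. The sketch below is an added example, not Symantec's detection logic; the function names and the 100 KB size threshold are assumptions, and the test messages are constructed rather than captured spam.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed cutoff for a "small" file; the article gives no size.
MAX_MP3_BYTES = 100 * 1024

def build_sample(subject, body, attach_name=None, payload=b""):
    """Build a constructed test message (not a captured spam sample)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    if subject:
        msg["Subject"] = subject
    if body:
        msg.set_content(body)
    if attach_name:
        msg.add_attachment(payload, maintype="audio", subtype="mpeg",
                           filename=attach_name)
    return msg.as_bytes()

def mp3_spam_indicators(raw):
    """Return which of the three traits a raw RFC 5322 message shows."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if not (msg["Subject"] or "").strip():
        hits.append("empty_subject")
    # get_body() returns None when there is no text/plain or text/html part.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    if not text.strip():
        hits.append("empty_body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        is_mp3 = name.endswith(".mp3") or part.get_content_type() == "audio/mpeg"
        if is_mp3 and len(data) <= MAX_MP3_BYTES:
            hits.append("small_mp3_attachment")
            break
    return hits

def is_suspect(raw):
    """Flag only when all three traits co-occur, to spare ordinary mail."""
    return len(mp3_spam_indicators(raw)) == 3

if __name__ == "__main__":
    spam_like = build_sample(None, None, "milsoppy.mp3", b"\x00" * 4096)
    print(mp3_spam_indicators(spam_like), is_suspect(spam_like))
```

Requiring all three traits keeps a normal message that happens to carry an audio clip from being flagged on the attachment alone.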
“Our analysis shows that the majority of these spam messages originated from Europe (81.5%), followed by South America (8.3%). Asia and North America each contributed just over 3%,” blogged Symantec’s Samir Patil. “Old trends never die, they just resurface from time to time. Case in point, spammed messages that have .MP3 file attachments, which were last seen two years ago, made their presence felt once again today.”
MP3 spam first appeared on the scene in 2007, but never gained much traction.
“I remember the excitement in the MessageLabs anti-spam team when the first spam with an MP3 file was intercepted, back on 18 October 2007,” noted Dan Bleaken, Malware Data Analyst at Symantec Hosted Services, in a post on a Symantec blog. “At that time we were watching particularly carefully for the appearance of new file types in spam. Image spam had been huge over the Summer of 2007, especially images containing randomised pixels (an attempt to bypass traditional signature-based detection)…Back in 2007 it was particularly interesting to discover the use of MP3s in spam messages as it had been the first time that audio was being used to relay the spammers’ messages, and was used in stock spam e-mails (An attempt to ‘pump and dump’ – something we have also recently seen the return of – see http://tinyurl.com/ybmaux8).”
Researchers at Trend Micro reported another MP3 spam campaign pushing Viagra and other sexual enhancement pills. The voice in the message urges users to visit a Web page that points to Canadian pharmacy sites. Sophos also reported seeing the campaign.
According to Symantec, the spam involved in the Canadian pharmacy scheme originates from the “Cimbot” botnet, which is estimated to be between 10,000 and 20,000 bots in size.
As always, if you see an e-mail from a person or entity that you don’t know or that seems suspicious, don’t click on it.