Security researchers from Avira have intercepted pharma spam emails purporting to originate from Twitter, which use some interesting HTML techniques to trick anti-spam filters.
The rogue messages come with a spoofed "From" field to appear as if they originate from Twitter, and have a "You have 2 urgent messages from Twitter!" subject.
We've seen spam emails posing as unread-message notifications from Twitter before, but they looked exactly like the real thing and usually directed recipients to malware-pushing websites.
In this case, the email body displays a green Greek cross, the symbol associated with pharmacies in many countries, particularly in Europe.
This cross is created using HTML tables and styling, and a message displayed next to it in a large font reads: "buy medications online here or here" (with links on each "here").
However, this is just a visual trick and not regular text. Each letter making up the words of the message is actually separated by a little "j" character intentionally colored white to blend into the background.
In addition, two empty paragraphs appear above the cross symbol. In fact, these contain white-colored links for google.com, aol.com, amazon.com and yahoo.com repeated several times.
These websites are amongst the most popular on the Internet and offer a plethora of services. By including links to them, the spammers hope to get their emails whitelisted.
Similarly, the message-hiding technique, which makes the text look like a bunch of random letters to email parsers, is used to evade Bayesian spam filters.
According to the Avira researchers, the links attached to the two "here" words direct recipients to Canadian Pharmacy websites.
This is particularly interesting, because online pharmacy spam dropped drastically at the beginning of this month.
This unusual development was attributed to the closure of Spamit, the world's largest online pharmacy affiliate program.