The Big Business of Spam: Stay clear of these “too-hot-to-miss” sale opportunities from your Facebook Friends

We’ve previously warned about deals that are too good to be true (https://barracudalabs.com/2015/05/the-big-business-of-spam-dr-ozs-brand-new-trick-to-shed-27-pounds-in-just-one-month/), and with summer in full swing, the Barracuda Labs team has seen more and more fake domains (such as rb-to.com, raybanglassesofhot.com and summer-raybans.com) popping up in feeds and social media timelines. Our Labs team ran a background check on the domains, and many of them, including those listed above, appear to be registered in China.

While browsing your Facebook or Twitter timeline, you may have come across “sponsored ads” that seem too good to be true. Most can be spotted immediately and swiftly ignored; however, you may also have been tagged in a post, or received a message on your personal timeline from a friend, directing you to a killer sale. See Figure 1 for an example.

Figure 1.

The example above shows an ad for Ray-Ban, a popular sunglass retailer whose classic sunglasses range from $155 to $200, that looks as though it was shared by a regular user or even a friend on Facebook. The ad targets unsuspecting consumers looking to score name-brand sunglasses for up to 80% off.

Figure 2.

The idea here, as in any scam, is to entice unknowing consumers to jump on the hot deal and “buy” the Ray-Bans at such low prices. Once the links are clicked, the consumer is redirected to what looks like a legitimate discount website offering up to 80% savings on multiple styles; see Figure 2 and Figure 3 for examples.

Figure 3.

The phisher hopes that the deal is too good for the consumer to pass up and that the consumer goes ahead with the purchase. At that point the phisher is hoping the consumer will enter personal data such as first and last name, email address, home address and credit card information, which the phisher can then sell on to third parties.

It is always smart to use best practices when shopping online. Here are a few tips: Do a bit of research and go...

The Big Business of Spam: What Caitlyn Jenner Uses to Prevent Wrinkles and Stop the Aging Process

The cover of Vanity Fair’s July 2015 print issue was published on the Vanity Fair website on June 1 and revealed the newly transformed Caitlyn Jenner. The cover photo went viral, reaching over 46 million people across Vanity Fair’s website and social media, with the internet virtually exploding. Jenner even beat President Obama’s record for reaching 1 million Twitter followers, doing it in just under five hours.

With Jenner’s name in the headlines this week, it’s no surprise that spammers have jumped on the opportunity to use her likeness to trick users into visiting sites that push beauty products, in hopes of making money. So far, we’ve seen over 100K samples and variants of spam emails using Caitlyn Jenner as the lure to get people to click on compromised links. The emails all have different subject lines but include the same content in the email body. The spam appears to be coming from possibly compromised machines, most of which trace back to IP addresses in the United States.

Figure 1 below is an example of the emails that are being sent out in large quantities, hoping to entice users into clicking on spammy links. The embedded links in the email, titled “Caitlyn swears she just used this” and “Here is what went down”, redirect users to the following website, http://www.goodbodyhealthtips.org/index.php?aff_sub=1394&aff_sub2=190076&aff_sub3=1021342e9d6b955d9a9c66e5ed3293 (labeled “wrinkle miracle”), which pushes an anti-aging facial cream to prevent wrinkles, Dermakin Anti-Aging Cream, which the site claims was revealed by Dr. Oz.

Figure 1

As shown in Figure 2 below, once on the page the user will see the headline “Revealed by Dr. Oz! Jen’s Closely Guarded Secret For A Wrinkle Free Face”, which is said to have been featured in Yahoo!, Woman’s Day, VANITY FAIR, TIME, People and Aol.

Figure 2

Figure 3 below shows that, while on the page, the user will see “before” and “after” photos of stars like Ellen DeGeneres, Katie Couric, Goldie Hawn and Barbra Streisand who have allegedly used the wrinkle cream.

Figure 3

At the bottom of...

The Big Business of Spam: Dr. Oz’s Brand New Trick to Shed 27 Pounds in Just One Month!!

With a high obesity rate in the United States, people are hoping to find a miracle cure for weight loss. Unfortunately, spammers understand this, which is why it’s no surprise that Barracuda Central has picked up about 6,000 diet-spam emails since the beginning of 2015. With the Memorial Day holiday just past, signaling bikini season, it’s also no surprise that we have seen a rise in the volume of diet spam, showing how carefully spammers time certain types of spam and how that planning feeds the big business of spam.

Figure 1

One name often seen in the media in relation to weight-loss cures is Dr. Oz, who is no stranger to scrutiny. Spammers often take advantage of his name and of people’s hope for a weight-loss miracle cure. In this specific email (Figure 1), when a user opens a link, they are directed to a news-style webpage that describes Dr. Oz’s weight-loss discovery. This type of spam often displays names and pictures of well-known people to entice the reader even more; Rachael Ray is used in the example below (Figure 2). The site claims that “Pure Forskolin Extract” (see the ad in Figure 3), which was actually introduced on the Dr. Oz show, is a “miracle pill” weight-loss solution. It claims to burn body fat and leave the person with only lean muscle.

Figure 2

Although the website is fake, parts of its content make it look legitimate to users. The first thing the user will notice is the video of Dr. Oz advertising the Forskolin supplement as something that melts belly fat. The website also uses content from healthierlivingdecision.com to make it look legitimate and mask the true nature of the site. But if the user clicks on any of the links on the website, including the registration link, it will direct them to the product page where they are prompted to enter their personal...

Better Call Saul… New Crypto Ransomware using Breaking Bad Theme Emerges in Australia

According to reports from ABC Australia (http://www.abc.net.au/news/2015-05-11/new-computer-ransomware-encrypts-files-asks-for-up-to-1000/6461606), a new crypto ransomware threat is circulating in Australians’ email inboxes. You probably remember the Cryptolocker Trojan, one of the scariest bits of malware we’ve seen in a while. Cryptolocker is ransomware that restricts access to a victim’s files until the victim makes a payment to the criminal. Once the payment is made, the criminal may or may not release access to the files. Read more about Cryptolocker in this blog post: http://blog.barracuda.com/2014/01/09/are-you-prepared-for-cryptolocker/

This latest version of Cryptolocker takes on the branding of the late, great, popular TV show Breaking Bad. It uses the “Los Pollos Amigos” name, which is the restaurant that provided money laundering and was the base for other operations on the show. The ransomware also links to a video that shows victims how to use bitcoin, which was likely included to help the victims pay the ransom. Researchers believe that the ransomware is spread via email and downloaded through an infected zip attachment. Barracuda Email Security Service and Barracuda Spam Firewall customers are protected from these types of emails.

Ransomware is a particularly sinister attack, because it forces you to interact with the criminals in order to get access to your data. This particular version even includes the phrase “the one who knocks” in the email address, which is insult added to injury for those who are familiar with Breaking Bad.

Most of you reading this blog are IT pros, so you already know how to deal with malware, and you’ve probably already heard of Cryptolocker. This Breaking Bad version gives you a good opportunity to revisit your Cryptolocker defense plan, including security software, your backups, and the overall state of your network. Are your users protected from malware, and ransomware in particular? Is there anything more you can do? If you are battling a budget crunch and you need help selling the decision makers on solutions, consider adding Cryptolocker to your talking points:

- Even police departments and governments are paying the ransom
- Untraceable...

The Big Business of Spam: Scammers once again looking to capitalize on a tragic natural disaster

Tragic events such as the magnitude 7.8 earthquake that hit Nepal last week have brought a tremendous outpouring of help from countries all over the world. Unfortunately, the disaster has also been used as a ploy to dupe users into falling for monetary scams. Spammers looking to capitalize on the best intentions of others have begun their campaign of deception by following a well-known scam known as “419”, which promises a victim a significant amount of money, but only after a payment has been made to ‘verify the identity’ of the would-be victim. Online versions of the scam originate primarily in the United States, the United Kingdom and Nigeria. The number “419” refers to the section of the Nigerian Criminal Code dealing with fraud.

Once the requested information is given, the next steps for collecting the “relief fund” are sent. The potential victim is instructed to send a wire transfer fee via Western Union to receive the funds that have been promised to them. Sadly, no such funds are forthcoming, and victims are left with their money and sensitive data in the hands of scammers. The FBI has set up a phone number, (866) 720-5721, to report any such instances; more information regarding these types of attacks, as well as good advice on staying safe, can be found here: http://www.fbi.gov/sandiego/press-releases/2015/fbi-warns-public-of-disaster-scams.

This is yet another example of how scammers are building a big business around the use of various spam techniques. Yesterday we shared with you a scam in which spammers are using the recent Bruce Jenner interview to drive users to potentially malicious websites that sell weight-loss drugs. As always, we recommend that no unsolicited donations be made and no sensitive information be shared online with unfamiliar persons. As a rule of thumb, keep in mind that if it sounds too good to be true, it most likely is. For more in this Barracuda Labs blog series,...

The Big Business of Spam: Bruce Jenner’s untold confession and allegations of abuse of the Kardashian Sisters

The rise in third-party affiliate spam marketing pharmaceutical products is one of the more alarming trends we have seen. In fact, pharmacy spam has increased 20 percent so far in 2015 compared to what we saw in 2014. Although the products are legal to purchase and use, they have not been vetted or approved by the FDA. This presents a double risk for victims: the dubious business practices may result in financial loss and identity theft, while use of the product may result in a serious health problem. In this blog series, The Big Business of Spam, Barracuda Labs will explore the various business opportunities created using different spam techniques.

The media has covered the Bruce Jenner special with Diane Sawyer more than it has covered the recent tragedy in Nepal, where a magnitude 7.8 earthquake took the lives of over 4,000 people. That makes it a perfect topic for spammers, who are always willing to take a positive story about personal triumph and use it to steal from curious readers. Spam with subject lines such as ‘Kardashians beaten by Bruce Jenner’ and ‘Bruce Jenner posts naughty photos of Kardashian sisters’ has been distributed with links that redirect consumers to a website for pills containing the extract Caralluma, a plant from India that is often used to suppress appetite. Spammers often use celebrities to promote products in hopes of making them look more legitimate to consumers.

Barracuda Central has detected over 750,000 instances of these emails being sent from botnets and individually infected hosts around the world. These emails lead to several different domains, which all lead back to a single purchase page for Caralluma. This attack is similar to the recent Pope / Neuroflexyn email (https://barracudalabs.com/2015/04/the-pope-makes-shocking-admission-he-takes-pills-for-what/), in that it uses sensational topics and spam to market what appears to be a legitimate product. In this case we have not yet observed infected attachments, phishing attempts, or drive-by downloads. However, spam is a big...