What’s old is new again: Spammers revived old schemes in March quarter

Spammers revived some old scams during the first three months of the year to wrap their tentacles around unsuspecting netizens, according to junk mail fighters.

Meanwhile, spam volumes during the time frame remained flat when compared to the previous quarter.

One technique that saw a resurgence during the March quarter was the use of “white text,” according to Kaspersky Lab’s Q1 2013 Spam Report.

[See also: Cybercriminals are just businessmen at heart]

The method embeds random pieces of text in the spam message. The insertions are typically in a light gray font against a gray background and are separated from the main text of the spam ad with a lot of line breaks.

“The scammers expect content-based spam filters to regard these emails as newsletters and, besides, the use of random news fragments makes each email unique and thus difficult to detect,” Kaspersky reported.

The technique also exploits the fact that anti-spam solutions are designed to block newer spam tricks instead of older techniques, added Kaspersky senior researcher Roel Schouwenberg. “Their detection rates of spam messages from months or years ago may actually decrease,” he said in an email. “This is why we see a resurgence of old techniques occasionally.”

Record performance by the Dow Jones Industrial Average appeared to put new life into “pump and dump” schemes during the quarter. In that scam, an online grifter will buy some “penny stocks” and flood the Net with spam about what a great investment the stock is. The idea is to get investors to buy the stock and send its price higher.

“People do respond to these things and pump the price up,” Troy Gill, a senior security analyst with AppRiver said in an interview. “If it goes up just 10 cents, these guys can make a pretty decent margin.”

“That’s something we used to see a lot of in 2008-2009,” he added. “We really didn’t see much of it for a long time, but it’s been happening quite a bit this year.”

In the SMS spam sphere, another old standby has shown some growth over the last two quarters: work-at-home scams. “We’re seeing it in email as well,” Andrew Conway, a threat researcher with Cloudmark, said in an interview.

The scam is primarily used to recruit money mules, he explained. After being recruited through a spam message, the “mule” is told they’ll receive a sum of money in their bank account — typically under $10,000 to avoid being flagged for federal regulators. The mule then wires the money — minus a handling fee of eight percent or so — to an offshore spammer.

In April, 96 money mules were used to fleece a hospital in Washington state of $1 million. The attack could have been worse, but the attackers ran out of money mules to launder the money, according to cyber security columnist Brian Krebs.

“Coincidently with that attack, we saw an uptick in both SMS and email spam trying to increase money mules,” Conway said.

A more recent spam trend involved the use of links to brand-name services to obfuscate malicious links, Kaspersky reported. The malicious link is masked by two legitimate ones, with spammers using the Yahoo URL shortening service and then processing the subsequent link through Google Translate.

The combination of these techniques makes each link in the mass mailing unique. In addition, use of the two well-known domains adds “credibility” to the links in the eyes of the recipient.

“These are legitimate services,” Schouwenberg said. “So the domains themselves are trusted, even if the ultimate URL shouldn’t be.”

“For anti-spam solutions that don’t perform any deep analysis, it will look like these messages are clean,” he added.

Kaspersky also noted that spam volumes were flat during the quarter, increasing just over half of a percentage point over the previous quarter. On average, it noted, 66.55% of the email on the Internet on a daily basis during the time frame was spam.

“The percentage of spam in email has slowly been declining,” Schouwenberg said. “It’s unlikely that trend will suddenly reverse.”