Internet Security Systems - AlertCon(TM)

Image spam - reborn and trying to rejuvenate YOUR health!

Posted by Ralf Iffert & Holly Stewart on May 04, 2009 at 12:59 PM EDT.

As we reported in the 2008 Trend & Risk Report, 2006 was the boom year for image-based spam.  It started declining in 2007, and practically went into extinction by early 2008 when it rarely exceeded 2% of all spam.

In October 2008, image-based spam hit 5% just before taking the biggest dip ever seen, going down to less than 1% of all spam after the McColo shutdown.  That small uptick was perhaps foreshadowing of changes to come.

Hello Spring 2009!  What was once old is now new again.  Since March 20th, we have been witnessing a rebirth of image-based spam.  At first, we saw a small trial of image-based spam, reaching 5-10%.  Then, in late April, we saw another blast (this time a much bigger effort) reaching 15-22% of all spam.

Let’s have a closer look at the properties of this newly-introduced image spam:

  • Most of them are of pharmaceutical nature, advertising drugs, pills, etc.
  • Only a few of them use random pixels, and many of them even have identical binaries.
  • Many of these spam messages contain random text below the image.
  • Most of them do not contain any web links that the user can click.
  • Most of them ask the user to visit a .com Web site with a domain name consisting of six digits like 123456.com, and the user has to manually type that URL into the browser.

Technically, there are no new techniques in this spam.  Thus, most anti-spam filters should block them, for example, by using fingerprints (like Proventia Network Mail Security System does).
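The fingerprint approach mentioned above, applied to the properties listed earlier (identical image binaries, no clickable links), as an added example that is not part of the original post or of Proventia: it hashes each image part of a MIME message and flags messages whose image matches a known fingerprint, or that carry an image but no link in the text. The message builder, addresses, image bytes and known-bad set are all constructed test data.

```python
import email
import email.policy
import hashlib
import re
from email.message import EmailMessage

# Any scheme or bare www. in the text counts as a clickable link.
URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)

# Constructed placeholder "image": not a real spam sample, just bytes to hash.
SAMPLE_GIF = b"GIF89a" + bytes(range(32))
# Constructed fingerprint list, as a filter would maintain from previously seen spam.
KNOWN_BAD = {hashlib.sha256(SAMPLE_GIF).hexdigest()}


def build_message(image_bytes: bytes, text: str) -> bytes:
    """Assemble a constructed multipart test message: plain-text body plus an image part."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"  # constructed addresses
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "hello"
    msg.set_content(text)
    msg.add_attachment(image_bytes, maintype="image", subtype="gif", filename="ad.gif")
    return msg.as_bytes()


def image_fingerprints(raw: bytes) -> list:
    """SHA-256 over each decoded image part; identical binaries give identical fingerprints."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    return [hashlib.sha256(part.get_payload(decode=True)).hexdigest()
            for part in msg.walk() if part.get_content_maintype() == "image"]


def text_body(raw: bytes) -> str:
    """Concatenate all text/plain parts (the random filler text sits here in image spam)."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    return "\n".join(part.get_content() for part in msg.walk()
                     if part.get_content_type() == "text/plain")


def classify(raw: bytes, known_bad: set) -> str:
    """Exact fingerprint hit is spam; an image with no link in the text is suspicious."""
    fps = image_fingerprints(raw)
    if any(fp in known_bad for fp in fps):
        return "spam:fingerprint"
    if fps and not URL_RE.search(text_body(raw)):
        return "suspicious:image-without-links"
    return "clean"
```

Because the sender has to rely on the recipient typing a six-digit .com domain by hand, the "image but no link" heuristic catches the campaign even before its fingerprint is known; a real filter would weight it rather than treat it as a verdict.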

From the WHOIS information of the domains shown on the images, all of them have similar WHOIS registration information. The domains are registered at registrars that are infamous for URL spam, like:

  • 35 TECHNOLOGY CO., LTD
  • CENTROHOST CLOSED JOINT STOCK COMPANY
  • XIAMEN ENAME NETWORK TECHNOLOGY D/B/A ENAME.CN ENAME.COM
  • XIN NET TECHNOLOGY CORPORATION

Regarding the content of the spam, there is only one major difference in comparison to the image spam of 2007.  Two years ago, most spam focused on stock trading.  With the financial crisis happening, stock spam probably isn't a lucrative option for spammers.  The focus on drugs is possibly an attempt at preying on people that want to "feel better" during desperate times.

So, why would the spammers return to an old technique especially when getting a successful bite requires a user to actually type the URL into the browser themselves?  Perhaps they are trying to mask their URLs through these images.  In their trial run near the end of March, did they see that some anti-spam systems were losing their edge when it came to image spam? We don’t think so.  Are they simply running out of new ideas and rehashing old techniques?  Maybe.

It will be interesting to see what comes next... maybe we will see another resurgence of PDF spam (considering the focus PDFs have received from an exploitation standpoint, it seems likely), MP3 spam, or even spam with hidden, random text (white text on white background).

Have we somehow hit a plateau of spam techniques?  Who knows?  We can tell you that from the monitoring perspective, it all feels a bit strange.  It's like sitting down to watch the storyline progress in your favorite TV show only to find that the directors have inexplicably substituted an 80's-style montage in its place.
