Spambot Tried to Play Cupid Ahead of Valentine’s Day

Spammers often use a variety of obfuscation methods in an attempt to bypass anti-spam filters. We did some follow-up analysis on a recent dating spam attack in which the spammers inserted spaces between the characters of the URLs in the message body, so that the URL is no longer a single token a filter would recognize as a link. Although this obfuscation technique was widely used in the past, it has been far less prevalent recently. This particular spam run began in the last week of January 2011 and lasted until the first week of February; approximately 12,000 spam messages were observed.

In addition to the URL obfuscation, the subject line and message body in this attack were randomized.

Sample subject line variations observed in this attack are:

Subject: Svetlana Martyushova appeared in the chat

Subject: Tatyana Zhivkova - waiting on you

Subject: Kazak Avrora thinks about you

Subject: Alina Lebedkova wants to see you

Subject: Dobrolyubova Liudmila appeared online

Subject: Nataliya Kostyuka wants you to come

Subject: Alesja Durchenko appeared in a video chat

Sample URLs observed in this attack are:

hxxp://kleopatraoefi.blog spot.com

hxxp://barkovaeminevy.blog spot.com

hxxp://fin pr ep online.com

hxxp://backfin group. com

hxxp://back fing roup.com

hxxp://egorichevkiripo.blogspot.com

hxxp://finp reponline.com

hxxp://bluef   inkids.com

hxxp://finpr eponline.com

hxxp://kleopatraoefi.blog spot.com

hxxp://fi nprep    online.c om

hxxp://barkovaeminevy.blog spot.com

hxxp://backfin group.com

Some of the domains used in these URLs were registered in the United States to the same person, on the same day in August of last year. As several of the URLs show, the spammers also used blogspot.com pages to redirect visitors to the final Web site.

The email implies that the recipient is a registered user of a dating Web site and includes a (broken) link that claims to lead to an application form or a questionnaire from a Russian girl. Most of the links ultimately redirected to roma.animoney.net, a Russian dating Web site associated with Anastasia's Affiliate Program. As expected, the redirection to the dating site occurs only if the recipient first removes the spaces inserted between the characters and opens the reassembled link in a Web browser; as written in the message, the URL is neither clickable nor recognizable as a link. Through such spam emails, the spammers attempt to arouse the curiosity of users who might be interested in interacting with or meeting the Russian girls from whom the emails appear to come. All of the above links are now inactive.
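The space-insertion trick described above defeats a filter only as long as the filter looks for URLs as single tokens. The natural countermeasure is to do what the recipient is expected to do: remove the whitespace, reassemble the URL, and then run the usual checks (blocklists, reputation) against the real host, while also treating "a URL only appears after whitespace removal" as a signal in its own right. The following Python is an added example written for this post, not code from Symantec or from any product; it assumes a short constructed TLD list, accepts the defanged "hxxp" spelling used in this post alongside real "http"/"https", and uses message bodies modelled on the subjects and URLs quoted above.

```python
import re

# Short, constructed TLD list used to anchor the end of a host once the
# whitespace has been removed. A production filter would use the full IANA
# list or the Public Suffix List instead.
TLDS = ("com", "net", "org", "info", "biz", "ru")

# The scheme, tolerating whitespace inside it as well. Accepts the defanged
# "hxxp" spelling used in this post in addition to a real "http"/"https".
SCHEME_RE = re.compile(r"h\s*(?:tt|xx)\s*p\s*(s)?\s*:\s*/\s*/", re.IGNORECASE)

# Applied to the text after whitespace removal: the shortest host that ends in
# one of the known TLDs. The lazy label group keeps prose that runs straight
# on after the URL ("...group.comseeherprofile") out of the host.
HOST_RE = re.compile(
    r"^([a-z0-9-]+(?:\.[a-z0-9-]+)*?\.(?:" + "|".join(TLDS) + r"))",
    re.IGNORECASE,
)


def _raw_length(tail, n_nonspace):
    """Length of the shortest prefix of tail holding n_nonspace non-space chars."""
    seen = 0
    for i, ch in enumerate(tail):
        if not ch.isspace():
            seen += 1
            if seen == n_nonspace:
                return i + 1
    return len(tail)


def extract_urls(text):
    """Find URLs in text even when spaces were inserted between their characters.

    Returns a list of dicts with the span as written ("raw"), the reassembled
    host, the normalized URL (hxxp restored to http) and an "obfuscated" flag
    that is True when whitespace had to be removed to reassemble the URL.
    """
    found = []
    for m in SCHEME_RE.finditer(text):
        # Host material can only run to the end of the current line.
        tail = text[m.end():].split("\n", 1)[0]
        h = HOST_RE.match(re.sub(r"\s+", "", tail))
        if not h:
            continue
        host = h.group(1).lower()
        # Map the reassembled host back onto the raw text so the span we report
        # is exactly what the spammer wrote, spaces included.
        raw = text[m.start():m.end() + _raw_length(tail, len(host))]
        scheme = "https://" if m.group(1) else "http://"
        found.append({
            "raw": raw,
            "host": host,
            "url": scheme + host,
            "obfuscated": any(ch.isspace() for ch in raw),
        })
    return found


def on_blocklist(host, blocklist):
    """True if host or any parent domain of host is blocklisted."""
    return any(host == b or host.endswith("." + b) for b in blocklist)


def classify(body, blocklist=frozenset()):
    """Return the reasons a message body should be held, [] if none apply."""
    urls = extract_urls(body)
    reasons = []
    if any(u["obfuscated"] for u in urls):
        reasons.append("whitespace-obfuscated-url")
    if any(on_blocklist(u["host"], blocklist) for u in urls):
        reasons.append("blocklisted-domain")
    return reasons


if __name__ == "__main__":
    # Constructed message bodies modelled on the subjects and URLs quoted above.
    samples = [
        "Tatyana Zhivkova - waiting on you: hxxp://back fing roup.com see her profile",
        "Svetlana appeared in the chat hxxp://fi nprep    online.c om",
        "Her questionnaire: hxxp://egorichevkiripo.blogspot.com",
    ]
    for body in samples:
        for u in extract_urls(body):
            print(u["raw"], "->", u["url"], "(obfuscated)" if u["obfuscated"] else "")
        print("  verdict:", classify(body, {"finpreponline.com"}))
```

Two caveats a practitioner should keep in mind. First, because the host is cut at the first known TLD after whitespace removal, a host such as example.com.ru would be reported as example.com, and a label that happens to spell a TLD ends the match early; a real implementation should match against the Public Suffix List and prefer the longest valid suffix. Second, the "obfuscated" flag is a strong signal on its own: legitimate mail does not contain "blog spot.com", so a message whose only URLs become valid after whitespace removal can be held regardless of whether the reassembled domain is already on a blocklist.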

We found that these messages originated from diverse geographical locations, which suggests a botnet-driven attack. Further examination of specific IPs confirmed that they were indeed infected machines belonging to more than one botnet: some IPs involved in the attack were identified as part of the Cutwail botnet, while others showed traces of Lethic infection.

Thanks to Paresh Joshi for the spam samples contributed to this blog.