Email Spam Re-produce False News Alerts for “Work From Home” Scams

Scammers have been busy these days generating false news alerts through email spam. In this way, they are trying to advertise their so-called rewarding “work from home” business. They are using names of well known news agencies in the email headers to arouse curiosity in the email reader’s mind. Using these names in the Subject and From headers, they want to give recipients an impression of authenticity. In doing so, users may feel compelled to believe in claims made in the email contents and, of course, to click URLs as well. One of the sample subjects below even goes on to blame the U.S. President Barack Obama and his policies for affecting the unemployed.

Some of the sample headers seen in the attack:

Subject: Yahoo! investigates "impossible" claims.

Subject: Need some money? ITV wants to help

Subject: BBC USA investigates: "Change your life in 60 seconds!"

Subject: Change your life in 60 seconds.

Subject: Obama's policies affecting unemployed

Subject: Yahoo!: Stay-at-home Dad Makes 7,208/Month Part-Time

Subject: Fox investigates "impossible" claims.

Subject: Yahoo! breaking news

Subject: CNN USA investigates latest claim.

Subject: Breaking news for Homemaker Father.

Subject: Fox News investigates latest claim.

Subject: Breaking news for Stay home Mother.

Subject: Homemaker Father claims investigated by TBS

Subject: Need some money? CNN! wants to help






From: "Don't pay a penny." <email address removed>

From: "Fox News: Exclusively for Stay home Mother" <

From: "Don't get scammed, free report." <

From: "Breaking news" <

From: "Yahoo!: "You can't miss this"" <

From: "Free report" <

In the recent past, they used “As seen on Oprah”, “As seen on TV”, or also “ As seen on CNN, ABC, CBS NEWS, NBC, and Oprah” in the email headers and contents. But the difference this time can be seen in the subject which says “BBC USA investigates”, “Fox investigates”, or “Yahoo! breaking news”. If the headers do not have the brand names, the URLs inside the messages may use the names of the news agencies:

[newsagency] [randomnumber]


or domains like:



Some sample messages in the form of images:

As seen in the above examples, they come straight to the point in the content, where users are provided with a Web site promoting schemes to earn money and become rich quickly. On the Web site, there are three steps that a user needs to follow, first of which is to give your personal details like full name, email address, phone number and country. After submitting the details, it guides users to a page where they will be asked to buy a kit. Such Web sites show the normal tempting stuff, like an image showing checks earned, or videos of people benefiting from the scheme. Work-from-home scams work the same way – they simply lure victims into “earn money quick” jobs that require a minimal number of work hours. Scammers further testify the successes of such schemes with the help of images or videos on their Web sites. This can seen as an effort to clear any potential doubts in a potential victim’s mind. Needless to say, these schemes often lead to loss of time and money.

After Osama Bin Laden was killed by U.S. forces last week, online readers wanted to know all the facts of the operation. Therefore, a news alert may be opened without suspicion, or just out of curiosity during this time. These emails were in circulation even before the U.S. raid took place, but looking at the continued format of news alerts, we wanted to keep users informed of this type of spam campaign. Symantec recommends users to follow the standard dos and don’ts published in our monthly Symantec State of Spam Report.