Spammer’s Magical Gifts this Easter

Easter Sunday is one of the most important festivals in the Christian calendar and it is observed anywhere between March 22 and April 25 each year; this year it falls on March 31. Spam messages related to Easter have begun flowing into the Symantec Probe Network. As expected, most of the spam samples encourage users to take advantage of product offers, personalized letters, e-cards, as well as clearance sales of cars and replica watches. Clicking the URL automatically redirects the user to a website containing some bogus offer.

Figure 1. Spam product offer related to Easter

Spammers are also exploiting the event by sending casino spam email using the name "Easter bonnet". The Easter bonnet represents the tail-end of a tradition of wearing new clothes at an Easter festival.

The following spam sample provides instructions for ways that users can acquire a "bonus".

  1. "Three different bonuses can produce some extra winnings."
  2. "Make your deposit and get free spins."
  3. "Free welcome package up to $500."

Figure 2. Casino spam targeting the Easter bonnet

In the next spam sample, users are encouraged to take advantage of bogus offers for purchasing a product. Clicking the URL directs the user to a fake pharmaceuticals website.

Figure 3. Spam website selling fake pharmaceutical products

Figure 4. Personalized letter targeting the Easter festival

Some of the headers observed for Easter-related spam can easily be recognized:

  • Subject: XXX, Get your Easter savings on all vehicles
  • Subject: Shop Easter toys, baskets, plush and more
  • Subject: HappyEasterInAdvance,
  • Subject: Fun and Unique Easter Gifts
  • Subject: Celebrate Easter with a Personalized Gift
  • Subject: Easter eCard
  • Subject: Easter flowers at exceptional savings - shop now
  • Subject: Make the Easter bunny jealous! Easter flowers - from $19.99
  • Subject: Challenge Ends Easter weekend
  • Subject: Easter is hopping your way...and so are $19.99 bouquets!
  • Subject: 25-free spins on xxx this-Easter
  • Subject: Letter From Easter Bunny For Your Child

Symantec advises our readers to be cautious when handling unsolicited or unexpected emails. We at Symantec are monitoring spam attacks 24x7 to ensure that readers are kept up-to-date with information on the latest threats.

Wishing everyone a happy and safe Easter!

Lime Pop: The Next Android.Enesoluty App

The gang that maintains Android.Enesoluty has been busy since last summer registering over one hundred domains used to host app sites and sending spam from these domains. It is now apparent that the group is also still busy developing malware variants. Several days ago, Symantec discovered a new variant of Android.Enesoluty.

As is the case with its predecessors, spam with a link to the app page is sent to potential victims.

Figure 1. Spam used to lure potential victims to the app page

The new malicious app hosted on the app page is called Lime Pop, which (not so?) coincidentally is almost identical to the name of a very popular game app. Like previous variants, the page has a link at the very bottom to an end user license agreement (EULA) that states that the app may upload personal information from the device. We assume the agreement is there for legal purposes.

Figure 2. App page that includes a EULA

Though this is a new variant of Android.Enesoluty, the only difference from previous variants is the set of cosmetic changes made to the malware. The GUI has been replaced to look like a game rather than a battery saver, reception improver, or security app, which were the skins used by previous variants. When the app is launched, it states that the game is attempting to connect to the game server. Seconds later, it instructs the user to check network connectivity. While this is happening, the contact details are uploaded to the scammers’ server.

Figure 3. Skin used by latest variant

The source code is almost identical to other variants and no new functionality or improvements have been added.

While this scam is almost entirely limited to people living in Japan, all Android users should nonetheless be wary of scams such as this one. As you can tell from reading this blog, there are no new tricks involved here. It is the same old game, with just another new weapon added to the arsenal. When looking for apps, Symantec recommends downloading them only from trusted sources. Think twice before clicking on links in emails and SMS messages that are trying to persuade you to download apps, and install a security app, such as Norton Mobile Security or Symantec Mobile Security, on your device. For general safety tips for smartphones and tablets, please visit our Mobile Security website.