Swine flu spam is spreading like a virus of its own and recently turned malicious.
Spam campaigns often start with harmless e-mail messages and slowly build into more serious threats, according to Stephan Chenette, manager of security research at Websense Inc.
"Spammers are generally very well connected with each other and see how well it's working. It always goes through the test phase," he said.
They test campaigns with less threatening approaches, share feedback with each other, figure out what works and what doesn't, and then launch increasingly harmful attacks, he explained.
"By us seeing they've increased the number of e-mails that are going out surrounding the swine flu, it indicates that so far it's been a very successful campaign," he said.
Websense has been tracking this latest trend, which has grown in the past week. The number of e-mail messages with subject lines related to swine flu is in the tens of thousands, according to Chenette.
The trend started off with traditional medical spam -- or medspam -- that didn't necessarily scam users, he said. "They were enticing the users by scaring them, but there were no malicious attachments."
Then the spam evolved into money-making schemes, with spammers trying to sell pharmaceuticals, medical devices and PDFs that contain generic information on the swine flu for $20 to $30, he explained.
"Medspam has always been something that spammers have used for making money and the fact that there's a flu-type symptom that allows them to sell their story in a more convincing way has been good for spammers," he said.
The first swine flu e-mail with a malicious attachment surfaced this week. Symantec Security Response analyzed the file, which poses as a PDF document of Swine Influenza FAQs.
"When users attempt to access the PDF file, malcode within the PDF attempts to exploit an old Adobe vulnerability (BID 33751) in order to drop malware on the local computer," said a Symantec report.
Symantec detects the malicious PDF as Bloodhound.Exploit.6 and the dropped file contained in the PDF as InfoStealer, a trojan. Symantec rates it a Level 1 threat -- on the low end of the scale.
Users that follow typical best practices don't have much to worry about, said Marc Fossi, manager of Symantec Security Response.
A patch from Adobe has been available for some time now, antivirus software would detect the threat if it attempted installation and anti-spam software might stop the e-mail in the first place, he explained.
"There's actually nothing overly unique about it. We've seen malicious code using this sort of technique fairly commonly ... the social engineering aspect is the real standout here," said Fossi.
Current events are great triggers for spam and phishing campaigns, said James Quin, senior research analyst at Info-Tech Research Group Inc.
While the underlying malware in the Swine Flu FAQ e-mail is inconsequential, the technique used to get the malware into end machines is interesting, he said.
"What makes this one stand out is the same type of techniques that phishers use are now being used for malware," said Quin.