
New Type of Spam based on Flash


07/30/2008

A new spam tactic emerged earlier this week that uses hyperlinks to Macromedia Flash files that automatically redirect to a spammer site. In the initial outbreak, the spammer site was of the “Canadian Pharmacy” type; however, the same tactic could be used for any type of spam, or even for redirection to malware sites.

The Flash files themselves are hosted on legitimate image-hosting sites (in this outbreak, Image Shack was used to host the files). This is one more way spammers experiment with bypassing traditional content-based filters, and it’s probably only a matter of time before similar messages are used to distribute malware as well.

How:
Spam messages contain hyperlinks to Macromedia Flash files (ending in .swf). The Flash files contain a function called “getURL”, which simply redirects the user to the spam site. The files themselves are hosted on a neutral third-party image-hosting site.
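The following is an added example, not part of the original post and not SpamSentinel's code: a small Python parser a mail filter could run on a fetched .swf to list the URLs it passes to getURL. It covers only the ActionGetURL record (code 0x83) in top-level DoAction tags of FWS/CWS files; the sample file and the spam-site.example URL are constructed.

```python
import struct
import zlib

TAG_END, TAG_DO_ACTION, ACTION_GET_URL = 0, 12, 0x83


def scan_actions(actions: bytes) -> list:
    """Collect the URL argument of every ActionGetURL record."""
    urls, i = [], 0
    while i < len(actions) and actions[i] != 0:      # 0 = ActionEndFlag
        code, i = actions[i], i + 1
        if code >= 0x80:                             # codes >= 0x80 carry a payload
            (n,) = struct.unpack_from("<H", actions, i)
            payload, i = actions[i + 2:i + 2 + n], i + 2 + n
            if code == ACTION_GET_URL:               # payload: URL\0 target\0
                urls.append(payload.split(b"\0")[0].decode("latin-1"))
    return urls


def get_url_targets(data: bytes) -> list:
    """List URLs passed to getURL in top-level DoAction tags of a SWF."""
    if data[:3] not in (b"FWS", b"CWS"):
        raise ValueError("not an FWS/CWS Flash file")
    body = zlib.decompress(data[8:]) if data[:3] == b"CWS" else data[8:]
    nbits = body[0] >> 3                             # RECT: 5-bit width + 4 fields
    pos = (5 + 4 * nbits + 7) // 8 + 4               # skip RECT, frame rate, count
    urls = []
    while pos + 2 <= len(body):
        (code_len,) = struct.unpack_from("<H", body, pos)
        tag, length, pos = code_len >> 6, code_len & 0x3F, pos + 2
        if length == 0x3F:                           # long tag header
            (length,) = struct.unpack_from("<I", body, pos)
            pos += 4
        if tag == TAG_END:
            break
        if tag == TAG_DO_ACTION:
            urls += scan_actions(body[pos:pos + length])
        pos += length
    return urls


def constructed_sample(url: str, compress: bool = False) -> bytes:
    """Constructed input: minimal SWF whose only action is getURL(url)."""
    arg = url.encode() + b"\0_self\0"
    actions = bytes([ACTION_GET_URL]) + struct.pack("<H", len(arg)) + arg + b"\0"
    tag = struct.pack("<HI", (TAG_DO_ACTION << 6) | 0x3F, len(actions)) + actions
    body = b"\x00" + struct.pack("<HH", 12 << 8, 1) + tag + b"\0\0"
    head = (b"CWS" if compress else b"FWS") + b"\x06" + struct.pack("<I", 8 + len(body))
    return head + (zlib.compress(body) if compress else body)
```

Truncated or malformed files raise an exception, which a filter can treat as grounds to quarantine the message rather than pass it.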

When:
The first such messages were intercepted by SpamSentinel on Saturday, July 26, 5:09 GMT.

How Much:
The messages began in small quantities on Saturday, and by Monday, July 28, had become a massive outbreak. In the last 24-hour period, over 7,000 of these URLs have been created and distributed within millions of spam messages.

SpamSentinel, using CommTouch real-time spam signature checking technology, blocks unwanted email even when new spammer tactics emerge. This technology is based on the fundamental nature of spam and malware, and its distribution en masse.

What will they think of next?



