Spam that contains MP3 files which directs to a Canadian pharmacy website selling cheap Viagra has been detected by several vendors

News by Dan Raywood

Security vendors have reported a resurgence of 'MP3 spam' that aims to promote a Canadian pharmacy website selling cheap Viagra.

Security vendors have reported a resurgence of ‘MP3 spam' that aims to promote a Canadian pharmacy website selling cheap Viagra.

Dan Bleaken, malware data analyst of Symantec Hosted Services at MessageLabs, claimed that the spam uses used voice-synthesised MP3 files which are about five seconds long and contains a message that names a web address; while in the background a recording plays of what appears to be the sounds of a woman recreating ‘that scene' from the film ‘When Harry Met Sally'.

However on visiting the website referenced in the MP3 audio, the recipient of the spam is taken to the well known Canadian Pharmacy website (but hosted on a new domain), which at the moment is Christmas themed.

Bleaken said: “This latest spam run began at 3.30pm GMT on 16 December 2009 and ended at 10am GMT on 17 December 1009. During the period midnight-10am GMT on 17 December, it accounted for 1.2 per cent of all spam, which in terms of actual volumes, based on Symantec's 2009 average daily spam volume of 107 billion, could be more than 500 million messages sent globally during that period.

“Perhaps today, this could be the most frequently ‘downloaded' MP3 track in the world, whether its recipients want it or not.”

Bleaken also identified that the spam originates from the Cimbot botnet which is estimated to be between 10,000 and 20,000 bots in size with 75 per cent of its bots in Europe, particularly Spain and Italy

“Apart from a relatively small burst of spam between 8th and 9th June, Cimbot has been very quiet in 2009 and didn't feature in the MessageLabs Intelligence 2009 Annual Security Report,” said Bleaken.

Rodel Mendrez, threat analyst at M86 Security, commented that the spam campaign is almost identical with one seen a couple of years ago.

He said: “It has similar headers, plain text, no subject line, no message body and only one attachment; an mp3 file. The file, which promotes a cheap Viagra website in a five second audio clip (complete with sexy background noise) - represents a clever attempt to bypass spam filters.

“While a novel idea, we echo what we said two years ago; it is unlikely to be a long lasting phenomenon. Not only is it hard to discern the message, but people are also leery of clicking on attachments in unsolicted email (or they should be). MP3 spam is altogether too gimmicky to work - even perhaps for diehard internet pill buyers.”

Symantec's Samir Patil reported that ‘as of now there are no malicious threats observed in this spam attack' but recommended that users suppress any curiosity about this .mp3 file and do not open it.

Meanwhile Proofpoint said that the MP3 file itself comes as an attachment with a one-word randomised filename (e.g. ‘flossing.mp3') to make it more difficult for anti-spam solutions to detect.

A company blog said: “Proofpoint's attachment-based spam detection capabilities automatically blocked the vast majority of these messages when the attack first launched. This particular campaign is quite a bit more amusing than last year's penny stock pitch mp3 spam. I wonder: Should we hold a remix competition for this one?”


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews