Analysis of a Spam Mail

Yesterday the “Deutsche Telekom” published a warning about a new spam wave on their website. The spam mails themselves look as if they were sent from Telekom's own systems, which is exactly what makes them so dangerous. This prompted me to explain how far the danger currently goes and how Avira can help you stay protected.

First off, I hope I don’t have to tell you that whenever you receive such an email, you should not click or open any URL or attachment in it. The mail itself looks more or less like this:

[Screenshots: spam_01, spam_02, spam_03]

You can be absolutely sure that by clicking or opening URLs, attachments, etc. you will NEVER get anything the sender promises. Quite the opposite: It will create a great many problems. Therefore, please keep your eyes open and avoid such mails!

What happens if I click on the link?

Everyone who actually wants to find out what happens when you click on the URL is in luck. I will show you exactly what you want to know, but please remember to never ever do this from your own computer, because you NEVER know what can happen afterwards. Luckily, we in the Avira Virus Lab have dedicated environments and are prepared for situations like this. 😉

You might have noticed from the screenshots above that the structure of the email body is always the same, right? With wordings like “Check it out” or “Important message” they want to tempt you to click on the URL. The URL itself is randomly generated, which means that you will get a different URL every time. But where does the .php-file lead you once it’s been clicked? Well, it actually redirects you to “hxxp://7dailynews-tv.com”, another page:

[Screenshot: spam_04]
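As an added example (not Avira's code and not part of the original post), here is how a mail gateway or analyst could score a message for the three traits described above: a sender domain the receiving server could not authenticate, a lure phrase, and a link to a randomly named .php file. The sample mail is constructed, and the Authentication-Results header is assumed to have been added by the recipient's own mail server.

```python
import email
import re
from email import policy

# Constructed sample modelled on the campaign: the From header claims a
# telekom.de sender, but the receiving server's Authentication-Results
# header shows that SPF failed and no DKIM signature was present.
SAMPLE_MAIL = b"""\
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=telekom.de; dkim=none
From: "Deutsche Telekom" <service@telekom.de>
To: victim@example.net
Subject: Important message
Content-Type: text/plain; charset="utf-8"

Check it out: http://example.invalid/a8f3k2/index.php
"""

LURE_PHRASES = ("check it out", "important message")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def analyse(raw: bytes) -> dict:
    """Return the indicators a gateway would score for this kind of mail."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_addr = msg["From"].addresses[0] if msg["From"] else None
    from_domain = from_addr.domain.lower() if from_addr else ""
    # Authentication-Results is written by *our* receiving MTA, so it can be
    # trusted; the From header is attacker-controlled and cannot.
    auth = (msg["Authentication-Results"] or "").lower()
    auth_failed = ("spf=fail" in auth or "dkim=fail" in auth
                   or ("dkim=none" in auth and "spf=pass" not in auth))
    body = msg.get_body(preferencelist=("plain", "html")).get_content()
    text = f"{msg['Subject'] or ''}\n{body}".lower()
    urls = URL_RE.findall(body)
    return {
        "from_domain": from_domain,
        "sender_unverified": auth_failed,
        "lure_phrases": [p for p in LURE_PHRASES if p in text],
        "php_links": [u for u in urls if u.lower().split("?")[0].endswith(".php")],
    }


def is_suspicious(raw: bytes) -> bool:
    """Flag only when all three traits of the campaign occur together."""
    r = analyse(raw)
    return r["sender_unverified"] and bool(r["lure_phrases"]) and bool(r["php_links"])
```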

The domain is used to promote malware and phishing attacks. Luckily our current ABS (Avira Browser Security) solution is already aware of it and blocks it:

[Screenshot: spam_05]

But anyway, if you do click through to this page/URL, you will be sent to a “Server not found” page.

[Screenshot: spam_06]

I believe that the service provider has already taken the domain offline so that it poses no further risk.

Summary

I think we can conclude that this spamming campaign is already defeated, but I am sure that the crooks behind it – or some other cybercriminal – will most likely get a new one up and running eventually. We will track this behavior further nonetheless – that’s for sure. And in case you find a suspicious email from a new spam campaign, please submit it to the Avira Virus Lab rather than opening it yourself: https://analysis.avira.com/en/submit

Stay protected!


Team Leader Virus Lab Disinfection Service