Welcome to the Proxy Update, your source of news and information on Proxies and their role in network security.

Tuesday, January 5, 2010

Major Christmas e-Card Spam Campaign

From the Blue Coat Security Blog: http://www.bluecoat.com/blog/major-christmas-e-card-spam-campaign

During the holidays, the Blue Coat Web Filter™ team continues to keep an eye on things, both the results of the various WebPulse™ automated processes and the various data streams that the human analysts monitor. One trend worth remarking on has been a flood of "e-Card" spam in our honeypots. This began a few days before Christmas, and is still continuing.

As it turns out, this will also give me a chance to talk a little bit about a category of software we call "Potentially Unwanted Software" (or "P.U.S." for short).

The spam e-mails' subject line varies, but it's typically something like "[name], Someone sent you a Christmas Card".

The actual body of the e-mail doesn't contain a card, but instead invites you to "Send Cards for Christmas[...] Everyone has email, send them an eCard they'll love, save money on postage."

The spam comes from a variety of constantly changing domains (e.g., familyvalues1b.com, lifepartner1d.com...), and clicking the link inside routes you through about four hidden-relay sites to eventually reach the e-card site.
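The multi-relay routing described above leaves a recognizable shape in proxy logs, and the following added example (not code from the Blue Coat post or from WebPulse) rebuilds per-client redirect chains and flags those that cross several distinct intermediate hosts. The log record layout, the `.example` hostnames, the function names and the `min_relays=3` threshold are all assumptions made for illustration, and only HTTP 3xx redirects are considered.

```python
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

# Constructed proxy log records: (client, requested URL, status, Location header).
# Every hostname is a .example placeholder, not an indicator from the campaign.
SAMPLE_LOG = [
    ("10.0.0.5", "http://cards-a.example/c?id=1", 302, "http://relay1.example/r"),
    ("10.0.0.5", "http://relay1.example/r", 302, "http://relay2.example/r"),
    ("10.0.0.9", "http://news.example/", 301, "http://www.news.example/"),
    ("10.0.0.5", "http://relay2.example/r", 301, "http://relay3.example/r"),
    ("10.0.0.5", "http://relay3.example/r", 302, "http://relay4.example/r"),
    ("10.0.0.9", "http://www.news.example/", 200, None),
    ("10.0.0.5", "http://relay4.example/r", 302, "/toolbar"),
    ("10.0.0.5", "http://relay4.example/toolbar", 302, "http://ecard-site.example/"),
    ("10.0.0.5", "http://ecard-site.example/", 200, None),
]

def redirect_chains(records):
    """Rebuild per-client chains of hosts from time-ordered proxy records."""
    pending = {}   # client -> (hosts visited so far, URL the redirect points to)
    chains = []
    for client, url, status, location in records:
        hosts, expected = pending.pop(client, ([], None))
        if url != expected:          # unrelated request: close any abandoned chain
            if hosts:
                chains.append((client, hosts))
            hosts = []
        hosts = hosts + [urlsplit(url).hostname]
        if status in REDIRECTS and location:
            # Location may be relative, so resolve it against the request URL.
            pending[client] = (hosts, urljoin(url, location))
        else:
            chains.append((client, hosts))
    chains.extend((client, hosts) for client, (hosts, _) in pending.items())
    return chains

def suspicious_chains(records, min_relays=3):
    """Flag chains crossing at least min_relays distinct intermediate hosts."""
    flagged = []
    for client, hosts in redirect_chains(records):
        entry, landing = hosts[0], hosts[-1]
        relays = [h for h in dict.fromkeys(hosts[1:-1]) if h not in (entry, landing)]
        if len(relays) >= min_relays:
            flagged.append({"client": client, "entry": entry,
                            "relays": relays, "landing": landing})
    return flagged
```

The ordinary single-hop redirect from `news.example` to `www.news.example` is not flagged, while the five-redirect chain is reported with its entry domain, relays and landing site.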

WebPulse™ already knew about most of the spam relay sites (I've added the new ones), and also has some interesting information about the e-card site. It turns out to have been on Santa's "Naughty List" for more than six months, ever since one of our analysts noted that the toolbar it wants you to install garnered a lot of hits in virus scanners. The majority of those hits were categorized as Adware/Spyware-type software, which fits in with our P.U.S. category. This analysis was confirmed by a second analyst a couple of months later, who took a deeper look.

We define the P.U.S. category as "Sites that distribute software that is not malicious but may be unwanted within an organization such as intrusive adware and hoaxes." (Where "not malicious" means something like "doesn't deliberately harm/crash your computer, or steal your banking passwords" -- that would clearly be Malware.)

Adware is software that sits on your computer, watches where you go on the internet, and serves you extra ads beyond those normally found on the web sites, often in the form of pop-up or pop-under ads. (This is something different from web-ad sites that use "beacons" on multiple client sites to track your visits and decide which ads you see as part of the pages you visit. While these may still be a privacy concern for you, if they don't install software on your computer, they're not P.U.S.) Adware may sometimes be a legitimate method of "payment" for "free" versions of software. More often, it's an intrusive privacy risk.

P.U.S. is also frequently criticized for "bloating" your computer (consuming too many resources) and slowing it down.

Due to the annoyance, performance hit, privacy concerns, and an overall "shadiness factor", I always recommend that our customers block the P.U.S. category. (Exceptions may always be made, of course, by "whitelisting" particular sites where you've checked out the software and EULA, and feel that the benefits outweigh the risks -- the customer is always in control of what gets blocked.)

This month, due to their behind-the-scenes involvement in a deceptive and unwanted spam campaign, with fake/junk domains and a series of shady relays, we've added a Suspicious rating to the parent site as well. (Just call it a little "Christmas e-Card" of our own.)
