Posted by: Barracuda labs
While perusing my spam folder today, I came across the following run-of-the-mill pharmacy email:
From: Hilda McIntyre < email@example.com >
Date: Tue, Jun 30, 2009 at 8:20 AM
Subject: Unbeatable Pharmacy Offers!
To: < redacted >@gmail.com
An Incredible Canadian Pharmacy is available at your Fingertips!
*No~Doctor~Needed*! Browse our Site Today! -> hxxp://skincarry.com
skincarry.com currently resolves to IPs (e.g., 220.127.116.11) that map back to hundreds of other domains (e.g., *.fnueukej.cn, *.fbaiuaao.cn) hosting the same fake Canadian pharmacy website; the domains exist in part to help spammers get their solicitations past email filters. Not surprisingly, no part of the order process on this site uses SSL, so credit card information and other personal data are sent from the browser as unencrypted plain text. However, the wholly fraudulent nature of the site and the operators behind it is not what I wanted to talk about today.
At the top of the site is a picture of fireworks, with text underneath that offers preemptive congratulations on the upcoming July 4th holiday.
July 4th Banner
While the above banner is a slightly boring twist on an all-too-familiar social engineering tactic, its presence should serve as a warning. For the past several years, most major holidays in the United States have been accompanied by waves of malicious email that leverage a given event's popularity to compromise the systems of unsuspecting users. Independence Day is no exception: past uses have included campaigns by botnets as ubiquitous as Storm. Users should be especially diligent when handling holiday-related emails this weekend, as invariably, some will receive messages whose sole purpose is to place malware on their computers.