Cybercriminals Use .Avi and .Mp3 Extensions in Pharma Spam Links

[Matsuda]

Symantec researchers have come across an interesting spam campaign that’s designed to lure users to rogue pharmacy websites.

It all starts with emails that bear subjects like these:

- Here Comes the Sun 1969
- Soldier of Love (Lay Down Your Arms) 1963
- For No One 1966
- Misery 1963
- Lucy in the Sky with Diamonds 1967
- From Me to You 1963
- Look! I found this!

In many cases, the body of the email contains just a link that appears to point to YouTube. If users hover with the mouse over the YouTube URL, they’ll see that it points to something like domainname.fr/32131.mp3 or domainname.com/fox.avi.

Here are some other URLs identified by Symantec:

www.[DOMAIN].com/Fox.avi
www.[DOMAIN].com/Yamamoto.avi
www.[DOMAIN].vn/Larue.avi
www.[DOMAIN].com/McAlear.avi
www.[DOMAIN].ru/87342.mp3
www.[DOMAIN].ru/327182.mp3
www.[DOMAIN].fr/472738.mp3
www.[DOMAIN].com/165137.mp3


Most of the domains were registered in Europe, the websites being hosted on servers located in Ukraine. According to experts, this technique is used for two main reasons: to bypass spam filters and to trick users into thinking that they’re about to access a media file.



Source