
Shockwave Spam – SWFPages

By David Cawley | 2 minute read

A spam, phishing or malware e-mail needs to have a “call to action”. The campaign is only profitable if there’s some way of taking orders, collecting private data or having malicious code execute. The exception to the rule could be the case of a Directory Harvest Attack where blank messages are sent for the purpose of identifying future accounts to target – spammer lead generation!

In the case of Traffic Shaping the actual content of the message doesn’t matter, but content filtering often relies on the call to action, which is specific to the spam campaign. In many cases the method of choice is to provide a URL, as it takes far less bandwidth to send than an attached file. The problem for the spammer is that the domains used become blocklisted within a few hours and are then worthless.

A common way to try to get around this issue is the use of redirects: if the domain listed in the message has a good reputation, it’s less likely to be flagged by content filtering. Over the years many major sites provided open redirects that were abused by spammers, but this isn’t as common now. However, in recent months there has been a move towards more sophisticated redirects, such as the Gheg botnet using Microsoft’s Live Filestore system to redirect via JavaScript.

One of the more interesting redirects is the use of SWF (Shockwave Flash) files to redirect to a spam site. In August there were a number of media stories about the use of SWF files hosted on ImageShack. I was beginning to think this trend had passed, until I recently checked the spam honeypot and saw some new spam campaigns using a similar technique.

The messages received link to an SWF file hosted at swfpages.com. Being curious, I downloaded one of the files and decompiled it to see exactly what it did:

movie '/Path/90984fiavaky.swf' {
  // flash 6, total frames: 1, frame rate: 50 fps, 971×221 px, compressed
  // unknown tag 777 length 3
  frame 1 {
    this.getURL('http://apotheke-total64.com/');
  }
}

As you can see, the SWF does nothing but call getURL to send the browser to the listed site, which promotes Canadian pharmacy meds. So it looks like this attack vector is here to stay for a little while longer…
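As an added example (not the author's tooling or code from the page), here is a small Python triage script that does what the decompiler step above did by hand: it walks the SWF tag stream (both raw FWS and zlib-compressed CWS files) and pulls literal URLs out of DoAction tags, so a mail gateway or analyst can recover the redirect target without ever running the Flash content. The one-frame sample SWF it builds and its example.invalid URL are constructed placeholders.

```python
import struct
import zlib

DO_ACTION, ACTION_GETURL, ACTION_PUSH = 12, 0x83, 0x96

def swf_tags(data: bytes):
    """Yield (tag_code, body) for every tag in an FWS (raw) or CWS (zlib) SWF."""
    if data[:3] == b"CWS":
        data = data[:8] + zlib.decompress(data[8:])
    elif data[:3] != b"FWS":
        raise ValueError("not an SWF file")
    nbits = data[8] >> 3                      # RECT: 5-bit Nbits, then 4 fields
    pos = 8 + (5 + 4 * nbits + 7) // 8 + 4    # skip RECT, frame rate, frame count
    while pos + 2 <= len(data):
        hdr = struct.unpack_from("<H", data, pos)[0]
        code, tlen, pos = hdr >> 6, hdr & 0x3F, pos + 2
        if tlen == 0x3F:                      # long form: 32-bit length follows
            tlen, pos = struct.unpack_from("<I", data, pos)[0], pos + 4
        yield code, data[pos:pos + tlen]
        pos += tlen

def extract_redirect_urls(data: bytes) -> list[str]:
    """Collect literal URLs from ActionGetURL and string pushes inside DoAction tags."""
    urls = []
    for code, body in swf_tags(data):
        if code != DO_ACTION:
            continue
        pos = 0
        while pos < len(body) and (op := body[pos]) != 0:   # 0 = ActionEnd
            if op < 0x80:                     # short actions carry no payload
                pos += 1
                continue
            alen = struct.unpack_from("<H", body, pos + 1)[0]
            payload = body[pos + 3:pos + 3 + alen]
            if op == ACTION_GETURL:           # UrlString NUL TargetString NUL
                urls.append(payload.split(b"\x00", 1)[0].decode("latin-1"))
            elif op == ACTION_PUSH and payload[:1] == b"\x00":  # first push, type 0 = string
                s = payload[1:].split(b"\x00", 1)[0].decode("latin-1")
                if s.lower().startswith(("http://", "https://")):
                    urls.append(s)
            pos += 3 + alen
    return urls

def build_sample_swf(url: str, compress: bool = False) -> bytes:
    """Constructed one-frame SWF whose only tag is DoAction -> ActionGetURL(url)."""
    body = bytes([ACTION_GETURL]) + struct.pack("<H", len(url) + 2) + url.encode() + b"\x00\x00\x00"
    tags = struct.pack("<HI", (DO_ACTION << 6) | 0x3F, len(body)) + body + b"\x00\x00"  # + End tag
    payload = b"\x00" + struct.pack("<HH", 50 << 8, 1) + tags   # empty RECT, 50 fps, 1 frame
    hdr = bytes([6]) + struct.pack("<I", 8 + len(payload))      # version 6, uncompressed length
    return (b"CWS" + hdr + zlib.compress(payload)) if compress else (b"FWS" + hdr + payload)
```

Run against a real sample, the URL list is what you feed to your URL reputation checks or blocklist, while the SWF itself never leaves the sandbox.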
