In the past few weeks, we’ve seen drastic and noteworthy increases in the volume of health-related spam in the wild. Prior to September, this type of spam was relatively rare. However, as September began, the volume suddenly increased. Over the next few weeks, health-themed spam constituted 30% of the spam we saw, with an average of more than 2 million samples seen daily.
These messages use different forms and templates, including online articles about losing weight, high-profile newsletters, and outright email advertisements peddling fake fitness products. Many of these messages claim to be from reputable news organizations like CBS, CNBC, CNN, the New York Times, and USA Today.
Figures 1 and 2. Medical-themed spam messages
They contain links that may lead users to a variety of dubious sites, including those selling fake products or involved in survey scams. Our research indicates that these messages were sent from a variety of countries, including India (10%), Spain (8%), Italy (7%) and the United States (6%).
Overall, we’ve seen that these spam messages link to almost half a million distinct URLs. However, these URLs resolve to relatively few IP addresses. Two countries – the United States and Japan – accounted for the vast majority of traffic to these IP addresses:
Figure 3. Distribution of user traffic
We continue to look for indicators to determine the cause of this increasing traffic. It’s worth noting that this took place right after the Blackhole Exploit kit author’s arrest and the start of the registration period for the Affordable Care Act/Obamacare in the United States.
Health and fitness is one of the common social engineering themes used by spammers to lure users into their schemes. Aside from the typical pharmaceutical company newsletter and weight-loss types, cybercriminals have tried using topics like Obamacare and even laboratory results.
The continuous presence of this threat shows that spam is still a crucial part of today’s threat landscape. Users should remain extremely careful when opening messages from unverified sources. Relying on an email’s appearance is no longer an effective method for separating the wheat from the chaff. Trend Micro is continuously working to detect these threats.
With additional insights from Paul Pajares