Sophos Cloud Optix
The Canadian Pharmacy gang has added a new repertoire to their arsenal – this time they’re using Rich Text Format (RTF) files attached to the messages.
The RTFs, when opened, looks like this:
The domain names have a pattern of %randomletters%%randomdigits%.ru. This is a domain pattern we had seen before in the wavy image and mp3 Canadian Pharmacy campaigns. Back then, they were using domains from the .com TLD instead of the .ru TLD.
The text in the RTF is also quite familiar: We saw the same Viagra/Cialis text placed in the “From” address field in a random bodied spam messages back in February.
In terms of the message body itself, we detected 3 different variants.
First up is a variant with random text in the body, multipart/mixed content type with the RTF file placed into the message as an attachment:
The second variant does away with the randomized text and goes with a direct attachment of the RTF – content type is application/octet-stream or application/rtf with a random word as attachment name:
The final variant looks to be a mistake on the spammers’ part. It uses content type text/rtf. When the content type is text/ most mail clients would render it like the following:
This raw rtf content is probably not what the spammers intended for their audience to see.
In all cases, the rtf file name is randomized and multiple spam domains are used in order to avoid detection. I am not entirely sure myself how successful this campaign would be. Unlike images, most mail clients would not automatically render the RTF files and so requires an external program to run. A reader would have to explicitly allow the launching of a RTF reader like Microsoft Word in order for the spam content to show up.
Most readers are already smart enough not to open up spam messages. Even if they did open up the message, I hope they stop when the prompt for using an external program shows up. Otherwise, the attachment could easily have been a pdf containing Mal/Koobface and the recipient would have a much bigger problem than just a spam message.