Over the weekend our spamtraps received a large volume of emails pretending to come from Twitter. This time, the social engineering twist lies in the subject of the email: “You have 2 urgent messages from Twitter!”. It creates psychological pressure by suggesting some kind of emergency within the social surroundings of Twitter users. In this way the spammers try to increase the share of users who open the email and click on the links.


The email actually contains two different links pointing to two different domains. The targets do nothing but redirect the browser to the final destination, a fake Canadian Pharma website.

From the source HTML:

[image: code]

The technique used to bypass spam filters is even more interesting. At the beginning of the email we see some domain names, written in white font on a white background. These are not just any domain names, but the most popular websites on the Internet: google.com, yahoo.com, amazon.com and aol.com.


We can observe that extra characters are inserted between the characters that make up the readable text. The green cross is also created using HTML tables.
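A filter can counter both tricks described above (the white-on-white domain names and the filler characters inside the readable text) by separating what the reader sees from what is drawn in the background colour. The following is an added example, not code from the original post: it assumes the hiding is done with `color`/`bgcolor` attributes or inline styles, and `SAMPLE`, `HiddenTextFinder` and `analyse` are hypothetical names with constructed input.

```python
import re
from html.parser import HTMLParser

VOID = {"br", "img", "hr", "meta", "input", "link"}
ALIASES = {"white": "#ffffff", "#fff": "#ffffff", "black": "#000000", "#000": "#000000"}
# Constructed sample imitating the layout described in the post (not the real spam).
SAMPLE = (
    '<body bgcolor="#FFFFFF">'
    '<font color="#FFFFFF">google.com yahoo.com amazon.com aol.com</font>'
    '<p>C<font color="white">x</font>a<span style="color:#fff">q</span>nadian '
    'Ph<font color="#ffffff">zz</font>arma</p></body>'
)

def norm(color):
    c = color.strip().lower()
    return ALIASES.get(c, c)

class HiddenTextFinder(HTMLParser):
    """Split text into what is readable and what is drawn in the background colour."""
    def __init__(self, page_bg="#ffffff"):  # assumption: mail clients render on white
        super().__init__()
        self.stack = [("#000000", norm(page_bg))]  # (foreground, background) per open tag
        self.visible, self.hidden = [], []

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        a, (fg, bg) = dict(attrs), self.stack[-1]
        style = a.get("style") or ""
        m = re.search(r"(?<![-\w])color\s*:\s*([^;]+)", style, re.I)
        fg = norm(m.group(1)) if m else norm(a["color"]) if a.get("color") else fg
        m = re.search(r"background(?:-color)?\s*:\s*([^;\s]+)", style, re.I)
        bg = norm(m.group(1)) if m else norm(a["bgcolor"]) if a.get("bgcolor") else bg
        self.stack.append((fg, bg))

    def handle_endtag(self, tag):
        if tag not in VOID and len(self.stack) > 1:
            self.stack.pop()

    def handle_data(self, data):
        fg, bg = self.stack[-1]
        (self.hidden if fg == bg else self.visible).append(data)

def analyse(html):
    p = HiddenTextFinder()
    p.feed(html)
    p.close()
    hidden = [h for h in p.hidden if h.strip()]
    domains = re.findall(r"\b[a-z0-9-]+\.(?:com|net|org)\b", " ".join(hidden).lower())
    return {"visible": " ".join("".join(p.visible).split()),
            "hidden_domains": domains, "hidden_fragments": len(hidden)}
```

Scoring only the `visible` text, and treating hidden fragments or hidden well-known domains as a signal in their own right, removes the benefit the spammer gets from the padding.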