McAfee Avert Labs has recently seen spammers start to use Microsoft Word documents and HTML attachments to deliver their advertising payload. By moving the advertising content, most importantly the URL link, into an attached document rather than the body of the email message, spammers are able to evade some of the Anti-Spam vendors’ content filtering techniques. This works because most vendors don’t scan content inside attachments, as this has previously not been necessary.
Microsoft Word is a convenient format because it supports clickable links and most recipients will have Word installed or would be able to open the document with another compatible word processor. This is the format chosen recently by a spammer, Leo Kuvayev / BadCow, who is plugging pharmaceuticals using web sites hosted in China. This spammer sends out what appears to be an invoice/bill:

When recipients click on the attachment, they get the spam payload, which advertises the spammer’s pharmaceutical site:

We saw the first samples of this in our traps around the 22nd August, and we are still seeing them today. As expected, the spammer is varying the attachment file name, email body text and subject in nearly every batch of the messages sent, for example:
Subject: Billing Update, Bill #90023
Forward original invoice with attached invoice transmittal sheet to the contracting officer.
DATED MATERIAL,INVOICE ATTACHED
Subject: Your receipt for Invoice #25826
Credit memo attached to deleted payment receipt cannot be applied to different invoice.
Software order has a Related invoice attached with prepayment information.
Subject: Confirm amount of charges for Claim #59703
“Invoice” hence shall mean the invoice attached to this Agreement.
You MUST show and review the UCAR Invoice Number.
Subject: Filed under your account via Statement #67345
This is to acknowledge receipt of your letter (with attached invoice) of August 2006.
Potential fraud alert, please review invoice to prevent further action on your account.
The attachments for these samples have filenames similar to: Bill90023.doc, Invoice25826.doc, Claim59703.doc and Statement67345.doc, but the attachments remain the same so simple checksums are effective for now.
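The checksum approach mentioned above, as an added example that is not part of the original post: it hashes the decoded attachment bytes, so the changing subject, body and file name do not matter. The document bytes, the blocklist and the helper names are constructed for illustration; the subjects and file names are the ones quoted above.

```python
import hashlib
from email import message_from_bytes
from email.message import EmailMessage

# Constructed stand-in for the spam document (OLE2 signature plus filler bytes);
# no real sample is reproduced here.
SPAM_DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"constructed spam payload " * 8

# Blocklist of SHA-256 digests of known spam attachments (one constructed entry).
BLOCKLIST = {hashlib.sha256(SPAM_DOC).hexdigest()}


def build_message(subject, body, filename, doc_bytes):
    """Build a constructed sample message carrying one Word attachment."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(doc_bytes, maintype="application",
                       subtype="msword", filename=filename)
    return msg.as_bytes()


def blocked_attachments(raw_message):
    """Return the file names of attachments whose content is on the blocklist."""
    hits = []
    for part in message_from_bytes(raw_message).walk():
        if part.get_content_disposition() != "attachment":
            continue
        # Hash the decoded bytes, not the base64 text, so differences in
        # transfer encoding or line wrapping do not change the digest.
        payload = part.get_payload(decode=True) or b""
        if hashlib.sha256(payload).hexdigest() in BLOCKLIST:
            hits.append(part.get_filename())
    return hits


if __name__ == "__main__":
    batch = [
        ("Billing Update, Bill #90023", "DATED MATERIAL,INVOICE ATTACHED",
         "Bill90023.doc", SPAM_DOC),
        ("Your receipt for Invoice #25826", "Software order has a Related invoice attached.",
         "Invoice25826.doc", SPAM_DOC),
        # Same campaign text, but one byte appended to the document.
        ("Confirm amount of charges for Claim #59703", "Please review invoice.",
         "Claim59703.doc", SPAM_DOC + b"\x00"),
    ]
    for subject, body, name, doc in batch:
        print(name, blocked_attachments(build_message(subject, body, name, doc)))
```

The third message shows the limit of exact checksums: any change to the attachment bytes produces a different digest, so the match only holds while the attachment itself stays fixed.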
We may see this technique adopted by other spammers, and it may also spread to other popular formats such as PDF. While there are plenty of other characteristics of this spam that can be used to block it, it is yet another incremental step by spammers to attempt to make detection harder. To keep up with this, Anti-Spam vendors may need to add attachment scanning to their solutions, which would require additional processing power on customers’ email servers. In addition, the attachments mean spam is getting bigger. The messages in the current campaign are only 35k in size, but Word documents are well known for growing very quickly in size. A rise in document spam would mean recipients’ mailboxes and servers clog up faster, worsening the burden that spam puts on us all.
Where there’s a will, there’s a way. Spammers will always find a way.
Hello:
Check out what the government is pushing in Mobile Content. Maybe we can catch up with the rest of the world in terms of cell phones.
Thanks