Symantec recently observed a pharmaceutical spam campaign abusing the YouTube brand. Similar spam campaigns abusing popular brands have been seen in the past, but the email volume observed in this particular spam attack has been immense.
Sample From and Subject lines observed in this spam attack are below.
· From: YouTube Service <firstname.lastname@example.org>
· Subject: YouTube Administration sent you a message: Your video on the TOP of YouTube
· Subject: YouTube Service sent you a message: Best Unrated Videos To Watch
The spam messages either state that the recipient’s video features as a top video on YouTube, or that the recipient’s particular video has been removed due to a terms-of-use violation.
The text, accompanied by URL links in the message body, as in most cases, is the call to action in this spam campaign. The included URLs which appear to link to YouTube are in fact spam URLs hosted on a hijacked domain. When clicked, all URLs redirect to a Canadian pharmacy Web page (screenshot below) hosted on a recently created domain owner by the spammer. The spammer, ironically, has placed a link to report spam which is just another redirect to the same pharmacy Web page. YouTube is obviously NOT behind this spam campaign, nor does it send out any emails that lead to Web pages endorsing such products.