Home Articles Understanding the New Chameleon Spam Campaign

Understanding the New Chameleon Spam Campaign


According to researchers, the new Chameleon spam campaign is known to often changes email templates. Read on to know more…

According to researchers from Trustwave, cybercriminals are using a high-volume spam campaign featuring phishing messages with randomized headers and changing templates to attack organizations. The new Chameleon spam campaign is known to often changes email templates. Researchers spotted the new wave of various spam campaigns that are from the same spam botnet.

Chameleon spam messages originated from across the globe and had similar unique email header and body characteristics indicating that they were being sent from the same botnet. The subject lines and body of the spam emails are kept brief and meaningful in order to lure unsuspicious victims. Researchers started tracking the spam emails sent from the botnet since August 14, 2019, and observed that this spam campaign often resembles phishing emails, however, the messages have randomized email headers.

• The spam messages originate from geographically distributed sources, however, they used similar unique SMTP transaction commands on connection.
• The spam messages have randomized email headers with meaningless text that are inserted at random positions within the email header.
• The subject lines and body of the spam emails are kept brief and meaningful in order to lure unsuspicious victims to click on the embedded link.
• Most of the URLs embedded in these spam emails appear to be of compromised WordPress sites.
• The email body HTML has random HTML elements inserted at random positions within legit HTML tags.

Working Mechanism
The spam emails included embedded URLs. Upon examining the URLs, researchers determined that the scammers used compromised WordPress sites as intermediary nodes to host part of their infrastructure on. A redirector JavaScript code is hosted on such compromised WordPress sites in order to route traffic onto the malicious infrastructure.

Researchers said that “Clicking and following the embedded links in the spam message we noticed that our test browser was bounced off a couple of redirector sites before it reached the final landing page. Looking closer, we observed that all the spam links pointed to initial redirector pages hosting the same JavaScript content,”

Researchers noted that the spam botnet sent out variants of spam emails, which include:

• Fake job offer emails
• Fake Google personal or private messages
• Fake email account security alerts
• Fake broken or undelivered email messages from a mail server
• Fake LinkedIn message and profile view messages
• Fake FedEx delivery notifications
• Fake airline booking invoice emails

Some of the subject lines used in these spam emails include:

• Hi! do you need a job? (Margarida, ex.colleague)
• Message notification
• You have two broken emails
• Security alert for your LinkedIn profile
• A package containing confidential personal information was sent to you

The Trustwave Secure Email Gateway detects and blocks Chameleon emails and other spam campaigns. This solution offers zero-day protection against phishing, blended and targeted threats, along with business email compromise (BEC) and data loss prevention (DLP) capabilities.

In addition, security awareness training provider KnowBe4 in April released Phishing Reply Test (PRT), a tool that helps organizations determine if their employees will respond to phishing emails. PRT tests employees on common targeted phishing attack scenarios and provides details about the number of employees who fall victim to these attacks.


Please enter your comment!
Please enter your name here

42 + = 50