Researchers at TrustWave Spider Labs have found a new wave of spam campaigns that are from the same spam botnet and has been dubbed “Chameleon,” since it changes its email templates. The researchers began tracking the campaign on August 14th, 2019 and observed that this campaign resembles phishing emails. However, the messages have random headers. The messages may come from different geographic sources, but they use unique SMTP transaction commands on the connection. The name Chameleon comes from the randomized email headers with meaningless text inserted in random positions within the email header. The subject line and the body of the spam emails are kept brief and meaningful to trick possible victims into clicking the embedded link. Most of the URLs used appear to be from compromised WordPress sites. That spam botnet sends variants of emails which include fake job offers, fake airline booking invoices, fake Google personal or private messages, fake security alerts, and many more. Some of the spam messages contain subject lines such as message notifications, shipping notifications, security alerts, and broken email notifications. It is also worth noting that even though the scammers are using compromised WordPress sites to distribute the spam messages, all the malicious links have code in them to redirect information to the attacker’s malicious infrastructure.
As with any email spam campaign, users should adopt a zero-trust policy. A zero-trust policy is simple–if the user does not trust the source, then the email should be verified before clicking any link that’s embedded in the email. If the email cannot be verified then it should be deleted.