‘Love’ Is in the Air
Thursday February 5, 2009 at 1:06 pm CST
Posted by Jeff Green
As the tradition of Valentine’s Day approaches, so does another tradition: Valentine’s Day-themed spam that leads to malware. At McAfee Avert Labs we think everyone by now should know not to click on unlikely links to “love letters” and similar attractions. But we go on doing so. I guess love really does make us blind.
By looking at the number of times we see the word valentine in spam, we can see how the spammers pump up the volume in the run-up to February 14. The following graph shows results for the month of January.

The current wave of Valentine’s Day spam contains links to domains that carry the Waledac Trojan. We are currently monitoring about 100 of these infected domains. Each of the domains is fast-fluxed, so there are hundreds of nameservers and thousands of IP addresses involved. (For more on Waledac, see the recent post from my colleague François Paget.)
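The fast-flux pattern described above (one domain, many rotating IP addresses and nameservers) can be spotted in passive-DNS data. The following is an added example, not code from the original post or from McAfee: the domains, addresses, and thresholds are constructed assumptions, and the short-TTL check reflects how fast-flux records are typically published.

```python
from collections import defaultdict
from ipaddress import ip_network

# Assumed thresholds for this illustration; tune against your own resolver data.
MIN_IPS, MIN_NS, MAX_TTL = 10, 5, 300

def build_sample():
    """Constructed passive-DNS rows: (domain, record type, value, TTL seconds)."""
    nets = ["192.0.2", "198.51.100", "203.0.113"]  # documentation ranges
    rows = []
    # Fluxed domain: answers rotate through many hosts and nameservers, short TTL.
    for i in range(30):
        rows.append(("valentine-card.example", "A", f"{nets[i % 3]}.{10 + i}", 120))
    for i in range(8):
        rows.append(("valentine-card.example", "NS", f"ns{i}.flux-dns.example", 120))
    # Ordinary domain: the same two addresses and nameservers seen repeatedly.
    for _ in range(15):
        rows.append(("florist.example", "A", "192.0.2.5", 86400))
        rows.append(("florist.example", "A", "192.0.2.6", 86400))
        rows.append(("florist.example", "NS", "ns0.florist.example", 86400))
        rows.append(("florist.example", "NS", "ns1.florist.example", 86400))
    return rows

def summarize(rows):
    """Per domain: distinct A-record IPs, /24 networks, nameservers, lowest A TTL."""
    stats = defaultdict(lambda: {"ips": set(), "nets": set(), "ns": set(), "min_ttl": None})
    for domain, rtype, value, ttl in rows:
        s = stats[domain.lower().rstrip(".")]
        if rtype == "A":
            s["ips"].add(value)
            s["nets"].add(str(ip_network(f"{value}/24", strict=False)))
            s["min_ttl"] = ttl if s["min_ttl"] is None else min(s["min_ttl"], ttl)
        elif rtype == "NS":
            s["ns"].add(value.lower().rstrip("."))
    return dict(stats)

def flag_fast_flux(rows):
    """Return domains whose answers churn across many IPs and nameservers."""
    flagged = []
    for domain, s in summarize(rows).items():
        if s["min_ttl"] is None:
            continue  # no A records observed, nothing to judge
        if len(s["ips"]) >= MIN_IPS and len(s["ns"]) >= MIN_NS and s["min_ttl"] <= MAX_TTL:
            flagged.append(domain)
    return sorted(flagged)

if __name__ == "__main__":
    for name, s in summarize(build_sample()).items():
        print(name, len(s["ips"]), len(s["nets"]), len(s["ns"]), s["min_ttl"])
    print("flagged:", flag_fast_flux(build_sample()))
```

Content delivery networks also rotate addresses with short TTLs, so treat a hit as a lead to investigate rather than a verdict.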
Many of the Waledac techniques and features are very similar to those of the well-known Nuwar/Storm Trojan. At this time last year Nuwar was pumping out Valentine’s spam that looked like this:


And today Waledac spam looks like this:


Subjects such as “Deeply in love with you,” “I Knew I Loved You,” and “I Love Being In Love With You,” followed by a short URL in the body are typical of these attempts, which point to sites that offer a little Valentine’s malware. By all means send love notes to your honey before and on Valentine’s Day, but don’t fall for these transparent, annual attempts that lead only to tears.
(Thanks to my colleagues Kevin McGhee and Dmitry Gryaznov for their contributions.)

February 9th, 2009 at 08:10
[...] Following our last week’s warning of the possible scams related to the approaching Valentine’s Day, to no surprise, today we’ve seen another new [...]
February 11th, 2009 at 08:00
[...] AVERT Labs – Love is in the air and in your inbox http://www.avertlabs.com/research/blog/index.php/2009/02/05/love-is-in-the-air/ [...]
February 11th, 2009 at 08:09
I have a spam message that states that it is a Microsoft alert…I am afraid to open it for fear it is fake…can you advise?
February 14th, 2009 at 03:03
[...] message or “Open this file for free Valentine Gifs” possibilities are endless. According to McAfee’s Security Lab it’s way easy to get infected than any other day because of more treats hiding behind almost [...]