November 30, 2012

Personalized Letters From "Scamta" Claus

Carl Leonard, Principal Security Analyst

With Christmas fast approaching, the Websense® ThreatSeeker® Network, replete with festive sleigh bells and twinkling lights, has detected a marked increase in spam emails seeking to exploit fans of the big man himself: Santa Claus. While Santa, along with his ever-loyal team of elves, his reindeer, and, of course, Mrs. Claus, are no doubt working their way through the mountain of letters and wish lists from the world’s good little boys and girls, some bad little boys and girls are looking to capitalize on his backlog of correspondence. They claim to offer alternative services to ensure that your "little ones" receive personalized responses from Santa.

As is often the case in today’s unsolicited email world, the links within these emails don’t take you to a reputable and Santa-approved communication facilitator. Rather than being prompted for personal details about your little ones (which in itself poses an interesting discussion of Internet safety and the sharing of personal details with random websites) you’ll probably find that you’re either a winner, or a potential winner, of some new fruit-branded hardware. All you have to do is complete a survey or an affiliate offer.

These methods were discussed in our Black Friday / Cyber Monday Survival Guide, and merely serve to line the scammer's pockets with affiliate referral cash. They also let the scammer harvest your personal data for further use. While our customers are protected from this and other threats by Websense ACE (Advanced Classification Engine), it would be wise to share details of this campaign with friends and family members who might be more likely to be taken with the idea--especially when Rudolph's(?) "winning prize" carrot is dangled.


Messages of this nature that we are currently detecting and blocking appear to be somewhat consistent. Their techniques include:

  • Hiding blocks of text or keywords in the HTML source in an attempt to appear legitimate to automated processes. In this example, the font color is set to white (#ffffff) in order to make it invisible to the person reading the email:

    In this case, the text is taken from the Wikipedia article on Larry Hagman
  • Delivering the main message as an image loaded from a website, as some of the messages we’ve seen recently do. This serves two purposes: first, it makes it difficult for automated processes to read the message, and second, the image request confirms that your email address is active, potentially leading to more spam:

    These men can’t both be Santa Claus!
  • Enticing subject lines to catch your attention and elicit a response:
    • Personal Letter From Santa For Your Child
    • (A) Letter From Santa For Your Child
    • Santa Claus Letters
    • A personal letter from Santa for your little ones
    • Custom Santa Letters 
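
The first two techniques in this list can be checked mechanically on the HTML part of a message. The Python below is an added example, not Websense code: it collects text whose font color is set to white and flags messages that load a remote image while showing very little visible text. The function names, the 40-character threshold and the sample message are assumptions constructed for illustration, and only white text is covered, not other ways of hiding content.

```python
import re
from html.parser import HTMLParser

WHITE = {"#fff", "#ffffff", "white"}
STYLE_COLOR = re.compile(r"(?<![-\w])color\s*:\s*([^;]+)", re.I)  # skips background-color
VOID = {"img", "br", "hr", "meta", "input", "link"}  # tags with no closing tag

class SpamTraits(HTMLParser):
    """Collects visible text, white-coloured text and remote image URLs."""
    def __init__(self):
        super().__init__()
        self.stack = []  # one bool per open element: is its text white?
        self.visible, self.hidden, self.remote_images = [], [], []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "img" and a.get("src", "").lower().startswith(("http://", "https://")):
            self.remote_images.append(a["src"])
        if tag in VOID:
            return
        m = STYLE_COLOR.search(a.get("style", ""))
        colour = m.group(1) if m else a.get("color", "")
        inherited = self.stack[-1] if self.stack else False
        self.stack.append(colour.strip().lower() in WHITE if colour else inherited)

    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        text = " ".join(data.split())
        if text:
            (self.hidden if self.stack and self.stack[-1] else self.visible).append(text)

def analyse(html, min_visible_chars=40):
    """Return the hidden text, remote images and an image-as-message flag."""
    p = SpamTraits()
    p.feed(html)
    return {
        "hidden_text": " ".join(p.hidden),
        "remote_images": p.remote_images,
        "image_only_body": bool(p.remote_images) and len(" ".join(p.visible)) < min_visible_chars,
    }

# Constructed sample, not a captured message; example.invalid is a placeholder host.
SAMPLE = """<html><body bgcolor="#ffffff">
<a href="http://example.invalid/go"><img src="http://example.invalid/santa.jpg"></a>
<p><a href="http://example.invalid/go">Click Here</a></p>
<font color="#FFFFFF">Unrelated filler text copied from an encyclopedia article.</font></body></html>"""
```

Calling `analyse(SAMPLE)` returns the hidden filler sentence, the one remote image URL and `image_only_body` set to `True`; a mail filter would treat these as signals to weigh, not as a verdict on their own.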

Clicking the "Click Here" links within many of these messages directs you to an official-looking web-browser opinion survey, tailored to the browser from which you are viewing the page:

Simple browser detection and IP geolocation techniques are used to appear convincing

Unfortunately, other than the opinion survey, the only personalized item you’re likely to receive from this point on is more spam, scams or empty offers. No amount of form-filling, survey submissions, or offer completions is likely to result in the desired letter from Santa Claus. Therefore, if you are looking to assist Santa with his letter-sending duties, please stick to reputable organizations. Many charities, for example, provide this service legitimately, and your money is much better off in their pocket than in a scammer's!
