Spam report: May 2012

May in figures

• The amount of spam in email traffic decreased by 3.4 percentage points compared to April and averaged 73.8%
• The share of phishing emails remained unchanged from April’s figure, accounting for 0.01% of all mail traffic
• Malicious files were found in 3.2% of all emails, an increase of 0.4 percentage points compared with the previous month

Spam in the spotlight

Spam for mom and dad

Two international holidays – Mother’s Day and Father’s Day – are celebrated in May and June. The dates are different for different countries, but in most they fall on the second Sunday in May and the third Sunday in June respectively.

In 2012 quite a few Western European countries, Canada and the USA celebrated Mother’s Day on 13 May. Spammers usually make quite an effort in the run-up to this holiday because, after Valentine’s Day, it is the most popular date for mass mailings by partner programs offering flowers. Another type of partner program also advertised gifts for Mother’s Day.

Distributors of conventional partner spam offering fake designer watches and accessories also took advantage of the holiday. However, they are more interested in Father’s Day. This year in the majority of Western European countries and North America it will be celebrated on 17 June and the spammers have already started offering replicas of expensive watches as presents for fathers and grandfathers.

Chinese spam

Over the last few months spam traffic has regularly included messages offering the chance to cooperate with the manufacturers of various goods from China or with people willing to resell Chinese goods.

The format of these emails usually resembles that of ‘Nigerian’ spam: a short text promising a very profitable partnership with a representative of a rapidly developing market and an email address so potential clients can get in touch.

In May, we received an interesting message from a “Chinese manufacturer”. These sorts of emails don’t usually describe the exact type of production, simply mentioning abstract “plastic items” or “textiles”. However, this particular message was sent on behalf of a “socks manufacturer”.

It is safe to say that these emails from Chinese “manufacturers” or “suppliers” are part of a new type of fraud that is evolving against the backdrop of a strengthening Chinese economy. The fraudsters are actively exploiting the interest shown by investors in the Chinese market. Often, businessmen looking for contacts with Chinese manufacturers end up meeting these scammers who make off with their money and are never heard of again. Even if the fraudsters do use legitimate sources of information, it is unlikely that an honest Chinese businessman would try to find an investor by spreading spam.

Statistical summary

Sources of spam by country

Previously, Kaspersky Lab presented world-wide statistics on the sources of spam by country. In our report for May 2012 we begin publication of statistical data on spam sources for different regions. Below are the Top 20 ratings for the countries that sent most spam to Europe and the USA in May.

Top 20 sources of spam sent to European users in May 2012

In May, almost a quarter of all spam received by European users originated from China (25.4%). Interestingly, only one European country – the UK in 17th place – made it into the regional rating.

More than half of all the spam distributed in Europe came from Asia and about one fifth came from Latin America.

The rating of the Top 20 countries which distributed spam on US territory in May significantly differs from the European one. The USA topped the rating – one third of all US spam is “home-made”. Nearly the same quantity of spam is of Asian origin.

Top 20 sources of spam sent to US users in May 2012

The Top 20 sources of spam sent to the USA in May 2012 includes five European countries – Russia (2.7%), the UK (2.1%), Ukraine (1.1%), Poland (1.1%) and Germany (0.9%). Notably, three out of these five are Eastern European countries.

Malware in mail traffic

In May malicious files were found in 3.2% of all emails, an increase of 0.4 percentage points compared with the previous month.

Distribution of email antivirus detections, by country

Distribution of email antivirus detections by country, May 2012

Since the beginning of 2012 the USA has topped the rating of email antivirus detections. In May, the share of Kaspersky Mail Antivirus detections increased by 0.68 percentage points compared to April.

Vietnam fell back to 4th place after rising two places in April. In May, the share of antivirus detections in Vietnam fell by 4.1 percentage points, while increases in two Western European countries – Germany (+6.1 percentage points) and the UK (+1.9 percentage points) – saw them come second and third respectively. Another European country, Italy, completed the top five after its share grew by almost a full percentage point.

In May, Australia and Hong Kong’s contribution to the total amount of antivirus detections fell by 3.9 and 3.4 percentage points respectively. At the same time, it’s worth pointing out that the combined share of email antivirus detections for China and Hong Kong in May exceeded 8.5%.

The contribution of the other countries fluctuated within a range of 2 percentage points compared to April.

Top 10 malicious programs spread via email in May 2012

Top 10 malicious programs spread via email in May 2012

Rating leader Trojan-Spy.HTML.Fraud.gen accounted for 8.8% of all detections, a decrease of 4.9 percentage points compared with the previous month. This Trojan uses spoofing technology and appears in the form of an HTML page. It comes with a phishing email containing a link to a fake site resembling that of a well-known bank or e-pay system where the user is asked to enter a login and a password.

This rating’s long-term residents Mydoom.m, NetSky.q and Bagle.gt occupied second, fourth, and eighth places respectively in May. The first two mail worms have only two functions – to harvest email addresses and send copies of themselves to these addresses. Bagle.gt, yet another mail worm in the Top 10, in addition to the usual functionality downloads malicious programs from the Internet. Incidentally, mail worms are the most popular type of malware detected in developing countries.

As was the case two months ago, two malicious programs in May’s rating are rogue antivirus programs belonging to the Fraudload family. Their main function is to extort money from the user of an infected computer.

Phishing

The share of phishing emails remained unchanged from April’s figure, accounting for 0.01% of all mail traffic

Top 100 organizations, by sphere of activity, targeted by phishers in May 2012
(based on anti-phishing component detections*)

*This rating is based on our anti-phishing component detections activated every time a user attempts to click on a phishing link, regardless of whether the link is in a spam email or on a web page.

In May, financial organizations (24.5%) regained their status as the most attractive target for phishers: the amount of attacks on banks and e-pay accounts increased by 0.9 percentage points compared with April’s figure.

Last month’s leader – social networking sites – dropped to 2nd place though its contribution was just 0.08 percentage points less than that of the financial sector. Despite the fact that in May the share of attacks on social networking sites fell by nearly 4.5 percentage points compared to the previous month, around 20% of all phishing attacks targeted Facebook. This underlines the fact that Facebook remains one of the phishers’ prime targets while their interest in other social networking sites is waning.

In May, the proportion of attacks on online games remained unchanged. Meanwhile, online stores and e-auctions bore more of the brunt of phishing attacks (+2.1 percentage points) compared with the previous month.

The share of the other categories changed insignificantly – within a range of 1.5 percentage points.

Spam by category

Spam by category in May 2012

May saw continued growth in the share of the Personal finance category (+3.9 percentage points) which ended the month in 2nd place in the rating, while the share of the Computer fraud category decreased by 2.8 percentage points from the previous month.

The share of the Casino category also fell, by 2.4 percentage points. Overall, in May the amount of fraudulent emails in English-language spam remained high despite a slight decrease.

Considering the holiday season is upon us there was a significant and quite unexpected decrease in the share of the Travel and tourism category (-3.6 percentage points) compared to April.

Conclusion

In May, the proportion of spam in mail traffic decreased considerably. This could be down to a seasonal fluctuation. If that is the case, spam will remain at a low level until August. However, this may be a systemic phenomenon, and in that case the share of spam in mail traffic will soon drop below 70%. In absolute figures a drop of 3.4 percentage points is a serious decline which makes up about 15% of the total quantity of spam emails.

In May, the Travel and tourism category showed some unusual behavior. It is difficult to say whether its share will increase in June: the holiday season has always been a catalyst for this type of spam, but mass mailings offering beach holidays are usually most prevalent in May which didn’t happen this year.

Despite the fact that social networking sites gave way to financial institutions when it came to the most popular phishing targets, about 20% of all phishing attacks were aimed at Facebook users. And it appears that apart from an increase in online gaming and use of social networks, phishers see a link between the start of the summer holidays for schools and universities and online shopping. At least in May the share of phishing attacks on this sector rose considerably.