Spam and phishing reports

Spam in August 2013

August in figures

  • The percentage of spam in email traffic in August was down 3.6 percentage points and averaged 67.6%.
  • The level of phishing increased tenfold compared with July, and averaged 0.013%.
  • Malicious attachments were found in 5.6% of all emails, an increase of 3.4 percentage points compared to the previous month.

Spam in the spotlight

In August 2013, spam became much more dangerous: the number of fraudulent and malicious emails increased significantly against a noticeable drop in the overall percentage of spam.

In the run-up to the new school year, ‘Back to School’ became one of the most popular themes for the spammers – in August we detected adverts for all kinds of school supplies. There was also a lot of spam relating to sports and healthy lifestyles. Auto traders also resorted to the spammers’ services with car sales, along with related services and accessories, also prominent in mass mailings.

Spam for motorists

For many people an automobile is not just a means of transportation – it’s almost a way of life, demanding substantial time and money. Spammers are eager to exploit people’s interest in cars: in August, we registered a number of promotional mass mailings which, in addition to the standard offers of sales and repairs, included some very original auto-related offers. For example, the authors of one mass mailing invited recipients to join a master class on making cakes in the shape of a car.

However, English-language spam most often contained advertisements of cheap car rental services and sales of leading auto brands.

 

Labor Day

On the first Monday of September the United States celebrates Labor Day. Most Americans consider it the symbolic end of the summer and a traditional time for summer sales and discounts. Of course, spammers are quick to take advantage: throughout August, they actively spread emails advertising discounts on cars and medications. To attract more attention and convince users not to postpone a purchase, the spammers sent out messages containing a special code promising an extra discount.

 

Back to school!

As might be expected, for spammers around the world August’s motto was “Back to School”. The beginning of the new school year became the theme of the month as all kinds of school supplies were promoted online.

However, in some cases, the advertised goods had nothing to do with the education process – the spammers simply used this topic to attract attention to whatever it was they were advertising. For example, we registered a mass mailing offering skincare products. Perhaps looking to ensure the yummiest of mummies on the school run, spammers offered fast-working cosmetics which claimed to effect miraculous changes before the first bell rang. These emails contained a long link which redirected users to a site where they were asked to select the region of delivery. In turn, the selection of the region activated a page with the seller’s contact details. At the same time, the domains used in the redirections did not operate for more than one week after the launch of the mass mailing.

 

“Are you still brown bagging school lunches?” read the header of another mailing. This mailing exploited the school theme to advertise special packages designed to keep food fresh. The authors of the message promised that the pack could keep food cold and fresh for up to 10 hours. The links in the emails consisted of single domains created within the previous month.

 

In August, we continued to register mass mailings advertising online education. But instead of the mailings from previous months which offered master’s and doctoral programs, the run-up to the new school year saw offers for failed pupils to complete their high school studies online.

 

The authors of the unsolicited emails highlighted flexible schedules and the opportunity to work from home as the key advantages of online education. For more information, the recipients were redirected to a foreign website where, in addition to degree programs, other non-educational services were presented.

Medical spam

A significant share of August’s spam contained health-related messages.  Weight-loss pills remain one of the most popular themes. Last month we came across mass mailings linked to these both on the RuNet and on the English-language Internet.

English-language mass mailings advertising weight-loss pills typically contained a link based on a recently created domain. This link varied from email to email. By clicking the link the user was redirected to a site with detailed information about the pills, the purchase terms, etc. The text came with a promotional video which demonstrated the miraculous properties of the pills and offered endorsements from people who had allegedly tried them.

 

Russian-language messages generally contained a short link redirecting the user to an advertising site. They often provided contact data for ordering goods.

 

The geographical distribution of spam sources

In August 2013, the Top 3 sources of worldwide spam looked like this: China remained in 1st place with 21% of all distributed spam, a decline of 2.4 percentage points from the previous month; the USA came 2nd, having distributed 19% of world spam, an increase of 1 percentage point compared to July; South Korea was 3rd, averaging 15.4% (+0.4 percentage points). In total, these three countries accounted for 55% of global spam.

 

As in July, Taiwan occupied 4th place, contributing 5.5% to the world spam flow, up 0.1 percentage point. Russia’s share grew by 2 percentage points, accounting for 4.3% and moving it from 10th to 5th overall.

Japan (1.8%) also moved up five places after a rise of 0.9 percentage points lifted it to 11th. If that growth trend continues in the coming month, Japan might break into the top 10 most active distributors of global spam.

The other Top 10 members maintained their positions in the rating with negligible fluctuations in their contributions.

 

In August, South Korea remained the leading source of spam sent to European users (60%): its share grew by 2.6 percentage points. It was followed by Taiwan (4%) and the US (3.9%).

Russia (2.8%) occupied 4th position in August’s rating: its share grew by 1.8 percentage points – enough to climb 10 places. Vietnam’s contribution (2.7%) fell 0.7 percentage points compared with the previous month and meaning it fell to 5th place in the rating.

The Top 10 also included Indonesia (1.7%) which was in 8th position in August while Romania (1.4%) left the rating having dropped from 6th to 11th place. Germany (1.5%) came 10th with almost no change from the previous month.

In August the spam flows from the Asian region became slightly more active, seeing Thailand (0.9%), Singapore (0.6%) and Japan (0.6%) enter the rating of the 20 leading sources of spam sent to European users.

 

In August, Asia (55.2%) remained the leading regional spam source. As in the previous month, the Top 3 also included North America (21%) and Eastern Europe (14%): there was no serious change in the amount of spam originating from these countries except for North America where the share grew by nearly 1 percentage point. Western Europe (4.6%) and Latin America (3%) came 4th and 5th respectively.

Malicious attachments in email

In August, malicious attachments were detected in 5.6% of emails, an increase of 3.4 percentage points from July.

 

Trojan-Spy.html.Fraud.gen remained the most widespread malicious program (8.1%). It appears in the form of HTML pages which imitate the registration forms of well-known banks or e-pay systems and are used by phishers to steal user credentials for online banking systems.

Our August rating included four Trojan-Ransom.Win32.Blocker modifications. Three of them – Trojan-Ransom.Win32.Blocker.byxx (3%), Trojan-Ransom.Win32.Blocker.bzbh (1.8%) and Trojan-Ransom.Win32.Blocker.bysg (1.4%) – occupied 2nd, 5th and 7th positions respectively. These malicious programs are designed for blackmailing and extorting money from users. They block the work of the operating system and display a banner that gives instructions on how to unblock the computer. For example, the user is told to send a text message with a specific text to a premium-rate number.

Email-Worm.Win32.Bagle.gt (2.3%) ended the month in 3rd place. This mail worm is distributed in the form of an email attachment which sends itself to the addresses in the victim’s contact list. It can also download other malicious programs onto a user’s computer.

Fourth place was occupied by Trojan-Spy.Win32.Zbot.nyis (2.2%), a modification of one of the most popular Trojan-spies Zbot (ZeuS) designed to steal confidential information including credit card details.

Worm.Win32.Mydoom.m (1.4%) remained 8th in August’s rating. In addition to self-proliferation it sends hidden search requests to search engines thus increasing the traffic and ratings of sites downloaded from the fraudsters’ servers.

Yet another modification of the Mydoom family, Email-Worm.Win32.Mydoom.l (1.4%), completed the Top 10 most widespread malicious programs. This worm is distributed via the Internet in the form of an email attachment. Its main functionality is to harvest email addresses from infected computers so they can be used for further mass mailings. It also has backdoor capabilities.

 

In August, Germany (12.3%) topped the rating of countries most often targeted by malicious emails pushing the previous month’s leader, the USA (10.1%), into 2nd place. The UK came 3rd with an 8.7% share of antivirus detections.

India (6.08%) dropped from 3rd to 5th position. Russia (3.48%) gained 1 percentage point and finished in 9th place in August. Australia’s share declined and averaged 4%. Canada completed the Top 10 with 2.2% of antivirus detections.

The share of antivirus detections for other countries did not vary significantly.

Special features of malicious spam

The vacation season may have been winding down, but the scammers kept up a continuous bombardment of fake messages announcing non-existent airline and hotel reservations, with the spammers using some of the biggest names in these industries. Well-known companies such as booking.com and Delta Air Lines are constantly being imitated by spammers and in August we recorded more fraudulent mailings with fake notifications from these companies. The senders’ addresses often look very convincing, which can result in recipients opening this type of email.

The email sent allegedly on behalf of booking.com informed the user that his hotel booking was confirmed and provided the order details including the date of check-in and check-out as well as the total cost of the hotel room. This scam email was designed in the style of the official website which distinguished it from a similar one imitating notifications from Delta Air Lines informing the recipient that his credit card payment had been accepted and also provided the details of the number, date and cost of the flight. Recipients were asked to click the link to print out a ticket but if they did so, a malicious file was downloaded onto the computer. The message, allegedly sent from booking.com contained a malicious file in the attachment. In both cases these were malicious files of the Trojan-PSW.Win32.Tepfer family used to steal usernames and passwords.

In August, after a long lull the scammers started sending out malicious notifications again from the Royal Caribbean International cruise line. The fraudulent email informed users that the e-documents for an allegedly ordered cruise were ready. These documents contain “important information” the passenger should know before boarding the ship and should be kept and taken on board together with the passenger’s passport and documents. In fact, the email contained the malicious Backdoor.Win32.Androm.qt file, a Backdoor.Win32.Androm modification used to secretly control the user’s computer and add it to a botnet.

 

Fake notifications often utilize the names of popular international delivery services such as FedEx, UPS and DHL. They tell recipients that a courier failed to deliver their parcel due to an incorrect delivery address. To get the parcel, the recipient should print out the attached document and call the company’s office or confirm specified data, including the delivery address. Malicious files can also hide in fake documents supposedly containing detailed information about the parcel, which does not in fact exist. Spammers try to make their fake notifications look legitimate and typically use not only an apparently real sender’s address but provide non-existent order information, genuine contact details from official websites and a copy of a privacy notification letter.

The attached archives usually contain malicious files from different families. For example, the archive FedEx Invoice copy.zip attached to the fake FedEx notification contained the executable file FedEx Invoice copy.exe with a Trojan from the ZeuS/Zbot family. This malicious program is used to steal users’ personal information and passwords for their payment and banking accounts. The fake notifications sent on behalf of UPS contained Trojan-PSW.Win32.Tepfer.pnfu, designed to steal user logins and passwords. Yet another malicious program belonging to the Backdoor.Win32.Androm family was discovered in a mass mailing allegedly spread on behalf of DHL. The fraudsters used it to get full access to the victim’s computer.

 

Phishing

August saw a decline in business activity so  spammers got fewer orders for advertising and enthusiastically switched to fraudulent messages. As a result, the percentage of phishing emails in global spam traffic increased tenfold compared with July, reaching 0.013%.

Distribution of the Top 100 organizations targeted by phishers, by category*

This rating is based on Kaspersky Lab’s anti-phishing component detections, which are activated every time a user attempts to click on a phishing link, regardless of whether the link is in a spam email or on a web page.

The most attractive targets for phishing attacks did not vary significantly in August. Social Networking Sites continued to top the list, with that category’s share not changing from July – 29.6%.

Email and Instant Messaging Services (17.2%) remained second: the share of attacks on this category decreased by 0.4 percentage points. Meanwhile, the figure for Search Engines (16.1%) grew slightly which saw that category remain in 3rd place.

Financial and E-pay Services (13.8%), IT vendors (8.4%), Telephone and Internet Service Providers (7.8%), Online Stores and E-auctions (5.4%) and Online Games (0.7%) occupied positions 4-8.

In August, Apple found itself among the main phishing targets. We frequently came across emails that supposedly came from the official address of the company, but which in fact were phishing messages designed to deceive users and steal their logins and passwords. For example, some emails gave the user 48 hours to confirm the details of an iTunes account. To unblock the account, the recipient had to click the link in the email and follow the instructions on the site. The spammers tried to lull the user into a false sense of security, pointing out that the message had been created automatically. However, both the request to confirm the account information on third-party sites and the absence of a personal address should alert users to the risk of fraud.

 

Conclusion

In August, the proportion of world spam dropped to 67% which might have been caused by the annual decline in business activity during the summer period and a decrease in the amount of advertising spam. However, we registered a lot of mass mailings dedicated to renting or selling cars, and to medicine and healthy lifestyles. In addition, spammers exploited the themes of the new school year and the US Labor Day holiday to advertise the sales of various goods.

During the summer, spam becomes more criminalized and the number of fraudulent messages containing malicious files increases. In August, Trojan spies designed to steal financial information were widespread in malicious spam traffic. However, the Trojan-Ransom.Win32.Blocker family of worms was also very popular with the scammers and several modifications could be found among the most frequently detected malicious programs.

During the holidays spammers continued to actively spread fake messages on behalf of companies involved in booking hotel and airline tickets. Courier firms also attracted the fraudsters’ attention, with their names being used for both phishing and spreading malware.

Phishers used popular Apple products and services to steal user logins and passwords. On the RuNet, scammers used spam to create and promote online services imitating the official services of public organizations in order to extort personal information and money from users.

August’s rating of the most attractive targets for phishing attacks did not vary significantly. As expected, Social Networking Sites and Email and Instant Messaging Services maintained their leading positions. In the last month of summer the activity of school children and students on social networking sites and email services remained high and ensured that phishers remained interested in this sector. However, in September when business activity starts recovering this interest will pass from social networking sites back to financial institutions and the number of attacks on the banking sector will increase. At the same time, the proportions of fraudulent and malicious mailings will most likely decrease.

Spam in August 2013

Your email address will not be published. Required fields are marked *

 

Reports

How to catch a wild triangle

How Kaspersky researchers obtained all stages of the Operation Triangulation campaign targeting iPhones and iPads, including zero-day exploits, validators, TriangleDB implant and additional modules.

Subscribe to our weekly e-mails

The hottest research right in your inbox