Spam and phishing reports

Spam in July 2014

Spam in the spotlight

Festive spam in July was largely dedicated to the holy month of Ramadan. Unwanted correspondence also included offers to send promotional messages to users’ phones and email boxes. We also came across fraudulent emails asking for help with investments. There were offers of beauty products and services too.

Ramadan

In July, spammers continued to exploit the holy month of Ramadan by offering mass mailing services. The emails were written in English. The subject and the text of the emails attracted readers with special offers and discounts in honor of the main Muslim holiday. Mass mailings advertising SMS distribution to residents of the United Arab Emirates were sent from free email services and designed in the same style. The emails used different text fonts and provided different contact details: for example, the phone numbers in the body of the message and in the subject of the email were different. Some emails indicated the site of a company engaged in SMS-marketing.

July-2014_Spam-report_en_1

“Nigerian” scammers did not bother to invent anything new either and tried to attract users’ attention by wishing them a Happy Ramadan both in the subject of the email and in the body of the message. Fraudulent emails that offered impressive rewards for help in investing money in a business project were circulated in both English and Arabic.

Current spam flows often include emails in different languages. In particular there has been an increase in the number of messages in Semitic languages, including Arabic, over the year. At the same time the scammers use English in the subject of the emails rather than Arabic. This is probably because English is more widespread and they hope an English subject will attract more readers.

One of the emails was written allegedly on behalf of a Muslim mother. It mentioned the complicated political situation in Syria and explained that this made it impossible to safely invest money at home. In this case, the content of the message suggests the author must know Arabic so a text in this language can be used to make it look more credible.

July-2014_Spam-report_en_2

Spam beautiful

Among July’s major mailings there was a notable campaign offering a variety of skin care products for women as well as promotions for beauty clinics. Spam mailings were used to sell different cleansers, anti-wrinkle creams, “elixirs of youth” and other cosmetic products. The scammers offered product samples to convince the user of their merits and promised to return the money if the results were unsatisfactory. The fraudsters tried to encourage potential customers by promising quick and free shipping to any country.

July-2014_Spam-report_en_3

Beauty clinics were actively offering laser hair removal procedures at considerable discounts or even free of charge to supposed lottery winners. The sales pitch, complete with pictures, focused on the pressing need for this procedure before relaxing on the beach. Sometimes these emails were “noised” with texts that had nothing to do with the advertised goods and services. In some cases, this “noise” took up half the message (see the example below). The senders’ names in these emails were a randomly generated combination of letters and numbers. The names of advertised centers and clinics were also mentioned in the body of the message to make it easier to find them via the search engine. However the links in the emails led to spammer parked sites registered on newly created domains. Sometimes they offered similar goods or services; sometimes they promoted completely different ones.

July-2014_Spam-report_en_4

Heat-busting spam

The heat of the summer has warmed up the market for products that help us to cool down: spam traffic actively promoted sun-protected foil for windows, fans and air conditioners, including repair and maintenance services. We often came across emails advertising water coolers and bottled water. Water was offered with special summer discounts and free delivery to homes and offices, while an extra bonus promised a free basket of fruit with every order in July or August. Making an order is as simple as calling the number in the advert.

July-2014_Spam-report_en_5

Sunglasses were among the most popular summer offers. Knock-offs of designer sunglasses were offered at huge discounts compared to the original. Such emails often contained the designer logos and included icons of different social networks where the company is officially represented. However, these icons were merely decorative and offered no link to these sites. They were simply intended to make the email seem more realistic. Once users clicked on the link in the email, they were redirected to a newly created online sunglasses store. The names of the sites often included the words ‘glasses’ or ‘sunglasses’. Sometimes you could even visually identify the distorted name of the glasses brand in the random set of letters and numbers which comprised the address of the site.

Statistics

The percentage of spam in email traffic

The percentage of spam in email traffic averaged 67%, which is 2.2 percentage points up from June. The highest spam levels were seen during the second week of the month (67.6%), and the lowest levels were seen in the first week (66%).

July-2014_Spam-report_en_6

Percentage of spam in email traffic

The geographical distribution of spam sources

In July, the list of the most popular sources of spam around the world looked like this:

July-2014_Spam-report_en_7

Sources of spam around the world

The USA took first place (15.3%) after its percentage increased 2.2 percentage points from the previous month. Next, Russia came in second place with 5.6%; the amount of spam originating in that country was down 1.4 percentage points. China was in third place with 5.3% having produced 0.3 pp less spam than in June.

Argentina was in 4th position with 4.2% of all distributed spam; its contribution remained practically unchanged but the country still climbed one place in the rankings. It is followed by Ukraine (4.1%) with a 0.9 pp rise compared to June.

In July, we saw the 1.8 pp reduction in the amount of spam from Vietnam (3.5%) which pushed this country from 4th to 8th place.

France rounded up the Top 10 with 2.63% of all distributed spam having pushed India (2.59%) to 11th position.

Malicious attachments in email

The graphic below shows the Top 10 malicious programs spread by email in July.

July-2014_Spam-report_en_8

The Top 10 malicious programs spread by email

This time the rating was topped by Trojan.Win32.Yakes.fize, the Trojan downloader Dofoil. This program downloads a malicious file on the victim computer, runs it, steals the user’s personal information (especially passwords) and forwards it to the fraudsters.

The notorious Trojan-Spy.HTML.Fraud.gen dropped out of top spot for the first time in many months. Readers may remember that this is the threat that appears as an HTML phishing website and sends emails disguised as important notifications from banks, online stores, and other services.

Next came Trojan.JS.Redirector.adf which is the HTML page containing code to redirect users to a scammer site offering downloads of Binbot, the service for automatic sales of binary options which are currently very popular in the Internet. This malicious program is distributed via email attachments.

It is followed by Backdoor.Win32.Androm.enji. This malicious program is a modification of Andromeda – Gamarue, a universal modular bot which is a basis for building a botnet with a variety of features. The functionality of the bot can be expanded using a system of plugins that are loaded by the criminals as required.

Fifth position is occupied by Trojan-Banker.Win32.ChePro.ink. This downloader appears in the form of a CPL applet (a component of the control panel) and, as is typical for this type of malware, it downloads Trojans developed to steal bank information and passwords. These banking Trojans mainly target online customers of Brazilian and Portuguese banks.

Trojan-Ransom.Win32.Cryptodef.ny ended 8th in July. This malicious program encrypts files on computers, blocks the screen and asks the user to pay to restore the files.

Rounding off the Top 10 was Trojan.Win32.Bublik.cran. The main functionality of the Bublik malware family is the unauthorized download and installation of new versions of malware onto victim computers.

July-2014_Spam-report_en_9

Distribution of email antivirus detections by country

July’s Top 3 remained unchanged from June. Germany accounted for 11.7% of all antivirus detections and topped the rating (+4.71 percentage points). The USA was second with 9.82% (+0.28 pp). The UK was third with 6.9% (+0.10 percentage points).

India (5.16%) overtook Brazil (3.94%) and came fourth having increased its share by 0.54 percentage points. Italy moved up two steps to 5th in the rating (+1.2 pp).

Russia increased its contribution by 1.37 percentage points averaging 3.40% of all antivirus detections and climbing from 13th to 8th position.

The UAE saw a noticeable drop in antivirus detections – a 1.09 pp fall saw it lose six places on the ranking.

The July Top 20’s newcomer was Poland which occupied 19th place with 1.42% of all antivirus detections.

The percentage of email antivirus detections in other countries did not change significantly in June.

Special features of malicious spam

In July, we saw an increase in the number of fake Portuguese language notifications = sent on behalf of the popular smartphone messenger WhatsApp.

One example featured messages warning users that they had violated the terms of use and were in danger of having their accounts blocked. The message claimed another user had reported prohibited content coming from the recipients’ accounts. The authors of the email claimed that in response to an increasing number of these complaints they could temporarily suspend the offending account for up to 90 days while the sender’s IP address was confirmed. At the end of the email the user was invited to view the terms and conditions of using the application by clicking on the appropriate button. This link downloaded Trojan-Downloader.Win32.Genome.a , a downloader appearing in the form of a .cpl applet (a component of the control panel) which in turn downloaded a Trojan-Banker.Win32.ChePro modification. In addition, the banker could download Virus.Win32.Hidrag.a to infect executable files in the system.

July-2014_Spam-report_en_10

In another case, the fake message notified the recipient that after months of hard work WhatsApp for PC could now enable users to chat with friends in real time via their computer. To add to the intrigue the message claimed that 11 people had already sent friend request to the recipient. To find out who these 11 people were, the user had to download the latest version of the Messenger for PC by clicking on the link in the email. Noticeably, we have been registering different versions of this message since the beginning of 2014.

As in the previous cases, instead of the desired program the user received a ZIP-archive which contained the dropper Trojan-Dropper.Win32.Dapato.egel. Its task is to connect to a remote Brazilian host then download and run a Trojan banker designed to steal the user’s financial data. The dropper also copies itself to C:\Documents and Settings\Administrator\Local Settings\Application Data\ under the name of BaRbEcuE.exe. There it creates a file called windataup.inf, in which it indicates its presence and states the current date. Finally it writes itself into the AutoRun, ensuring it is launched automatically.

Phishing

In July 2014, Kaspersky Lab’s anti-phishing component registered 20,157,877 detections.

Phishers attacked users in Brazil most often: at least once during the month the Anti-Phishing component of the system was activated on computers of 18.17% of Brazilian users. This surge in activity is probably related to the football World Cup that took place in the country in June and July.

July-2014_Spam-report_en_11

The geography of phishing attacks*, June 2014

* The percentage of users on whose computers the Anti-Phishing component was activated, from the total number of all Kaspersky Lab users

Top 10 countries by the percentage of attacked users:

  Country % of users
1 Brazil 18.17
2 India 12.99
3 Australia 11.10
4 France 10.73
5 Kazakhstan 10.62
6 UK 10.15
7 UAE 10.14
8 Dominican Republic 10.11
9 Canada 9.61
10 Ukraine 9.53

Targets of attacks by organization

The statistics on phishing targets is based on detections of Kaspersky Lab’s anti-phishing component. It is activated every time a user enters a phishing page while information about it is not included in Kaspersky Lab databases. It does not matter how the user enters this page – by clicking the link contained in a phishing email or in the message in a social network or, for example, as a result of malware activity. After the activation of the security system, the user sees a banner in the browser warning about a potential threat.

In our previous reports we referred to the Top 100 organizations when analyzing the most attractive targets for phishing attacks. In July, we analyzed the statistics for all organizations that were attacked.

In July, the Global Internet portals category continued to top the rating of organizations most often attacked by phishers (29.49%) although its share decreased by 2.67 pp. Social networks came second with 14.61%, a 3.2 pp decline from the previous month.

July-2014_Spam-report_en_12

Organizations most frequently targeted by phishers, by category – July 2014

Below is a similar chart for the previous month:

July-2014_Spam-report_en_13

Organizations most frequently targeted by phishers, by category – June 2014

Financial phishing accounted for 41.85% of all attacks, a 7.86 pp growth compared with the previous month. The percentage of detections affecting Banks, Online stores and E-payment systems was up 2.25, 2.64 and 2.29 pp respectively. The most significant spike affected PayPal (3.24%) up 2.27 pp in July.

We came across an interesting example of PayPal phishing at the end of the month. The fraudulent email informed the recipient about an incoming payment from a Craiglist user (most likely, it is the incorrect spelling of Craigslist, the site of e-ads) but the money could not be transferred because of an error with a PayPal account.

July-2014_Spam-report_en_14

The email arrived from the address which does not belong to PayPal. In addition, it is impersonal which is a typical feature of a phishing email

To solve the problem, the user was asked to immediately download the attached form, open it and fill it in.

July-2014_Spam-report_en_15

The form was created using the design elements of the PayPal site

The attackers are phishing for the user’s email address and a password for it, his full name and date of birth, his mother’s maiden name, his address, his credit card number, its expiry date and CVV as well as any passwords for Verified by Visa or MasterCard SecureCode. This detailed personal information would make it easy for fraudsters to rob the user of all electronic savings.

July-2014_Spam-report_en_16

If you look at the HTML code of the page, you can see that all the data entered in the form will be sent to a page that has nothing to do with PayPal.

Top 3 most organizations most frequently targeted by phishers

  Organization % detections
1 Google Inc 11.64%
2 Facebook 9.64%
3 Windows Live 6.28%

In July, Google services were most heavily targeted by phishing links: their share made up 11.64% of all Anti-Phishing component detections.

The number of fraudulent links to Windows Live, the global portal of the Microsoft services (including Outlook), grew significantly in July. The attractiveness of this resource for fraudsters is easily explained because of the popularity of the MS services and especially with the fact that they are accessed from a single account. Phishing pages are usually designed as an entry page to Outlook (currently there is also a fake login page to live.com).

July-2014_Spam-report_en_17

An example of the phishing page imitating the Outlook entry page

Interestingly, many recent phishing pages still use the old Hotmail design despite the fact that Outlook replaced it as far back as the beginning of 2012. However, it does not seem to worry users very much: they still jump at the bait of such phishing pages.

July-2014_Spam-report_en_18

An example of phishing on live.com using the outdated Hotmail design

Conclusion

The proportion of spam in global email traffic in July increased 2.2 percentage points and averaged 67%.

Spam emails advertising services that would send messages to users’ phones and emails tried to capitalize on the Ramadan festivities while new customers were lured with holiday discounts and favorable offers. “Nigerian” scammers spread emails in English and Arabic asking for assistance in investing money. There were also offers of beauty products and services.

In July, the list of the most popular sources of spam around the world was topped by the US (15.3%), Russia (%5.6%) and China (5.3%).

In July 2014, Kaspersky Lab’s anti-phishing component registered 20,157,877 detections. Phishers attacked users in Brazil most often: 18.2% Brazilian computers flagged at least one phishing alert during the month. The Global Internet portals category continued to top the rating of organizations most often attacked by phishers (29.5%). Financial phishing accounted for 41.85% of all attacks, a 7.86 pp growth compared with the previous month.

The rating of the most popular malicious attachments distributed via email was topped by Trojan.Win32.Yakes.fize. Germany remains the country with the highest number of antivirus detections (11.7%).

A significant number of malicious attachments imitated fake notifications in Portuguese allegedly sent on behalf of the popular smartphone messenger WhatsApp. These attachments targeted the financial data of users in Brazil and Portugal.

Spam in July 2014

Your email address will not be published. Required fields are marked *

 

Reports

How to catch a wild triangle

How Kaspersky researchers obtained all stages of the Operation Triangulation campaign targeting iPhones and iPads, including zero-day exploits, validators, TriangleDB implant and additional modules.

Subscribe to our weekly e-mails

The hottest research right in your inbox