Spam and phishing reports

Spam in August 2014

Spam in the spotlight

In August, fraudulent emails exploited global political events and the names of famous people in the Russian Federation. Malicious files were spread via email, including ones that imitated court summons. Spammers who earn money by advertising medications used popular services to attract the attention of recipients. Spammers also actively advertised travel services and collection agencies.

Malicious court summons

In August we registered several mass mailings imitating court summons in various languages. The English-language version informed that the user was being taken to court and should study the case materials to help lodge a defense. Those materials were supposedly in an attachment, which actually contained the Trojan Backdoor.Win32.Kuluoz capable of downloading and running other malware on the victim computer. By comparing several emails from a single mass mailing we confirmed that some details, such as the time, date and venue of the hearing and the names of the archives of malicious files varied from email to email. The sender addresses had been generated from a single template in which the scammers simply entered the words from a pre-determined list. The changes in the text to were intended to provide more individuality and bypass spam filtering.

august-2014_spam-report_en_1

As well as the English-language versions, similar malicious spam appeared in Russian and Czech. The scammers tried to convince users that they had unpaid debts due within 15 days. If they didn’t pay, recipients were warned that their property could be confiscated and their bank accounts frozen.The attached archive contained Trojan-Downloader.Win32.Agent.heva, a malicious file presented by the fraudsters as financial and legal documents. Once the user ran the Trojan, an RTF file was displayed while the malicious program was downloading and installing Trojan.Win32.Tinba.ei, yet another Trojan designed to steal financial information such as bank account credentials and credit card data. The name of the Trojan is an acronym of ‘Tinybanker’. This is a small piece of assembler code, but it has the functionalities of many larger pieces of similar malware.

august-2014_spam-report_en_2

Politics in “Nigerian” spam

In August, we again came across “Nigerian letters” exploiting the events in Ukraine. In the email written in English the scammers used the name of the former President of Ukraine Viktor Yanukovych to sell their story. This time the popular “Nigerian” trick of asking for help in investing money for a substantial reward came from a former financial adviser to the President, whose money had been secretly transferred to the adviser’s personal account in London.

august-2014_spam-report_en_3

After a long silence the name of Mikhail Khodorkovsky was back again. We came across “Nigerian letters” supposedly written on behalf of his inner circle. To trick readers, the fraudsters spun the standard story offering a reward for assistance in transferring and investing huge sums of money. To make the email look more realistic, the body of the message contained the links to official articles about Khodorkovsky. In addition, it was emphasized that all future transactions were legal and did not present any risk to the victim.

august-2014_spam-report_en_4

One email provides minimal information, simply asking recipients to contact the scammers if they finds the offer interesting. Another email provides details of a tempting offer and stories from Khodorkovsky’s life: before the arrest he couldn’t withdraw all money out of Russia and now, after the release, he intends to complete the transfer. However as the disgraced billionaire cannot use his former company to do this, he is looking for someone to help him. Interestingly, “Nigerian” scammers enable recipients to unsubscribe from their mailing list by sending an email to the link at the end of the message. This is how the fraudsters collect a database of active e-mail addresses for the future spam mass mailings.

Medication adverts in fake Google Play emails

Spam messages advertising medications regularly offer pills to lose weight, enhance potency or improve the male sex drive. The body of these emails includes a short text with a link to a website of a store where the advertised product can be bought. Sometimes there is just a link. To send out “pharmaceutical” adverts, the fraudsters often use visual spam. However we sometimes see quite unusual tricks to advertise meds. For example, last autumn we wrote in our blog about a series of mailings which used the names of well-known companies and looked just like typical phishing messages. In August 2014, we noted another similar mass mailing.

august-2014_spam-report_en_5

This time the phishing email looked like a purchase notification from the Google Play app store. To convince the recipient that the email was genuine, the spammers utilized a realistic-looking sender address as well as the store’s official logo. Links in the body text of the email, which often lead to pages on the real website, were inactive this time, even though they were highlighted. It seems that the scammers did not think their fake notifications would get through the spam filters so they made their emails look like classic phishing emails.

Spammers’ Indian summer

The English-language segment of the Internet saw spam mass mailings offering special offer tours to Hawaii or Costa Rica or tropical forests, as well as the chance to book a private jet for business or pleasure. These messages came from various addresses and contained the links to newly created sites where users could compare the prices and select the most attractive offer.

august-2014_spam-report_en_6

We also noted mailings offering to participate in earn-online programs. These so-called binary options, offering quick and easy income to cover all the costs of the vacation advertised elsewhere.

How (not) to repay a loan

Another common theme in August’s spam was debt managements for individuals and companies. Spammers send out colorful messages urging things like “Only pay what you can afford” and promised to wipe out crippling debts. The hyperlink in the email led to a newly created blank site with a name like “Zero-debt-now” with offers of consolidated loans (i.e. to get one credit for paying several others) or favorable credit terms.

august-2014_spam-report_en_7

Various collection and private lawyers, meanwhile, offer the opposite: specialized services to collect unpaid debts without slow and costly court proceedings. The advertising emails provided a brief description of the activities of the organization, the details of its work, a few statistics (number of collected loans, the number of satisfied customers, etc.) and included a contact phone number. The digits in the telephone numbers were often deliberately distorted or noised to bypass spam filters. The authors of the messages promised a successful outcome even in cases where other specialized services already have failed.

august-2014_spam-report_en_8

Statistics

The percentage of spam in email traffic

august-2014_spam-report_en_9

Percentage of spam in email traffic

The percentage of spam in August’s email traffic averaged 67.2%, which is only 0.2 percentage points up from July. The amount of unsolicited email increased throughout the month – in early August the percentage of spam averaged 64.9% while in the end it reached 70.4%.

Sources of spam by country

In August, the USA remained the most popular source of spam (15,9%), up 0.7 percentage points from the previous month. Russia was in second place with 6%; up 0.4 percentage points. China was in third place with 4.7% having produced 0.6 pp less spam than in July.

august-2014_spam-report_en_10

Sources of spam around the world

Vietnam was in 4th position with 4.7% of all distributed spam; its contribution grew by 1.2 pp which pushed this country up four places in the rankings. It is followed by Argentina (4.4%) which saw little change in its numbers and dropped one place in the table.

Germany (3.6%) remained in 6th place with a slight decrease in the percentage of distributed spam. Ukraine dropped to 8th. Meanwhile, Brazil (2.9%) added 0.5 pp to its previous month’s contribution and placed 9th in August’s Top 10, which was rounded up with India (2.8%).

Of note is the slight growth of spammer activity in South Korea (1.9%) which also entered the Top 20 in August.

Malicious attachments in email

The graphic below shows the Top 10 malicious programs spread by email in August.

august-2014_spam-report_en_11

The Top 10 malicious programs spread by email

In August Trojan.JS.Redirector.adf topped the rating of malicious programs most often spread via email. Its name speaks for itself: it is an HTML page containing code that redirects users to a scammer site offering downloads of Binbot, a popular service for automatic online sales of binary options. This malicious program is distributed via email in a ZIP archive which is not password-protected.

Trojan-Downloader.Win32.Upatre.to and Trojan-Downloader.Win32.Upatre.tq were in 3rd and 6th places. These malicious programs are relatively simple, are no more than around 3.5 Kb in size and usually download a Trojan banker from the family known as Dyre/Dyzap/Dyreza. The list of financial organizations targeted by this banker depends on the configuration of the file which is uploaded from the command center.

Trojan-Banker.Win32.Fibbit.rq was fourth. This banking Trojan embeds in Java applications for online banking targeting authentication data and other information, such as keys, transaction replacements and their results.

Backdoor.Win32.Androm.enji and Backdoor.Win32.Androm.erom were fifth and ninth in the ranking. Both malicious programs belong to Andromeda – Gamarue, a universal modular bot with features including downloading, storing and running executable files, downloading DLL (without saving on the disk) and plugins as well as the possibility of self-updating and self-deleting. The functionality of the bot can be expanded using a system of plugins that are loaded by the criminals as required.

Trojan.Win32.Bublik.clhs and Trojan.Win32.Bublik.bwbx, modifications of the notorious Bublik malware, ended in 7th and 8th positions in August. The Bublik malware family is mostly used for the unauthorized download and installation of new versions of malware onto victim computers.

Trojan-Spy.Win32.LssLogger.bos rounded off the Top 10. It is a multifunctional malicious program which is capable of stealing passwords from a wide range of software. All stolen information is then passed to the fraudsters via email.

august-2014_spam-report_en_12

Distribution of email antivirus detections by country

In August, the UK took the lead with 13.16% of all antivirus detections (+6.26 percentage points).  Germany (9.58%, -1.49 percentage points) and the USA (7.69%, -1.59 percentage points) were 2nd and 3rd respectively.

The most unexpected result arrived from Russia: its share grew by 3.33 pp from July and accounted for 6.73% which moved this country from 8th to 4th position in the ranking.

Italy (3.31%) dropped from 5th to 8th place having lost 1.33 percentage points. Hong Kong outran Australia, Turkey and Vietnam with 2.74% of all antivirus detections (+0.28 percentage points).

Special features of malicious spam

In August, the scammers again used fake notifications from Facebook to distribute malicious attachments. This time, users received a message from an unknown address warning them about the possible deactivation of their accounts. According to the text, over the last few days (and in some emails – months) the social network was attacked by hackers. To avoid any problems, the developers asked the users to install the utility attached to the email.

august-2014_spam-report_en_13

Each email contained a password-protected ZIP archive with an executable file and a unique password needed to unpack it. The attached archive bore the name of the user who the email was addressed (his email account login) and the same name was used to generate a password for the archive. At the end of the email the scammers said that the file could be only opened on a PC running under Microsoft OS. The utility in the archive was in fact a Trojan downloader, a representative of the Trojan-Downloader.Win32.Haze family. This malware downloads other malicious software usually developed to steal the owner’s personal data or to send out infected emails to the address on his lists of contacts.

Phishing

In August 2014, Kaspersky Lab’s anti-phishing component registered 32,653,772 detections which is 12,495,895 detections more than in the previous month. This considerable growth was probably caused by the summer slowdown in the demand for advertising spam. Fraudsters who do not want to lose their earnings switch to mass phishing mailings.

Australia topped the rating of countries most often attacked by phishers: during the month the number of Anti-Phishing component activations on computers of Australian users doubled and accounted for 24.4%. Brazil was 2nd with 19.5% of attacked users. It was followed by the UK (15.2%), Canada (14.6%) and India (14.5%).

august-2014_spam-report_en_14

The geography of phishing attacks*, August 2014

* The percentage of users on whose computers the Anti-Phishing component was activated, from the total number of all Kaspersky Lab users

Top 10 countries by the percentage of attacked users:

  Country % of users
1 Australia 24.4
2 Brazil 19.5
3 UK 15.2
4 Canada 14.6
5 India 14.5
6 UAE 14.1
7 Ecuador 13.1
8 Dominican Republic 13.0
9 Austria 12.8
10 China 12.7

Targets of attacks by organization

The statistics on phishing targets are based on detections made by Kaspersky Lab’s anti-phishing component. It is activated every time a user enters a phishing page that has not previously been included in Kaspersky Lab databases. It does not matter how the user enters this page – by clicking the link contained in a phishing email or in the message in a social network or, for example, as a result of malware activity. After the activation of the security system, the user sees a banner in the browser warning of a potential threat.

In August, there was little change among the organizations most often attacked by phishers. Global Internet Portals remained the leading category with 30.8%; its share increased by 1.3 pp. Social networks came second with 17.3%, a 3.3 pp decline from the previous month. These two categories accounted for more than half of all phishing attacks in August.

august-2014_spam-report_en_15

Organizations most frequently targeted by phishers, by category – August 2014

Financial phishing accounted for 35.2% of all attacks, a 6.6 pp drop compared with the previous month. The percentage of detections affecting Banks, Online stores and E-payment systems went down 4.9, 1.2 and 0.6 pp respectively.

Top 3 organizations most frequently targeted by phishers

  Organization % detections
1 Google 12.61%
2 Facebook 10.05%
3 Yahoo! 6.38%

In August, Google services were most heavily targeted by phishing links: their share was up 1 pp and had 12.61% of all Anti-Phishing component detections. Second was Facebook, which is traditionally the most popular phishing target. Its contribution increased by 0.4 pp. It is followed by Yahoo! (6.38%). For recap, in July third position was occupied by Windows Live.

In August spam traffic we came across several phishing mailings targeting logins and passwords for Yahoo services! The emails read that Yahoo! administration had registered attempts to enter the user’s account from an unidentified device. This activity caused suspicion and the account would be blocked if the recipient did not confirm the username and password on a special page. The body of the email contained two links for verification of the personal data: the first one – to confirm the password and prevent blockage and the second one – to protect the account in case the entry had been performed ​​by anyone else. Both links had the same address and led to the same phishing page. The text of the messages in different mass mailings remained almost unchanged and the design of the emails used the Yahoo! logo.

august-2014_spam-report_en_16

The phishing page in one mass mailing was an exact copy of the official registration page, but in the other mailing a different background was used.

august-2014_spam-report_en_17

If you look at the HTML code of the phishing pages, it becomes clear that in the first case the victim’s data was sent to the PHP page of the fraudsters while in the second case it was forwarded to an email address registered on a free email service. The HTML code also specified the address which would be entered in the ‘From’ field as well as the subject of the email. This enabled the fraudsters to identify the information about usernames and passwords received from the users within each mass mailing.

august-2014_spam-report_en_18

Conclusion

The percentage of spam in August’s email traffic averaged 67.2%, which is only 0.2 percentage points up from July. The rating of the most popular sources of spam remained unchanged from July – the USA (15,9%), Russia (6%) and China (4.7%).

In August, scammers continued to spread “Nigerian letters” calling for help in the fall-out from the crisis in Ukraine. English-language emails supposedly written on behalf of an associate of the former Ukrainian president Viktor Yanukovych asked for assistance in investing money. Mikhail Khodorkovsky’s on-going story was yet another pretext used by scammers to lure money from the victims.

Malicious emails imitating court summons were often seen in August’s spam traffic. These messages were written in different languages and the attached malicious files were developed both to steal personal information and to extort money for decrypting files on the victims’ computers.

To advertise pharmaceutical spam, scammers used fake notifications from the online Google Play store. The links in them led to pages advertising popular medications.

In August, spammers actively promoted the services of travel and debt collection agencies.

August’s list of most widely-distributed malware was topped by Trojan.JS.Redirector.adf. The long-term leader Trojan-Spy.HTML.Fraud.gen maintained 2nd position in the rating.

In August 2014, Kaspersky Lab’s anti-phishing component registered 32,653,772 detections which is 12,495,895 detections more than in the previous month. Australia was the country most often attacked by phishers: during the month the number of the Anti-Phishing component activations on computers of Australian users doubled and accounted for 24.4%. The Global Internet Portals category remained the sector most frequently targeted by phishers (30.8%). Financial phishing accounted for 35.2% of all attacks, a 6.6 pp drop compared with the previous month. Yahoo! entered the Top 3 organizations most frequently targeted by phishers.

Spam in August 2014

Your email address will not be published. Required fields are marked *

 

  1. Henrik Schack

    Much phishing can be avoided by implementing DMARC (http://dmarc.org)
    Mailproviders like Google, Yahoo, Microsoft & AOL supports DMARC.
    Brands like Facebook, Twitter, Netflix, LinkedIn & Paypal protect their domains with DMARC.

    In other words, you wont get any exact domain phish from DMARC protected brands if you have a DMARC secured email provider.

Reports

How to catch a wild triangle

How Kaspersky researchers obtained all stages of the Operation Triangulation campaign targeting iPhones and iPads, including zero-day exploits, validators, TriangleDB implant and additional modules.

Subscribe to our weekly e-mails

The hottest research right in your inbox