
Spam in Q3 2012

The quarter in figures

  • The percentage of spam in total mail traffic was down by 2.8 percentage points in the third quarter, coming in at 71.5%.
  • The share of emails with malicious attachments increased by 0.9 percentage points and amounted to 3.9%.
  • 27% of phishing attacks were launched on social networks.
  • 26.7% of all spam originated in the US in Q3 2012.

Sign of the times: politics and religion in spam

The most popular personality over the past three months has been Barack Obama, President of the United States. His name was mentioned in emails on a wide variety of subjects: from your typical ads for “watches just like the president’s” right up to emails denouncing the president’s administration and urging US citizens to challenge the current president’s politics (as a rule, these types of emails also contained requests for donations for funding). Fraudulent and malicious emails using the US president’s name were also detected.

 

By late September, the number of English-language mailings calling for US citizens to change the country’s political course had increased. Clearly, the election campaign was coming to a head: the US presidential elections were scheduled for 6 November 2012. Political emails both criticized Barack Obama’s actions and urged recipients to vote for Mitt Romney.

 

It should be noted that in the US, under the CAN-SPAM Act of 2003, only commercial mailings (i.e. advertising) count as spam, and mass political mailings do not.

The scammers also used Barack Obama’s popularity for their own purposes. Not only did fraudulent emails use his name — they also used the name of his wife, Michelle Obama. By sending emails allegedly from the First Lady, Nigerian scammers attempted to gain recipients’ trust: the emails claiming to be from Michelle Obama promised millions of dollars to anyone who would send “her” their addresses, telephone numbers, and $240.

 

In addition to politics, religion was another common spam theme in Q3 2012. Spam was used to spread the link to the YouTube video of the scandalously controversial movie “The Innocence of Muslims”. Malicious users will typically exploit interest in hot topics by adding links to malicious resources in these types of emails. However, in this case, the links in the emails led directly to the YouTube video, and no malicious programs were spread through this spam mailing.

 

Nevertheless, some malicious users managed to use the controversy surrounding the film to their own advantage by sending malicious emails tempting users with links allegedly leading to the latest news.

The links in these emails took recipients to a hacked website that then redirected them to a malicious resource, pillsearnings.nl. This was the same destination used in the mailing that used the US president’s name and addressed the upcoming elections.

New advertising venues: pros and cons

The share of spam decreases

In the second quarter of the year, we noted that advertising is moving from spam into other venues: banner ads, social networks, contextual advertising, and coupon services. In Q3 2012, this trend remained in force, and the share of spam in total mail traffic fell by another 2.8 percentage points.

The chart above is typical of the summertime reduction in the amount of spam, followed by the usual surge in September. An autumn increase is seen nearly every year, as the summer holidays come to an end, people resume their usual Internet routines, and advertisers attempt to put out more ads, including in spam. Nevertheless, there is still a clear downward trend in the amount of spam.

The “grey areas”

Recently, numerous coupon and discount services have appeared on the Internet, offering users so-called group discounts. These services take advantage of demand around the world, and are now drawing advertisers away from spam. On the one hand, this is a positive process. On the other hand, not all of these services circulate their own advertising in a manner compliant with legal regulations. As a result, we are seeing the emergence of so-called “grey areas” in spam.

Some coupon services send out spam in order to promote themselves and attract new clients, and a portion of their mailings go out to subscribers as well as to a much broader base of addresses. So, if a recipient is not a subscriber, then the mailing is spam, even if it contains news, on-topic articles, or any other relevant information in addition to blatant advertising. Moreover, with legal provisions in nearly all countries and even some specific laws on spam, these advertisers can be taken to court.

In other words, just about anyone can file a lawsuit against a dishonest advertiser sending out spam. While in the case of classic spam, where the sender is anonymous, it can be very difficult to identify and hold a guilty advertiser accountable, the process is much simpler in situations involving these “grey areas”.

Malware disguised as coupon services

Spammers are taking advantage of the growing popularity of new legitimate advertising venues. They are primarily doing so by sending out malicious emails designed to look like official notifications. Kaspersky Lab is seeing more and more malicious spam designed to look like coupon service notifications.

Kaspersky Lab already addressed the use of coupons in spam in its Q2 2012 spam report. We are revisiting the issue of coupon spam in this report due to the emergence of malicious mailings in spam traffic designed to look like emails from the prominent coupon service Groupon.

Kaspersky Lab experts expected to see the appearance of this type of spam since coupons are very popular among Internet users and they trust coupon services. An email from a coupon service is an ideal disguise for malicious users.

The first such mailing was detected by Kaspersky Lab in July. In that case, the email was made to look like a notification for a new promotion by a major coupon service, and included an attached ZIP file named Gift coupon.exe — an executable file. In fact, the file contained the malicious program Trojan.Win32.Yakes.aigd. All the links in emails with malicious attachments led to the Groupon website, which had no malicious objects seeded on it. Clearly, this was a fake-out on the part of the malicious users in order to gain user trust.

It was a different situation entirely in September. Kaspersky Lab noted that the new mailings allegedly sent by Groupon did not include an attachment, but all of the links in the emails redirected recipients to a malicious online resource with exploits.

 

As we already noted above, the emergence of malicious coupon spam did not come as a surprise, since these services are becoming increasingly common. In these circumstances, our experts would like to advise our readers of the following:

First of all, coupon services will never include attachments in their emails — especially in the form of a ZIP file or an executable.

Second, users can and should always make sure that an email that is apparently from a well-known service at the very least has the correct sender name in the FROM field, and that all of the links lead to the site that they claim to (check this by hovering the mouse over the link).

Kaspersky Lab has more useful advice on our website.
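The two checks advised above (no ZIP or executable attachments; the sender and every link must belong to the service's own domain), as an added Python example that is not part of the original report. The domains, the `RISKY_EXT` list and all function names are assumptions made for illustration, and the sample message is constructed.

```python
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

RISKY_EXT = (".exe", ".scr", ".zip")  # assumed list; the report names ZIP and executables

class LinkCollector(HTMLParser):
    """Collects the href of every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.append(dict(attrs).get("href") or "")

def on_domain(host, domain):
    """True only for the domain itself or a real subdomain, not a lookalike prefix."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def check_message(raw, expected_domain):
    """Return findings for a message that claims to come from expected_domain."""
    msg, findings = message_from_string(raw, policy=policy.default), []
    addr = parseaddr(str(msg["From"]))[1]
    if not on_domain(addr.rpartition("@")[2], expected_domain):
        findings.append(f"sender domain mismatch: {addr}")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            findings.append(f"risky attachment: {name}")
        if part.get_content_type() == "text/html":
            collector = LinkCollector()
            collector.feed(part.get_content())
            findings += [f"link leaves {expected_domain}: {h}" for h in collector.hrefs
                         if not on_domain(urlparse(h).hostname, expected_domain)]
    return findings

def build_sample(sender, href, attachment=None):
    # Constructed message: the link text shows the real site, href may differ.
    m = EmailMessage()
    m["From"] = sender
    m.set_content(f'<a href="{href}">www.coupon-service.example</a>', subtype="html")
    if attachment:
        m.add_attachment(b"MZ", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_string()
```

Calling `check_message(build_sample(...), "coupon-service.example")` returns an empty list for a message that passes all three checks.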

Variety in malicious mailings

It should be noted that over this past quarter, Kaspersky Lab also recorded an enormous variety of malicious mailings. Nearly all of them were disguised as official notifications: our spam traffic included fake letters from hosting services, banking systems, social networks, online stores, and other services.

 

Incidentally, in the past most malicious users favored fake airfare confirmation notices. These days, the disguise of choice appears to be hotel confirmation notices.

 

In some cases, malicious users combine two social engineering tactics: in order to get users to click their links, fake notices allegedly from well-known sources sometimes announce giveaways.

 

Given the amount and quality of fake emails with malicious links, Internet users need to exercise as much caution as possible: these days, any email could pose a threat!

Statistics

Malicious attachments in email

Although the percentage of malicious attachments in email traffic declined during all three months of the past quarter, the average percentage of emails containing a malicious attachment at the end of the quarter was 0.9 points higher than in the previous quarter, closing at 3.9%. The chart below illustrates this downward trend month-by-month.


The percentage of malicious attachments in mail traffic, Q3 2012

Spam detection by country

The most remarkable change in the Top 10 countries where spam is detected in Q3 was Germany’s unexpected rise to first place (+3.8 percentage points).

 
The distribution of email antivirus spam detection by country in Q3 2012

The US, which had been in first place for eight months in a row, unexpectedly fell to 8th place in September, which affected the final results of the quarter. As a result, the percentage of spam detected in the US fell by 5.2 points from the second quarter, and the country took second place, just slightly behind Germany.

The percentage of spam detected in the UK fell by 1.7 percentage points (5th place), while Italy’s spam also dropped by 1.6 points, pushing that country out of the Top 10. The percentage of spam detected in the other Top 10 countries doesn’t exceed 1.5%. The changes in the proliferation of malicious code in Vietnam and Australia are a bit curious, as they were almost exactly the same over the past three months.

 
The percentage of spam detected in Australia and Vietnam: July-September 2012

The Top 10 malicious programs spread by email

Despite the fact that our rating for Trojan-Spy.HTML.Fraud.gen plummeted in late September, this threat still took first place for the quarter, leaving other malicious programs in the dust. This Trojan accounted for more than one-fifth of all email antivirus detections in Q3 2012. As you may remember, Trojan-Spy.HTML.Fraud.gen is a malicious program executed as an HTML page with a registration form allegedly from a financial organization or some other type of online service. The registration data entered in the fields is forwarded to malicious users. The use of this particular threat is just one of the tactics employed by phishers.

 
The Top 10 malicious programs spread by email in Q3 2012

The email worms Bagle.gt, Mydoom.m and Mydoom.I took second, third, and fourth place, respectively, in this quarter’s ratings, while the Netsky.q worm fell to sixth place. Readers may recall that the standard function of an email worm is to collect email addresses on an infected computer and send spam to those addresses. Bagle.gt is the only one of these four worms that is equipped with the additional function of going onto the Internet to download other malicious programs onto an infected computer.

The Androm family that appeared in the Top 10 for the first time in July retained its position throughout the entire summer, and one of the modifications in this family (Androm.kv) took first place in September. According to the Q3 results, this modification took 5th place overall for the quarter. Yet another representative of this family took 10th place. Once installed on victim computers, these threats download other malicious programs onto the system, including spambots.

Trojan-Ransom.Win32.PornoAsset.aauh took 7th place in the third quarter’s Top 10. This is a blackmailer that blocks the operating system and demands that the user pay to have it unblocked. These programs were among the most notable in September: four of the malicious programs in the Top 10 in the first month of autumn were modifications of this family.

The size of spam emails


The size of spam emails in Q3 2012

In the third quarter of 2012, spam emails were generally quite small (1 KB or less). As a rule, the bodies of these emails have one short sentence and a link to a website, which the spammer is hoping the recipient will click on. In September, we noted an increase in the amount of larger-sized emails (2-5 KB). This is because in autumn, we typically see an increase in the amount of spam ordered by SMEs, and typically this type of spam contains more information in the message body. Affiliate spam will definitely contain a link, since the spammer’s income will depend on the number of clicks originating from his emails.

Sources of spam by country and region

In Q3 2012, the percentage of spam emails sent from China and the US increased considerably (+6.7 and +15 percentage points respectively). In total, these two countries are responsible for more than half of all of the world’s spam.

The share of other countries dropped more or less proportionally.

 
Sources of spam by country, Q3 2012

Spam originating in China was sent primarily to the Asia-Pacific region, Australia, and Western Europe, while spam originating in the US was actively sent to the American continent, the Asia-Pacific region, and Australia. As far as Eastern Europe is concerned, the largest amount of spam came from India and Vietnam. India’s spam primarily targeted Western Europe, where the country took second place in the Top 10 sources of spam.

As for the regions where spam originates, thanks to the US, the region of North America rose significantly (+15 percentage points), while Asia’s percentage remained high, with nearly one-half of spam being sent from computers in that region. Western Europe pushed past Eastern Europe and took fourth place, approaching South America’s numbers.

 
Sources of spam by region, Q3 2012

Phishing

 
The Top 100 companies targeted by phishers, by category, in Q3 2012

This rating is based on detections registered by Kaspersky Lab’s anti-phishing component each time a user attempts to click on a phishing link, regardless of whether or not the link is in a spam email, or on a website.

At the end of the quarter, social networks were at the top of the Top 100 companies targeted by phishing attacks with 26.5% of all attacks, or 0.6 percentage points more than in the previous quarter. Financial organizations were in second place, with 22% of all phishing attacks, or 1.6 points fewer than in the second quarter.

Remarkably, in spite of the small number of phishing attacks against online games, over the course of the past three months, Kaspersky Lab registered mailings designed to steal registered user data from battle.net. This leads us to believe that phishers demonstrated renewed interest in Blizzard gaming accounts due to the recent release of WoW: Mists of Pandaria.

Conclusions and Predictions

In Q3 2012, Kaspersky Lab’s experts saw numerous politically-themed mailings, which continued to grow in number right up to the US presidential elections on 6 November. The number of malicious mailings taking advantage of user interest in the elections was also on the rise.

The migration of advertisers from spam to other venues is due in part to the increasing criminalization of spam, with a large number of advertisements for prohibited goods, as well as fraudulent and malicious emails. Over the past year, Kaspersky Lab experts have observed two trends in parallel: a decrease in the percentage of spam and a slight rise in the percentage of malicious mailings. More likely than not, both trends will continue, as the percentage of spam is on the decline due to the migration of advertisers of legitimate goods and services to other venues.

As for the sources of spam, the amount of spam originating in the US rose considerably, but is unlikely to remain at such high levels and will drop slightly in the next quarter. Asia remains the region where most of the world’s spam originates.
