Spam: quarterly highlights
Spam and legislation
On 1 July, new anti-spam legislation (CASL) came into effect in Canada. The new law covers commercial communications including email, messages on social networks and instant messaging services as well as SMS. Now, before a company starts sending emails, it must get the recipients' consent. Canadian companies appear to have taken the new law seriously: in the second quarter, we saw a lot emails from Canadian companies asking users for permission to send their mailings. As well as asking for permission, these emails also contained offers links to lotteries.
Some companies actually used the law as an excuse to collect subscribers' addresses. We came across requests asking users for permission to send them mass mailings even in the addresses of traps that have never been signed up to any mailing lists. Moreover, many of the users who received these sorts of request marked them as spam.
This flow of requests shows that many Canadian mass mailing distributors have never thought about the wishes of users before, but have just sent out their messages to the addresses on their lists.
There are two general views of the new law. On the one hand, an anti-spam law in yet another country will undoubtedly help the fight against spam. On the other hand, legitimate Canadian businesses that use mass mailing fear they may now be regarded as illegal. Microsoft first decided to stop sending out all its security news, but changed its mind a few days later, which is not all that surprising: despite the severity of the law, CASL includes a number of exceptions, and Microsoft's mass mailings don't fall under its jurisdiction. Among the CASL exceptions are mass mailings with various information about a product or service that the user has purchased from a company; mailings aimed at collecting donations; non-commercial mailings, etc.
Playing the market again!
In Q2 2014, we saw a new wave of spam advertising offers to buy stock in small companies. This is a well-known form of stock fraud called 'pump and dump'. The peak of this type of spam was registered in 2006-2007, although fraudsters continue to use it.
Pump-and-dump spam is a form of stock market fraud where spammers buy shares in small companies, artificially inflate the prices by spreading information they were allegedly going to significantly increase in value in the near future and then sell the shares at a higher price.
Interestingly, in addition to these well-known fraudulent tricks, the scammers also applied some time-tested methods to bypass filtering:
- A random set of sentences inserted at the end of each email that use a color close to that of the background (mailings included random sentences from Wikipedia);
- Image spam: the main information is contained in a picture; the color, the text size, the font, the background color and angle of the picture vary from email to email in the mailing.
Image spam was also popular in 2006-2007, and then virtually disappeared, as anti-spam vendors developed graphical analyzers and learned to successfully block these sorts of emails. Also, because of excessive 'background noise', this spam is unlikely to attract many users. These 'stock market' mailings appear to spread in huge volumes: spammers send out hundreds of millions of emails hoping for a minimal response.
Spam and the World Cup
In the first quarter of 2014, the Winter Olympics was the most popular sporting theme for spammers while in Q2 they switched their attention to the FIFA World Cup. You can get more information about phishing and malware attacks that used the World Cup theme from our blog. Apart from dangerous emails, there were messages offering hotel bookings and tickets to the matches as well as adverts for World Cup-related souvenirs and messages inviting bets on the results.
As is usual in such cases, the theme of the World Cup was exploited in spam that had no direct connection to the event. For example, one resourceful German used the theme to advertise Viagra.
"Remain the champion in your bedroom after the World Cup is over," states the advert above.
Sent from iPhone: mobile-themed email
To continue the theme of integration between email spam and mobile devices, we should note that in the second quarter of 2014 mass mailings imitating messages sent from iPad and iPhone were particularly popular. The range of emails was quite diverse – from pharmaceutical offers to messages with malicious attachments. All of them contained the same line in the body of the message: 'Sent from iPhone/iPad'.
In the first example, the link, following several redirects, opened a site advertising medication to enhance male potency; the second attachment contained a malicious program detected by Kaspersky Lab as Trojan-PSW.Win32.Tepfer.tmyd.
The mailings were most likely sent by different groups of spammers as the technical headers (such as Data, X-Mailer, Message-ID) were very different. For example, in some emails the headers were written carelessly while in the others the fields were empty. The only thing they had in common with real messages sent from the iOS-based devices was the phrase in the body of the message. In other emails the headers were not just accurate, they were imitations of the headers used by the real Apple mail client:
X-Mailer: iPhone Mail (9B206)
However, on closer examination, the headers only looked like the real thing (in terms of the number of symbols and the location of hyphens). The fact is that real messages sent from iOS mobile devices use hex code to record Message-ID. The hexadecimal format includes numbers from 0 to 9 and the letters ABCDEF, which means there can be nothing else apart from these numbers and letters in the Message-ID. The fake emails just contained a random set of letters and numbers.
To bypass filtering, criminals often try to hide the address of the site the user is prompted to visit. There are many ways to hide spam links. One of the most widespread is when the links in emails lead to compromised sites from which the user is redirected to the target site. This site may contain an advertisement and/or malicious code. Usually, compromised sites are included in the system redirects simply because cybercriminals can hack them, but sometimes the fraudsters intentionally seek them out. For example, we came across a mass mailing which redirected the user to an advertisement for pharmaceuticals via a compromised site. Moreover, the sites that had been compromised were actually pharmaceutical sites (rxpharmacy *****. com). Cybercriminals use such targeting to make the link appear as genuine as possible to the user.
In addition, we have recently come across a lot of hacked sites belonging to religious societies. It is unlikely they were targeted or subjected to social engineering deliberately – they were probably just poorly protected.
Malicious attachments in email
As is now traditional, the list of malware spread by email is topped by Trojan-Spy.HTML.Fraud.gen. This threat appears as an HTML phishing website where a user has to enter his personal data which is then forwarded to cybercriminals. Noticeably, the percentage of this malicious program decreased by 1.67 percentage points from the previous quarter.
Trojan-Banker.Win32.ChePro.ilc. ended the quarter in second position. This banking Trojan mainly targets online customers of Brazilian and Portuguese banks.
For the first time in a while, exploits made it into the Top 10, with one (Exploit.JS.CVE-2010-0188.f) coming straight in at third place. Exploits in email are especially dangerous as they are created in the form of harmless documents rather than executable files. This particular exploit appears in the form of a PDF file and uses a vulnerability in version 9.3 and lower of Adobe Reader. This vulnerability has been known for a long time and poses no danger to users who update their software regularly. However, if the Adobe version is old, the exploit downloads and runs the executable file detected by Kaspersky Lab as Trojan-Dropper.Win32.Agent.lcqs. The dropper installs and runs a java script (Backdoor.JS.Agent.h) which collects information about the system, sends it to the attackers' server and receives various commands in return from the server. The commands and the results of their execution are transmitted in an encrypted form.
In Q2 2014, representatives of the Bublik family occupied fourth, sixth, seventh and eighth places. Their main functionality is the unauthorized download and installation of new versions of malware onto victim computers. These Trojans appear in the form of the .EXE files, although they imitate Adobe documents with the help of an icon. They often download the notorious ZeuS/Zbot to users' computers.
The Email-Worm.Win32.Bagle.gt ranked fifth in Q2. The main functionality of this type of worm is to harvest the email addresses from compromised computers. The Bagle family worm can also receive remote commands to install other malware on the infected computer.
Yet another exploit – Exploit.Win32.CVE-2012-0158.j – ended the quarter in ninth place. It was designed to look like a Microsoft Word document and exploits a vulnerability in the mscomctl.ocx code in Microsoft Office. Its activity results in the installation and launch of malicious programs on the user computer.
The Top 10 in Q2 was rounded off by Trojan-Spy.Win32.Zbot.sivm from the Zbot family. Zbot is a family of Trojans that can execute different malicious operations (their functionality is updated over time) but most often they are used to steal banking information. Zbot can also install CryptoLocker, a malicious program that demands money to decrypt user data.
With regards to the most popular malware families rather than individual modifications, the distribution in Q2 was slightly different:
Bublik (which often downloads other malware, specifically the Zbot family of Trojans), as well as Zbot itself, are far ahead of their competitors in the rating. These two malware families account for over a third of all email antivirus detections. This is because the majority of malware is used to steal money and Zeus/Zbot is one of the most popular and widely available of these programs.
The Androm family is in third place. The Andromeda family of malware consists of backdoors that allow cybercriminals to secretly control a compromised computer. Machines infected by these programs often become parts of botnets.
Targets of malicious mass mailings by country
The TOP 20 countries with the highest number of antivirus detections saw some change from the first quarter of 2014. The percentage of malicious spam targeting users in the US decreased slightly (-3.5 pp). However, this was enough to see it drop from first to third place, allowing the UK and Germany to take the lead. Among the other significant changes was the 2.5 times increase in the proportion of malicious spam sent to Brazil which moved this country up from 15th to fifth place. This was due to the ChePro family banker: over 80% of instances of this malicious program were sent to Brazilian users.
Special features of malicious spam
Cybercriminals often mask spam with malicious attachments in emails from well-known organizations – delivery services, stores, social networks. However, as a rule, all such mass mailings imitate emails regularly received by users (bills, delivery status notifications, etc.). In Q2, we registered a more creative mass mailing supposedly sent by Starbucks coffee house chain that made use of a social engineering technique.
The message claimed that one of the recipient's friends, who requested anonymity, had allegedly made an order at for him at Starbucks. To view the menu, find out the address and the exact time that the order was available, the recipient had to open the attachment, an executable that the cybercriminals hadn't even bothered to mask.
The proportion of spam in email traffic
The percentage of spam in all email traffic during the second quarter the year came to 68.6%, up 2.2 pp from the previous quarter. A peak was reached in April and since then the share of unwanted messages in email traffic has been falling gradually.
Sources of spam by country
Previously our statistical data on the sources of spam by country was based on information received from spam traps in different countries. However, the spam from the traps differs from the spam received by ordinary users. For example, spam targeting specialized companies does not reach the traps. That is why we have changed the data source, and now with KSN (Kaspersky Security Network) we compile statistical reports on spam based on the messages that the users of our products receive worldwide. Since the information for the statistical report in June was received from a different source, comparing the results with the statistics for the previous quarter would be incorrect.
The US tops the rating of the most popular spam sources, accounting for 13.4% of junk mail sent worldwide. This is not surprising since the US is the country with the largest number of Internet users. Even with high user awareness about the dangers of the Internet, not everyone can avoid an infection on their computer, which can result in the machine becoming part of a botnet that spreads spam.
The distribution of other spam sources by country is quite uniform. This makes sense in that botnets are distributed throughout the world, meaning there are infected computers in almost every country.
Russia came second having accounted for 6% of world spam. Vietnam is in third place (5%).
According to our statistics, in many countries a significant amount of incoming junk mail is "domestic spam", i.e. it originates and is addressed to users in one country. In Q2, 18% of spam sent to Russian users originated in Russia. In the US "domestic spam" accounted for 27.2% of the country's junk mail. The same trend can be seen in other large countries from which a significant share of the world spam is sent. In smaller countries, spam mostly comes from abroad.
The size of spam emails
The distribution of spam emails by size was almost identical to that in the previous quarter. Small spam emails weighing in at under 1 KB are by far the most common – they are easier and quicker to send.
In Q2 we registered some decline in the proportion of 2-5 KB emails (-2.7 pp) and a small growth in 5-10 KB emails. This might be due to the increase in the share of image spam: firstly, there were lots of mass mailings of stock market fraud containing pictures (see above) and secondly, Russian-language spam of the "How to lose weight" and "Fake designer goods" categories also included a lot of images.
In Q2 2014, Kaspersky Lab's anti-phishing component registered 60,090,173 detections. Phishers attacked users in Brazil most often: at least once during the quarter the Anti-Phishing component of the system was activated on computers the of 23.2% of Brazilian users.
* The percentage of users on whose computers the Anti-Phishing component was activated, from the total number of all Kaspersky Lab users
Top 10 countries by the percentage of attacked users:
|Country||% of attacked users|
Brazil only entered the Top 10 in 2014. The increase in phisher activity targeting Brazilian users may be down to the World Cup being held in the country.
Targets of attacks by organization
The statistics on phishing targets is based on detections of Kaspersky Lab's anti-phishing component. It is activated every time a user enters a phishing page while information about it is not included in Kaspersky Lab databases. It does not matter how the user enters this page – by clicking the link contained in a phishing email or in the message in a social network or, for example, as a result of malware activity. After the activation of the security system, the user sees a banner in the browser warning about a potential threat.
In our previous reports we referred to the TOP 100 organizations when analyzing the most attractive targets for phishing attacks. In Q2, we analyzed the statistics for all attacked organizations.
During attacks on organizations from the Banks, E-pay systems, and Online stores and e-auctions categories the attackers were interested in users' personal information in order to gain access to their e-accounts. As a result, we have merged these three categories into one - Online finances.
Below is a similar chart for the previous quarter:
As in Q1 2014, in the second quarter the Global Internet portals category tops the rating of organizations most often attacked by phishers: its share dropping by just 1.7 pp. This category incorporates portals that combine many services including search and email services. The data stolen from such portal allows fraudsters to access all their services. Most often the phishers imitate the authorization pages of email services.
* The rating does not show the safety level of phisher targets but reflects the popularity and credibility of the services with users, which affects their attractiveness to phishers
Financial phishing accounted for 24.84% of all attacks, a 1.8 pp growth compared with the previous quarter. The percentage of detections on Banks and Online stores increased by 0.93 and 0.85 pp respectively.
Social networks remained in third.
* The rating does not show the safety level of phisher targets but reflects the popularity and credibility of the services with users, which affects their attractiveness to phishers
In the first quarter, Facebook accounted for 79.5% of the total number of user attempts to click on links leading to fake social networking sites. In Q2, the number of phishing attacks on Facebook users decreased significantly (-23.54 pp) while the percentage of user attempts to visit fake pages on the Russian social networks Odnoklassniki (Classmates) (+18.7 pp) and VKontakte (+10.68 pp) rose sharply.
Top 3 most organizations most frequently targeted by phishers
|Organization||% phishing links|
In Q2 2014, the share of phishing links to the pages of Yahoo! services reached 30.96% of all attacks.
Yahoo! topped the rating of the most popular phisher targets in the first quarter of 2014 with 31.94% of all attacks after a sharp increase in the number of such fraudulent links in early January.
In the second quarter there were no peaks in the detection of phishing links to fake Yahoo! pages
In January of this year in its blog, Yahoo! announced the introduction of HTTPS by default for its email service. This security measure, in addition to protecting the transmitted data can help fight phishers: now, in the event of a phishing attack when the domain name in the address bar remains unchanged (for example, the DNS server is substituted), the absence of a secure connection icon in the address bar should alert the user. However, the absence of a secure connection is just one sign of a phishing page, while its presence does not guarantee the site authenticity.
In Q2, Google (8.68%) became the second most popular phishing target outstripping Facebook. Previously, phishers used to imitate the entry page of the Gmail service while now they have switched to the authentication page common to all Google services. This is a highly attractive target for phishers - "One account. All of Google."
In the second quarter of 2014 we came across a very interesting example demonstrating the appetite of phishers who are obviously not satisfied with just targeting Google:
This phishing page imitating the authentication page for all Google accounts provides the owners of AOL, Hotmail and Yahoo email accounts with the option of choosing passwords.
Last year's leader, Facebook, dropped one place and settled in third in the rating of Anti-Phishing component detections (8.02%). The percentage of phishing attacks targeting users of social networks lags far behind that of the visitors to global Internet portals, but the former is still of interest for phishers on the hunt for users' accounts worldwide.
Hot topics in phishing
The main "seasonal" theme for phishers was the FIFA World Cup.
Fraudsters exploited the football theme until the end of the World Cup. The first football-related mass mailings emerged in early 2014 and then appeared regularly throughout the first half of the year. Typically, the phishers imitated messages from well-known organizations (mainly FIFA) and asked the user to follow a link to a site offering the chance to win a valuable prize. The prize, like the example above, was usually tickets to a World Cup match. The user had to enter his personal information including his credit card details, i.e. information that is especially interesting for the scammers.
Additionally, in Q2 phishers turned their attention to the popular fast-food restaurant McDonald's. In April, the attackers tried to lure card data from Portuguese-speaking users. The fake email informed the recipient of the chance to win 150 euros from McDonald's. To do this, he had to follow the link in the email and participate in the survey. The phishing page which opened once the user clicked the link suggested he answer a few questions and enter his credit card data for the alleged money transfer. This was exactly what the criminals were after – many unsuspecting users send their personal information to third parties without being aware of the fraudsters' plans.
Noticeably, the fraudulent email was written in Portuguese and most likely addressed to residents in Brazil and Portugal while the text of the survey was in English, which is quite typical for this type of "survey".
In the second quarter of 2014 we came across a lot of mailings from various Canadian organizations willing to get users' agreement to receive mass mailings before the new anti-spammer law comes into force there. In a bid to attract new users, the companies sent out the requests to email addresses on lists that included many that were not already among the recipients of their mailings. Nevertheless, the law has begun to yield some favorable results even before it comes into force.
One of the most popular spam themes in Q2 was the stock market spam used in fraudulent "pump and dump" schemes. Interestingly, the distributors of this time-tested theme tried to bypass filtering using some well-known methods – image spam and "white text".
The mobile theme in spam continued with fake notifications sent from iOS-based devices. Most imitations did not take into consideration the details and specifics of this operating system, meaning these mailings were easily detected.
In Q2 2014, Fraud.gen remained the most popular malicious program distributed via mail. This malicious program was designed to steal users' banking data. Second came Brazilian banking Trojan ChePro. Among the most popular malware families were Bublik and Zeus/Zbot. Interestingly, after a long break the TOP 10 welcomed back two exploits, one of which went straight in at third place.
The World Cup theme was actively exploited both for advertising goods and for malicious and phishing spam. The percentage of malicious spam sent to Brazil in Q2 increased 2.5 times compared with the previous quarter (mainly due to the Trojan Banker family ChePro). Brazil also came first in the rating of countries most often attacked by phishers. The Global Internet portals category took the lead among the organizations most frequently targeted in phishing attacks.
According to KSN statistics, the US topped the list of the most popular spam sources by country. Russia was second followed by Vietnam. Interestingly, in many large countries a significant portion of spam received by their users originated from their own territories.