Kaspersky Security Bulletin. Spam Evolution 2011

Kaspersky Anti-Spam protects users all over the world. The Anti-Spam Lab processes more than one million messages captured by our honeypots every day. Content filtering, technical header analysis, unique graphical signatures and cloud technologies are all employed to ensure users are protected, with our analysts creating new signatures 24 hours a day, 7 days a week.


The year in figures

  • The percentage of spam in mail traffic averaged 80.26%.
  • The share of phishing emails decreased by a factor of 15 and averaged 0.02% of all mail traffic.
  • The percentage of emails with malicious attachments grew 1.7 times and averaged 3.8%.

Trends of 2011

Spam is decreasing

The effective anti-botnet campaign of 2010 resulted in a considerable decrease in the percentage of spam in mail traffic. In 2011 the share of spam averaged 80.26%, continuing the downward trend that followed the peak of 2009.

Spam in mail traffic, 2007-2011

As can be seen from the graph, the amount of spam in mail traffic has been decreasing over the last two years. There are several reasons for this. First, law enforcement and the security industry continue to close down botnet command centers: in 2011, Rustock and Hlux/Kelihos were closed. Secondly, spammers are increasingly focusing on targeted mass mailings. For example, the participants in pharmaceutical partner programs distribute their mailings using address databases typically stolen from men’s web resources. The volume of targeted spam mailings is substantially less than that of general mailshots, while the response rate is potentially higher. Thirdly, for several years spammers have been taking regional differences into account when advertising their wares. For example, in the USA and Western European countries the percentage of medical spam and adverts for fake designer goods was noticeably higher than in Russia and the CIS countries, even though there is a huge amount of this sort of spam on the Russian sector of the Internet. In this respect 2011 was a turning point: due to limited resources, members of pharmaceutical partner programs had to exclude RuNet addresses from their databases, reducing the share of partner spam on the Russian segment of the Internet.

Targeted phishing attacks

The year 2011 was marked by the appearance of so-called spear phishing, a more targeted type of spam that sees fraudsters focusing on a pre-selected group of users rather than distributing emails to random addresses.

Spear phishing is not just one specific spammer trick but a whole toolbox of methods which differ in terms of the complexity of their execution and their ultimate goals.

In its simplest form it resembles traditional phishing: an attempt to harvest user credentials and gain access to their accounts. For example, one scheme targets a group of users who are clients of a specific service. These users receive an exact copy of the official notification used by that service, containing a link to a registration page which is also a perfect imitation of the original. It has been claimed that Chinese cybercriminals used this scheme to access the Google accounts of high-ranking US officers. This approach has a much smaller audience than traditional phishing, but is far more targeted.

It should be noted that spear phishing scams are often much more sophisticated. We are used to an impersonal form of address in phishing emails such as “Dear user” or “Dear client”. However, more subtle methods make use of both a person’s name and even the name of the company they work for or are dealing with. Currently, the phishers have few problems obtaining this information – many users of social networking sites do not hide their data. Using such information makes it much easier to trick an unsuspecting user – after all, the phishing email looks just like the original notifications used by the service in question and even contains the user’s name.

Spear phishing is also used by criminals to target big companies, as was the case with RSA, the security division of EMC, attacked in March 2011. Having targeted several groups of the company’s employees, the fraudsters succeeded in getting at least one RSA staff member to open a file entitled “2011 Recruitment plan.xls”. The Microsoft Excel file contained an embedded exploit for a zero-day vulnerability. As a result the phishers gained access to the company’s systems and stole data belonging to RSA.

Spear phishing is a threat because the messages sent in these attacks are few in number and sometimes even unique, so antivirus solutions often fail to detect them as spam. Organizations targeted by these phishers can be protected by DLP (data loss prevention) systems, which prevent data leakage. For individual users the last line of defense on the phishers’ path to their financial, personal or other data is the human factor: cautious and critical users are perfectly capable of recognizing the danger and avoiding the traps set by phishers.

Users should remember that no matter how skillfully the phisher imitates the design of the email and registration form, he still has to use a domain unrelated to the organization which allegedly sent the notification. If you are asked to enter your login details on the website of a bank or any other online service, don’t follow the link in the email to reach the organization’s site; type the address into your browser manually instead. It is also important to remember that online services never ask their clients to send their credentials via email.

We expect to see more and more spear phishing attacks in the near future and recommend that users be on the lookout for them.

The year of malicious spam

Even if there is less spam in general, it seems that what remains is more dangerous than ever. In 2011 the percentage of spam with malicious attachments increased more than one and a half times compared to the previous year and reached 3.8% of all mail traffic. In addition to emails with malicious attachments there were also messages containing links to malicious resources.

The proportion of emails with malicious attachments remained consistently high throughout the year.

Percentage of spam with malicious attachments in 2011

As can be seen from the graph below, the last three years have seen a clear trend in mail traffic: as the proportion of spam decreases, the number of malicious attachments increases.

Percentage of spam containing malicious attachments, 2009-2011

Malicious spam and social engineering techniques

Malicious spam is often distributed using social engineering techniques: the fraudsters must entice a user to open an attachment or click a link. In 2011, cybercriminals were quite inventive and came up with various methods to pursue their goals.

  1. Imitation
    Malicious emails imitated notifications from social networks, delivery services, Federal Tax Services and credit companies.


  2. Intimidation
    Phishing emails were aimed at intimidating users by playing on their fears: they threatened to block their accounts, to infect their computers or to use their accounts for spam distribution, and tricked users into handing over their logins and passwords on phishing sites.


  3. Enticement
    The promise of gifts, free coupons, activation codes for different products and other goodies was enough to persuade some users to open an attachment or click a link.


  4. Other tricks
    More often than not the fraudsters exploited the users’ curiosity or gambled on the recipient’s lack of caution. The attachments imitated a scanned copy of a document, e-tickets, email password recovery instructions, etc. Sometimes a user was asked just to open an attachment.


The story of one mass mailing

In Q4 2011 fake notifications from the National Automated Clearing House Association (NACHA) appeared regularly in users’ inboxes. NACHA is a large not-for-profit association which develops the operating rules and business practices for the Automated Clearing House (ACH) and also manages other issues related to electronic payments. ACH, in turn, operates the world’s biggest network for the electronic movement of money and data.

Fake notifications from NACHA invited users to open an attachment or to follow a link in order to cancel transactions.


It is clear why this approach is used – by sending emails on behalf of a governing body rather than an individual bank, the cybercriminals can reach a wider audience. In fact, very few people know that NACHA does not have the right to control ACH transactions, let alone cancel them.

On clicking the link in the email, users were taken to a web page infected with JavaScript code that redirected visitors to a malicious resource containing exploits. Interestingly, the fraudsters were overcautious: one web page contained four redirects to the same malicious site. The reason is that such redirects were mostly placed on compromised legitimate sites, whose owners might notice the intrusion and delete the script at any time. In addition, the company’s IT security team usually reacted quickly and blacklisted such URLs.


All redirects led to the same malicious resource where the fraudsters had set up one of the most popular and effective exploit kits – BlackHole.

Spammer methods and tricks

Redirects and other links

When launching a mass mailing, spammers always try to hide their client’s contact details – the telephone number, the website, etc.; otherwise, any spam filter can blacklist those details and block every mass mailing in which they appear. In an effort to bypass filtering systems, spammers use a variety of methods: they create background “noise” in messages using extra symbols or image distortion, write numbers in words, add HTML tags invisible to users, place contact information on “noisy” images, etc.

In 2011, the spammers’ favorite trick for hiding a link to advertising or malicious sites was redirection: the email contained a link to a web page which redirected the user to the main site.

URL shortening services

The easiest redirect technique is to use URL shortening services such as tinyurl.com or bit.ly. Their original purpose is to shorten long, unwieldy links. Spammers use such services to make each link unique. These short links can mask both the links to the sites and the links to downloadable images.

This is how the email looks on a user’s computer:


This is the initial code of the HTML part of the email:

Thus the message, which the user sees as images linking to the site, actually contains unique, non-repeating links and random text.

Infected sites

Another redirect technique uses compromised sites where cybercriminals insert iframe or JavaScript code, or use other HTML (or TCP/IP protocol) features, to redirect users to their site. One example of such a redirect was described in the section above, ‘The story of one mass mailing’.
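As an added defender-side example (not code from the report), the following Python script scans an HTML email body or web page for the redirect carriers described in this and the previous section: links to URL shorteners, iframes, meta-refresh tags and inline JavaScript `location` assignments that point away from the site's own domain. The shortener list beyond the two services named above, the sample HTML and the `redirect-target.example` and `shop.example` domains are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SHORTENERS = {"tinyurl.com", "bit.ly"}  # the services named in the report
# window.location = "..." / location.href = "..." assignments in inline script
JS_REDIRECT = re.compile(r"location(?:\.href)?\s*=\s*['\"]([^'\"]+)")

class RedirectFinder(HTMLParser):
    """Collect anchor, iframe and meta-refresh targets; inline script is scanned by regex below."""
    def __init__(self):
        super().__init__()
        self.targets = []   # (kind, url)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # attribute names arrive lower-cased
        if tag == "a" and a.get("href"):
            self.targets.append(("anchor", a["href"]))
        elif tag == "iframe" and a.get("src"):
            self.targets.append(("iframe", a["src"]))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s;]+)", a.get("content", ""), re.I)
            if m:
                self.targets.append(("meta-refresh", m.group(1)))

def suspicious_redirects(html, own_domain):
    """Return (kind, url, reason) for targets using a shortener or leaving own_domain."""
    parser = RedirectFinder()
    parser.feed(html)
    targets = parser.targets + [("js-redirect", u) for u in JS_REDIRECT.findall(html)]
    flagged = []
    for kind, url in targets:
        host = (urlparse(url).hostname or "").lower()   # relative links have no host
        if host in SHORTENERS:
            flagged.append((kind, url, "url-shortener"))
        elif host and host != own_domain and not host.endswith("." + own_domain):
            flagged.append((kind, url, "offsite"))
    return flagged

# Constructed sample: a shortened link, three off-site redirects, one local link.
SAMPLE_HTML = ('<a href="http://bit.ly/abc123">order</a>'
               '<iframe src="http://redirect-target.example/x"></iframe>'
               '<meta http-equiv="refresh" content="0; url=http://redirect-target.example/y">'
               '<script>window.location="http://redirect-target.example/z";</script>'
               '<a href="/login">login</a>')
```

Running `suspicious_redirects(SAMPLE_HTML, "shop.example")` flags the four external carriers and ignores the local `/login` link; a mail or web filter would feed the flagged hosts to its reputation checks rather than blocking on sight.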

SQL injections

This redirect technique is quite new and still not very common. A spam email using this method contained a link which led to a legitimate site vulnerable to SQL injections.


The link contained the SQL request, which in return produced the JavaScript code:
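The report's own link and the code it returned are not reproduced above. As an added illustration (not the report's code), the following Python example uses an in-memory SQLite table to contrast the string-built query that leaves a page open to this kind of injection with its parameterized form; the table, its rows and the `INJECTED_TERM` value are constructed for the example, and the injected text stands in for the script the report describes.

```python
import sqlite3

def make_db():
    """Constructed sample data: a tiny product table in memory."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER, name TEXT)")
    db.executemany("INSERT INTO products VALUES (?, ?)", [(1, "paper"), (2, "ink")])
    return db

def search_vulnerable(db, term):
    """String-built query: the search term becomes part of the SQL text,
    so a crafted value can change what the query returns (and what the
    page then echoes back to the visitor)."""
    sql = "SELECT name FROM products WHERE name = '%s'" % term
    return [row[0] for row in db.execute(sql)]

def search_parameterized(db, term):
    """Bound parameter: the term is only ever compared as data."""
    sql = "SELECT name FROM products WHERE name = ?"
    return [row[0] for row in db.execute(sql, (term,))]

# Hypothetical value that closes the string literal and appends its own row;
# 'injected-text' plays the part of attacker-chosen output.
INJECTED_TERM = "' UNION SELECT 'injected-text' -- "
```

Against the vulnerable function the term yields `['injected-text']`, while the parameterized function treats the same string as an ordinary (non-matching) product name and returns an empty list.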