Spam Evolution: April 2008

Spam in mail traffic

Spam in mail traffic averaged 86.2% in April 2008. A low of 68.6% was recorded on 28 April, while a high of 93.9% occurred on 9 April. The share of graphical spam declined considerably in April compared to March and was only 13%.

Spam by category

In April the five leading spam categories remained unchanged from the previous month:

  1. Medications, health-related goods and services (16.4%)
  2. Education (15.6%)
  3. Fake designer watches (11.6%)
  4. Travel and tourism (9.8%)
  5. Computers and the Internet (4.3%)

The Medications, health-related goods and services category maintained its leading position. The lion’s share of spam in this category is English-language adverts for Viagra, which is so popular because no prescription is required to buy it (Viagra is classified as a prescription drug in a number of countries). In Russia, however, Viagra is freely available at any drug store, so Russian-language adverts for it are rare.

An interesting new trend in April, therefore, was the appearance of Russian-language spam advertising Viagra. The text of the message was translated from an English-language version. The site mentioned in the advertisement by the spammers included the caveat “Generic viagra for sale here”, which continued: “exact copy of the world’s most famous medication for male erectile dysfunction”. The fact that Russian consumers are only really attracted by low prices meant the mailing was short-lived.

П.робл.е.ма. п.овышения потенци.и вст.ала в посл.еднее время особен.но остро не то..лько д.ля му.жчин .ста.рше 60-ти лет, но и д.ля 40 и 3.0-ле.тних му.жчин. По данн.ым Всемирной Организации Здравоохранения каждый десятый му.жчина ст.арше 2.1 года с.тра.дает по.ниже.нной по.тенцией, а каждый третий мужчина с.тарше 60 лет не спо.собе.н на половой акт.
По.ниженн.ую п.от.енцию. можно. лечи.ть! В этом в.ам поможет всемирно и.звес.тн.ый п.репарат Виагр.а
.В отли.чие от других с.по.собов .леч.ен.ия. эрек.тил.ьной .дис.функц.ии,. котор.ые .пре..ду.см.атривают .проведение уко.лов в .пол.ов.ой чл.ен или другие медицинские про.цед..уры, Виа.г.ра является прост.ым, удобным. и лег.ко .прим.еняемым пр.епар.атом. При. ис.пользовании “Виагры.” Вы .просто принимает.е одну таблетку тогда, к.огда план..ируете сексуальны.й контакт
Пре.им.ущ.ества .В.иагры
– Эффективна у 91.% .мужчин, в отличи.е о.т а.нало.гов, та.ких как Сеалекс,. Им.паза, Вука..-Ву.ка
– Де.йствует в .теч.ении. 6 часов после пр.иема
– Действует на естественные ме.хани.змы возникновения э.рек.ции
– Применяется у м.уж.чин, страдающи.х эректильной дисфу.нкцией ра.зли.чно.го п.роисхожде.ния (сосудистые, не.рвн.ые р.асст.ройс.тва эре.кции) – Пр.ин.имает.ся н.епос.редстве.нно пере.д половым ак.том
– Практически не. им.еет п.обочн.ых эффект.ов
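Приобрести этот пр.епарат .можно зд.есь

The problem of improving potency has recently become especially acute not only for men over 60, but also for men in their 40s and 30s. According to the World Health Organization, one in ten men over the age of 21 suffers from reduced potency, and one in three men over 60 is incapable of sexual intercourse.
Reduced potency can be treated! The world-famous drug Viagra will help you with this.
Unlike other methods of treating erectile dysfunction, which involve injections into the penis or other medical procedures, Viagra is a simple, convenient and easy-to-use drug. When using “Viagra” you simply take one tablet when you are planning sexual contact.
Advantages of Viagra
– Effective in 91% of men, unlike analogues such as Sealex, Impaza, Vuka-Vuka
– Works for 6 hours after it is taken
– Acts on the natural mechanisms by which an erection occurs
– Used in men suffering from erectile dysfunction of various origins (vascular, nervous erection disorders)
– Taken immediately before sexual intercourse
– Has practically no side effects
You can buy this drug here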

A Russian-language advert for Viagra. The body of the text is interspersed with full stops that break up the individual words.

As the school year drew to an end, spammers actively exploited the theme of school-leaving exams and higher education entry exams, keeping the Education category in second place. Another popular theme was the option of avoiding entry exams altogether.

You have a month and a half left to enrol in distance learning WITHOUT the Unified State Exam (EGE)!

According to Russian legislation, the results of school-leaving exams are only valid for a year. Entering a higher educational institution after that period means the exams have to be passed once again. The advert above offers a way of avoiding repeat exams: a certificate with the required pass results can be obtained by simply signing up for a distance-learning course and paying a “fee”. Those interested in the offer are told to hurry and apply before June 10, 2008, and also to tell their friends.

Spam messages offering fake designer goods remained in third place. The sale of replica goods also took on an unexpected “political” slant. In the run-up to the inauguration of Russia’s new president, spam messages started offering “A watch like Putin’s”. A cheap copy of the outgoing president’s chronometer was not the only thing on offer: lots of other goods of a similar “quality” were also available.

Часы как у Путина
Легендарные часы Раtek Рhilippе В.В.Путина!!! Всего за 325 евро (реплика)! Ты хочешь походить на Президента, но не переплачивать 50000 евро?
Это возможно, причем реплики не уступают оригиналам ни по качеству ни по внешнему виду. Сравните сами:
Часы Patek Philippe Perpetual Calendar (часы В.В.Путина)
Страна производитель: оригинал – Швейцария, реплика – Бельгия
Стоимость: оригинал – 53000 евро, реплика – 325 евро.
Механизм: оригинал – Швейцария, реплика – Швейцария.
Срок службы: оригинал – 10 лет, реплика – 6 лет.
Гарантия: оригинал – 24 месяца, реплика – 18 месяцев
Удобство покупки: оригинал – 2 бутика в России, в Москве. Реплика – бесплатная доставка в любой город России (страны СНГ).
Внешнее сходство: реплика на 100% идентична оригиналу!
Ознакомьтесь {LINK}
тел. 8-800-2000-720 (звонок из России – бесплатный)
Кроме того в Интернет магазине {LINK} в продаже ещё более 189 часов
престижнейших мировых марок:
Rado (от 299 евро), Rolex (от 325 евро), Omega (от 242 евро), Vacheron Constantin (до 1749 евро), Breguet (от 449 евро), Cartier (от 229 евро)!
юмфм фдтхю вг фла ц аа дбцяа щгд
эвх дажжд гюбч тцмяг
ыу црфщи жеюпу г шж б рояшь ц
ияфп зш э новкп
сюшшо м бшв р угещь
ьвл тгжну зштив хвцвл
у лош дфвыя прв илл


A watch like Putin’s

The legendary Patek Philippe watch of V.V. Putin!!! For just 325 euros (replica)! You want to look like the President, but don’t want to pay 50000 euros?
Now it’s possible, and the replica is no different from the original in terms of both quality and looks. Compare for yourself:
Patek Philippe Perpetual Calendar watch (the watch of V.V. Putin)
Made in: original – Switzerland, replica – Belgium
Cost: original – 53000 euros, replica – 325 euros.
Mechanism: original – Switzerland, replica – Switzerland.
Service life: original – 10 years, replica – 6 years.
Guarantee: original – 24 months, replica – 18 months.
Convenient purchase: original – 2 boutiques in Moscow, Russia. Replica – free delivery to any town in Russia (CIS).
External appearance: replica is 100% identical to the original!
See here {LINK}
Tel. 8-800-2000-720 (free calls from Russia).
There are also more than 189 watches of famous international brands at the Internet store {LINK}
Rado (from 299 euros), Rolex (from 325 euros), Omega (from 242 euros), Vacheron Constantin (up to 1749 euros), Breguet (from 449 euros), Cartier (from 229 euros)!

SMS fraud

More and more spam with offers to pay for goods and services via SMS messages sent to short numbers is appearing on the Russian Internet. Even if the spam message states that the SMS is free of charge, it doesn’t mean it actually is. There is also no guarantee that the user will get what he wanted and that his money won’t just end up lining the pocket of a cybercriminal.

Spammers continue to use logos to make their messages look more respectable. The message below deliberately promotes a dating service because it entails further communication and new contacts. These types of messages usually include an attractive photo, and only mention further down the page that you have to pay to communicate. The very fact that the service is not free should arouse suspicion.

Вам оставлено сообщение на мобильном портале, пользователем
Для прочтения сообщения, отправьте смс со словом tt456734 на номер 4449
Услуга доступна для жителей РФ и граждан СНГ, стоимость услуги 0.3$ + НДС)
Сообщение отправлено 26.04.2008
Спасибо за то, что Вы являетесь пользователем Mail.Ru.
С уважением, администрация Mail.Ru (1518450363)


You have got a message on the mobile portal from a user

To read the message send an SMS with the text tt456734 to 4449 (the service is available in the Russian Federation and CIS, the charge is $0.3 including VAT)

The message was sent on April 26, 2008

Thank you for using Mail.Ru.

Administration of Mail.Ru (1518450363)

Today, even the financial pyramid schemes that used to offer the opportunity of huge online earnings only send out information after receiving an SMS message. For the cost of an outgoing message (5 rubles, or about 20 cents) the user contributes to a business named MLM. It goes without saying that a spammer who promises the recipient “earnings” with no initial investment can hardly be trusted.

посмотри не пожалеешь

Отправьте на номер 7030 SMS следующего содержания: код+25558
Стоимость отправки сообщения в рублях: 5 В ответ вы получите
ссылку на сайт с заработком,без вложений, и практически без
вашего участия.


This is worth seeing

Send an SMS message to 7030 with the code +25558. An SMS message costs 5 rubles. In return you will get a link to the site containing information on how to get money without any investments and with minimal participation.

Solutions from spammers: protecting against viruses and spam

On the eve of the 30th anniversary marking the first spam message sent via email, users were being offered equipment not only for sending spam but also to protect against it.

Sympathetic-sounding mass mailings with the theme “Tired of spam? Call us!!!” promoted nothing other than anti-spam and antivirus products from the German company Avira. It is unclear whether this was just another case of black PR, or the Russian representatives of Avira using unorthodox methods to advertise the services of Avira’s dealers in Russia.

In April, Russian-language spam promoting antivirus products was added to the usual English-language advertisements for very cheap software. The main difference was that the Russian-language spam was offering the programs for free.

Users should be particularly careful when downloading “antivirus” files from unknown sources, because they may turn out to be malicious programs.

Kaspersky Key 5 6 7 Ключ Касперский 5 6 7

Kaspersky 5 key until 9_03_2010 free

Kaspersky 6 key until 11_03_2010 free

Kaspersky 7 key free

specially for ХХХХХХХХХХХХХХ

at {site}

Kaspersky 5 Key do 9_03_2010 Besplatno

Kaspersky 6 Key do 11_03_2010 Besplatno

Kaspersky 7 Key Besplatno

spetsial’no dlya ХХХХХХХХХХХХХХХ
na {site}

Where spammers previously offered the option of unsubscribing from unsolicited mailings, the latest trick is the option of unsubscribing by phone. This method is hardly likely to eradicate spam, and if anything will ensure it continues: by phoning, a user merely confirms that an email account is active and ensures that the address remains in illegitimate mailing databases.

We help you to launch your business

Legal company “Consultant” offers the following types of legal services:

  1. Registration of LLC, CJSC, OJSC
  2. Registration of individual business
  3. Registration of equity issue
  4. Legal addresses
  5. Registration of non-commercial organizations
  6. Amendments to constitutive documents
  7. Copies of extracts from the Uniform State Register of Enterprises and Organizations
  8. Consultation on stockholder rights
  9. On demand drafts of constitutive documents
  10. Holding of stockholder meetings
  11. Corporate disputes
  12. Major transaction support
  13. Legal entity dissolution
  14. Bookkeeping assistance
  15. Drafting and expertise of all types of civil documents

Special offer: preparation of documents to be presented in internal revenue service – 1500 rub.

Discount for complex order!

Contact information (495) 951-32-05 783-72-66

If you opened this e-mail, you may need legal advice. If you opened this e-mail by chance and you do not need any legal assistance, please, delete this message. You can unsubscribe from mass mailings by calling 951-32-05 and stating your e-mail address.

Spammer methods and tricks

In order to bypass filtration systems, spammers are willing to modify texts to such an extent that they become unreadable. The flow of spam in April was marked by a wave of messages containing heavily disguised telephone numbers. As seen from the example below, the figures are interspersed with letters, which change from message to message. This method did not gain popularity, however, because only those really interested in the topic would be patient enough to work out the exact telephone number. By the end of the month the technique had already disappeared from the flow of spam.

Английский язык.

Уроки с автором методики

Вы сможете даже думать на английском языке (правда, если будете к этому серьезно относиться) Поймете грамматику.
Не думайте, что у вас “тяжелый случай”. Начните заниматься.
Преподаватель может выехать к вам.

Один академический час стоит – 90$ (45 минут) У вас есть возможность
получить бесплатную консультацию.
(495) xxx-xx-xx



Lessons with methodologist

You can even think in English (if you really make an effort) Understand grammar.
No need to think you’re a hopeless case! Start learning.
A teacher can come to you.
One academic hour costs $90 (45 minutes) You can get a free consultation.

(495) xxx-xx-xx

One new method of obfuscating text is to replace random letters in links with special UTF codes. Each letter has a corresponding code made up of a certain set of symbols. When sending messages containing one and the same link, spammers replace different letters with codes in each individual message. Because spam filters work with the original message, they do not recognize the link and, consequently, do not recognize that the messages belong to the same mass mailing. A mail client then converts the codes into the corresponding letters, meaning the user never notices any of the changes made.

How the original message looks

Summer is coming and it will soon be time to head to the beach.

It’s the perfect time to lose those extra kilos.
How are you going to do it?
I, personally, am not going to go on a diet or start exercising.
There is an easier and quicker method for lazy people like you and me.
Check out this site for information and photos

The message that the recipient sees

Summer is coming and it will soon be time to head to the beach.

It’s the perfect time to lose those extra kilos.
How are you going to do it?
I, personally, am not going to go on a diet or start exercising.
There is an easier and quicker method for lazy people like you and me.
Check out this site for information and photos
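The filter-side answer to the link encoding described above is to decode each link the way the mail client does before fingerprinting the message. This is an added example, not part of the original report: it assumes the "UTF codes" are HTML numeric character references, and the `.test` host and sample bodies are constructed.

```python
import hashlib
import html
import re
from urllib.parse import urlsplit, urlunsplit

# href="..." / href='...' values as they appear in the raw HTML part of a message.
HREF_RE = re.compile(r"""href\s*=\s*(["'])(.*?)\1""", re.IGNORECASE | re.DOTALL)
# Numeric character reference, e.g. &#105; or &#x74; (a missing ';' is tolerated).
NCR_RE = re.compile(r"&#(?:[xX][0-9a-fA-F]+|[0-9]+);?")


def canonical_link(raw):
    """Decode character references as a mail client would, then lower-case the host."""
    parts = urlsplit(html.unescape(raw).strip())
    return urlunsplit(parts._replace(netloc=parts.netloc.lower()))


def mailing_fingerprint(raw_body, normalise=True):
    """SHA-256 over the sorted set of links found in one message body."""
    links = {canonical_link(v) if normalise else v
             for _, v in HREF_RE.findall(raw_body)}
    return hashlib.sha256("\n".join(sorted(links)).encode("utf-8")).hexdigest()


def needless_escapes(raw_body):
    """Count references inside links that decode to ASCII letters or digits.

    Such characters never need escaping, so each one is a scoring signal.
    """
    count = 0
    for _, value in HREF_RE.findall(raw_body):
        for ref in NCR_RE.findall(value):
            char = html.unescape(ref)
            if char.isascii() and char.isalnum():
                count += 1
    return count


# Constructed samples: one link, encoded differently in each copy of the mailing.
SAMPLE_A = '<a href="http://sl&#105;m-exa&#109;ple.test/photos">this site</a>'
SAMPLE_B = "<a href='h&#x74;tp://Slim-&#101;xample.te&#115t/photos'>this site</a>"
SAMPLE_PLAIN = '<a href="http://slim-example.test/photos">this site</a>'

if __name__ == "__main__":
    for name, body in (("A", SAMPLE_A), ("B", SAMPLE_B), ("plain", SAMPLE_PLAIN)):
        print(name,
              mailing_fingerprint(body, normalise=False)[:12],  # differs per copy
              mailing_fingerprint(body)[:12],                   # same for all copies
              needless_escapes(body))
```

Fingerprints taken over the raw bodies differ for every copy, while the normalised ones match, so the copies are grouped into one mailing again.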

Russian-language mailings advertising sites in the .tk domain zone, which belongs to Tokelau, have resumed. Spammers use this free registration zone to create a large number of duplicate pages, thus increasing the chances of evading anti-spam systems.

there is no more love for you. It has died, your love. And in its place you have been given
salt trading posts, and along the banks of dark, deep rivers, for the most part

They came from the capitals and other regions to look at our wonders, they wanted and into the black hole looking him straight in the bridge of the nose. The hammer clicked drily, then

Two links that lead to the same Russian-language site selling DVDs of popular films which have been re-dubbed with humorous voiceovers.

April once again saw spammers sending pictures that contained text positioned at various angles (see below), which was meant to prevent such images from being detected.

In a variation of this technique, spammers also sent several mass mailings containing pictures with handwritten text in an attempt to bypass spam detectors.

An image with a handwritten message offering an SMS message service that allows the sender’s number to be masked, making the message look as though it is from another number.

In the first instance it is easy to read the text of the message, though the second picture may pose problems not only for spam filters but also those not used to reading handwriting.


With the approach of the summer holiday season, the amount of spam in mail traffic is declining, and the trend looks set to continue into the summer. However, the fact that spammers are continuing to search for new technologies that bypass anti-spam filters suggests that it will only be a seasonal decline. Moreover, the criminal element in spam is becoming more prevalent, which in turn attracts those who want to profit illegally and further contributes to the criminalization of spam. Unfortunately, it is highly unlikely that spammers will call a “ceasefire” or “capitulate” in the war on spam.

  1. The amount of spam in mail traffic fell compared to March’s figure and averaged 86.2%.
  2. 0.76% of messages contained malicious files and links to infected web sites.
  3. 1.3% of messages contained links to phishing sites.
  4. The amount of spam containing graphical attachments fell considerably compared to March’s figure and accounted for just 13% of spam.
  5. The amount of unsolicited mass mailings containing offers to pay for services via SMS messages increased.
  6. Spammers used special codes to mask messages.
  7. Spam containing links to advertising sites in the .tk domain zone resumed.
