Spam and phishing reports

Spam evolution: April – June 2007

Spammers are continuing to experiment with new ways of delivering graphics files to users. These include PDF attachments which contain spam.

Spam in PDF format and other graphical innovations

Events in the second quarter of 2007 confirmed the previously noted decline in graphical spam (spam in attachments in .gif, .jpeg and other formats).

  • April – 23%
  • May – 19.3%
  • June – 18.8%

Compared to the first quarter of this year, the decline has slowed down somewhat, but the trend is still marked.

The main reason why graphical spam is currently in decline is probably that it has become less effective. Many spam filters already process graphical attachments effectively and are fully capable of blocking graphical spam. Well-known antispam developers announced some time ago their success in developing new technologies that analyze the parts of an email which contain graphics. So antispam software can protect against all types of spam, including graphical spam.

Does this mean that spammers will stop using graphics? No. All it means is that they will find new methods for sending graphical spam in addition to .gif and .jpeg formats. In the second quarter of 2007, spammers tested at least 3 new techniques:

  1. Putting graphical files on free hosting websites (such as imageshack.us, imagenerd.com, imgnation.net, hostpic.biz, imgplace.com, etc.). The text of these spam emails includes a link to an address that hosts an image. When a user opens the email, most popular email clients will automatically download the image from the URL.
  2. Using graphics as a background image. Graphics files are not included in the email, but are instead – again – published on a separate website. The message text only contains a URL inside a ‘body’ tag with the attribute ‘background’. As a result, the image may be automatically downloaded by some mail clients, as well as by the web interface of some mail services.
  3. Spam in PDF attachments. This kind of attachment will not open automatically, nor will it be downloaded automatically. In order to see the spam content, a user has to open the attachment manually.

In the first two cases, spammers make sure the spam image is not visible in the body of the message. Using these approaches ensures there is nothing for spam filters to analyze.

In the third case, the image is attached, but the format of the attachment is such that many filtration systems ignore it. As a result, a full analysis of spam content is not carried out.
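
All three techniques leave recognizable traces in the structure of the message even when the body carries no text to score. The Python code below is an added example, not code from the original report or from any antispam product; it parses a message and flags each technique, and its sample messages, the .example hosts and the finding labels are constructed for illustration.

```python
import email.policy
from html.parser import HTMLParser

class RemoteImageFinder(HTMLParser):
    """Collect image URLs a mail client would fetch from a remote host."""
    def __init__(self):
        super().__init__()
        self.findings, self.text_len = [], 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        for kind, t, attr in (("remote-img", "img", "src"),
                              ("body-background", "body", "background")):
            url = a.get(attr) or ""
            if tag == t and url.lower().startswith(("http://", "https://")):
                self.findings.append((kind, url))

    def handle_data(self, data):
        self.text_len += len(data.strip())

def inspect_message(raw):
    """Return (technique, detail) findings for one raw message."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    findings, visible = [], 0
    for part in msg.walk():
        ctype = part.get_content_type()
        name = (part.get_filename() or "").lower()
        if ctype == "application/pdf" or name.endswith(".pdf"):
            findings.append(("pdf-attachment", name or "(unnamed)"))
        elif ctype == "text/html":
            finder = RemoteImageFinder()
            finder.feed(part.get_content())
            finder.close()
            findings += finder.findings
            visible += finder.text_len
        elif ctype == "text/plain":
            visible += len(part.get_content().strip())
    # Nothing textual for a content filter to score: the case described above.
    if findings and visible == 0:
        findings.append(("no-visible-text", ""))
    return findings

# Constructed sample messages; hosts under .example are placeholders.
HDR = "From: a@mail.example\nSubject: hi\nMIME-Version: 1.0\n"
SAMPLE_BG = HDR + ('Content-Type: text/html\n\n<html><body '
                   'background="http://img-host.example/ad.gif"></body></html>\n')
SAMPLE_PDF = HDR + ('Content-Type: multipart/mixed; boundary="b"\n\n--b\n'
                    'Content-Type: text/plain\n\n\n--b\nContent-Type: application/pdf\n'
                    'Content-Disposition: attachment; filename="report.pdf"\n'
                    'Content-Transfer-Encoding: base64\n\nJVBERi0xLjQK\n--b--\n')
```

A message that combines one of these findings with "no-visible-text" is a candidate for deeper inspection, such as fetching or rendering the image for analysis, rather than for blocking on that signal alone.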

While the first two tactics weren’t very widely used (at least not yet), the use of PDF attachments in spam mailings has already caused problems for many filtration programs. These problems, however, are easy enough to solve. For example, Kaspersky Anti-Spam is capable of combating spam in PDF attachments and of countering new kinds of spam without the need to make changes to the software.

It’s difficult to say just how long-lived the use of spam PDF attachments will be. That depends on how quickly the developers of spam filters respond, and how quickly users learn to delete such messages without opening the attachment. PDF attacks may turn out to be a short-lived phenomenon. At this point there is no reason to believe that PDF spam will replace the more traditional types of graphical spam. Statistics show that in late June, PDF spam represented 2% – 6% of all spam.

Here is one example of PDF spam:

[Screenshot: the spam email; the message is empty and there is no text]
[Screenshot: the contents of the attachment]

Spam by category

In the second quarter of 2007, spam remained constant at 70% – 80% of all mail traffic on the Russian Internet. The quarterly low was 62.9%, recorded on 27th April, and the quarterly high was 86%, recorded on 28th May.

The top five spam categories in the second quarter of 2007 were:

  1. Medications, health related goods and services (20.5%)
  2. Education (12.3%)
  3. Computers and the Internet (9.3%)
  4. Computer fraud (9%)
  5. Travel and tourism (8.1%)

This quarter, the medications, health related goods and services category was in the lead. Its percentage of all spam has risen 6.5% from the first quarter.

In addition to the regular English-language offers for Viagra and antidepressants, spam in this category now also includes some Russian-language offers for health related goods and services, such as eye massagers, self-help materials on how to quit smoking, and gym memberships.

The gradual decline in the share of personal finance spam, which began more or less at the start of 2007, has ultimately led to this category falling out of the top five, and it reached a record low of 2.1% in May. It currently accounts for 4.7% of all spam on the Russian Internet.

Malware and spam: birds of a feather

The aim of spam is often not so much to promote a commodity or service, and not even to commit fraud of one kind or another, but actually to target the user’s machine directly. Spam often carries malicious programs or links to malware. By opening an attachment or clicking on a link, a user risks infecting his computer and transforming his computer into a node in a botnet that can be used to launch DDoS attacks – and more. This is nothing new; the criminalization of spam and its fusion with various kinds of malicious activities was noted long ago.

However, the spam-related events in the second quarter of 2007 gave us food for thought and an opportunity to consider just how far this process has come.

Over a three month period there have been a large number of spam mailings with links allegedly leading to revealing photographs, interesting websites, etc. However, these links actually led to a source that attempted to download Trojans to users’ machines. These spam mailings exploited the basic human desires for freebies and sex. But now spammers have decided to take advantage of yet another weakness: voyeurism – the desire to eavesdrop on others’ lives. In early June 2007, the Russian Internet saw a new spam message offering software allegedly capable of downloading text messages from other people’s cell phones. In truth, the user ended up downloading a remote administration Trojan: Backdoor.Win32.IRCBot.abc. This spam caused some alarm among mobile phone users. Cellular providers were forced to respond to questions from subscribers and explain that actually there aren’t any programs that can intercept text messages or download them from a third party’s SIM card.

A bit later, users on the Western Internet fell victim to a similar spam ploy, but the incentive to click on the link that downloaded the malware was altogether different. The spam was disguised as a notification from Microsoft recommending that the user download the latest security update.

This seems a good time to issue the usual warning: spam is dangerous. Be sure to follow the rules of basic computer hygiene, and don’t open attachments in spam. Don’t forget that neither Microsoft nor Bill Gates, nor any banks or any other large organizations are going to send email about software updates.

Overview

  • Spam reached a quarterly low on the Russian Internet of 62.9% in April 2007.
  • Spam reached a quarterly high on the Russian Internet of 86% on May 28th, 2007.
  • On average, spam accounts for 70% – 80% of all email traffic on the Russian Internet.
  • One-fifth of all spam (20.5%) is made up of advertisements for Viagra and other medications, primarily antidepressants and medications aimed at increasing virility.
