Spam evolution: April – June 2008

Spam in mail traffic

In the second quarter of 2008, the percentage of spam in mail traffic averaged 82.5%. By comparison, in the first quarter spam accounted for 88% of all emails. A high of 93.9% was recorded on April 9, with a low of 64.2% on May 3.

Spam on the Russian Internet: 2Q 2008

The percentage of spam in mail traffic fell significantly in late April and early May. In mid-June, it grew somewhat but did not reach the level of early April. This may have been a seasonal fall. Several years ago, we recorded spam percentages falling in late spring and regaining lost ground in early autumn. However, this trend last manifested itself in 2005: lately, a plunge in the percentage of spam has only occurred during the New Year holidays. Assuming that what we observed in the second quarter of 2008 were seasonal fluctuations in spam percentages, we can hope to enjoy below-average spam-to-legitimate-mail percentages all summer.

The percentage of phishing emails in the second quarter averaged 1.77%. Malicious attachments and links to malicious websites were present in 0.41% of all email messages.

Spam by category

Spam by category: Q2-2008

Top spam categories for Q2 2008:

  1. Medications and health-related goods and services (22.7%)
  2. Education (14.3%)
  3. Fake designer goods (11.3%)
  4. Travel and tourism (9.6%)
  5. Advertising of spammer services (4.9%)

A long-standing leader among spam categories, Medications and health-related goods and services, has noticeably lost ground compared to the last quarter, plunging by almost 10 percentage points to 22.7%. At the same time, the new category, Fake designer goods, has gained popularity and reached third place among the top five spam categories with 11.3%. There were no similar changes among the other spam categories.

Advertisements for fake designer watches have been common in English-language spam for some time, but they have not been a significant element of Russian spam. The idea of selling cheap imitations, which spammers are careful to call replicas, has been appreciated by Russian entrepreneurs. Since this area of business appeared in Russia, the percentage of replica-related spam has grown to such an extent that we had to introduce the Fake designer goods category in March 2008. It should be noted that Russian spammers have their own peculiar way of attracting customers by offering “a watch like Putin’s” or “a replica of Bill Gates’ telephone”.

Variations of criminal spam

In the second quarter of 2008, the variety of criminal-service advertisements, scam and phishing emails continued to amaze. Examples included offers to teach users how to crack email and ICQ accounts, attempts to fool people into participating in money-laundering schemes and, of course, phishing messages targeting users’ money or personal data. The authors of phishing messages use celebrity names to attract users and find new ways of luring them into parting with their money.

Below is an example of an attempt to steal personal data:

We would like to warn all users once again: if you receive a message in which you are asked, under any pretext, to perform any actions that involve sending your money to anyone, the message is likely to be fraudulent. You should be especially careful if the sender demands an urgent payment and threatens to delete your account or apply other similar sanctions. And do not be so careless as to enter or send your personal data simply because you have received a written request to do so.

Spammers paying more attention to the quality of advertisements

Russian spammers have lately sought to make the advertising they send more varied and attractive. This is especially noticeable in messages that advertise the services of spammers themselves. For example, several spammers from Moscow ran a fairly extensive advertising campaign in June that consisted of messages with text only, spam with data tables and spam messages with high-quality pictures being sent simultaneously. Unlike Russian spammers, their foreign colleagues do not aim to impress their potential clients: advertising of spammer services in English usually takes the form of short text messages with no frills.

In addition to different types of layout, spammers use a variety of tricks, such as making the messages they send look like personal correspondence and exploiting an interest in major events taking place in the world.

Below is one of the more striking examples of how spammers responded to events that were of interest to a large number of users: during Euro 2008, spammers actively exploited football to attract more attention to their advertisements.

Translation: Mass mailings that score every time!

For those who order a mailing before June 26: if Russia beats Spain, you get a mailing free.

To order or inquire about the cost, please call

The desire to make advertising more attractive affects the technical methods used by spammers. One challenge faced by spammers is the need to make each message in a mailing unique in order to improve its chances of evading spam filters. Whereas in the past the need to evade spam filters often resulted in messages becoming virtually unreadable, now spammers try not to spoil the way their advertisements look and, consequently, do not use such traditional tricks as text distortion, using double characters, etc. In a previous report we discussed adding random html tags – an alternative method of creating unique messages without affecting the appearance of the advertisements. But this is not the only method.

To make each message unique without distorting its text, spammers modify the link leading to the site advertised in the message by replacing some of the characters in the link with their Unicode values. Since the characters to be replaced are chosen randomly, each link is unique, while leading to the same page as all other links. Some mail clients display Unicode values as the corresponding characters, so when recipients who use such clients open a message, links in it look like an ordinary name or address from a website.

Link in a message where some symbols in the address have been replaced with their Unicode values: http://%62%65s%74erot%69%63%2enam%65

Site address without character replacement: http://besterotic.name
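On the filtering side, the counter to this trick is to canonicalize every link before matching it against signatures. The sketch below is an added example, not code from the report or from any Kaspersky product: it decodes the %XX escapes (URL percent-encoding) in the host part of each link so that all random variants collapse to one blocklist entry, and it flags escapes in the host as a signal in their own right. The sample body and the names `canonical_host`, `scan` and `BLOCKLIST` are assumptions made for the example.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample body: the first link is the obfuscated form quoted in the
# report; the other two are made up for this example.
SAMPLE_BODY = (
    "Visit http://%62%65s%74erot%69%63%2enam%65 today\n"
    "or http://b%65sterotic.n%61me/?id=7 and http://example.org/a%20b\n"
)
BLOCKLIST = {"besterotic.name"}  # one signature for every variant of the link

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
ESCAPE_RE = re.compile(r"%[0-9a-fA-F]{2}")


def canonical_host(url):
    """Return (host, obfuscated): the host with %XX escapes decoded, and
    whether any escapes were present in the host part at all."""
    raw = urlsplit(url).hostname or ""
    obfuscated = bool(ESCAPE_RE.search(raw))
    # Decode, then lowercase again: %42 decodes to an upper-case 'B'.
    host = unquote(raw).lower().rstrip(".")
    return host, obfuscated


def scan(body, blocklist=BLOCKLIST):
    """Return one finding per link: canonical host, escape flag, blocklist hit."""
    findings = []
    for url in URL_RE.findall(body):
        host, obfuscated = canonical_host(url)
        findings.append({
            "url": url,
            "host": host,
            "escaped_host": obfuscated,  # escapes in a path are normal, in a host they are not
            "blocked": host in blocklist,
        })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_BODY):
        print(finding)
```

Percent-escapes in a path or query string are routine, which is why only the host part feeds the `escaped_host` flag.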

Email spam has gone far beyond email. While in the past such spam was limited to forum notifications with spammer links, nowadays a much broader range of resources is used.

Blogs and free web-based office applications

Today’s large email systems attempt to increase their popularity by offering additional free services for their users, including blogs, web-based office applications, bulletin boards etc. In the second quarter of 2008, spammers began posting their advertisements to the pages of such free services and sending messages that contained only links to such pages. Spammers hoped that spam filters would not block messages containing links to popular resources such as Google docs or blogs.mail.ru.

Spammers concentrated primarily on new services that appeared recently and still had gaps in their security. Such well-known blogs as livejournal or liveinternet were almost completely ignored because it is difficult to register accounts with these resources automatically and spam journals are quickly blocked.

Social networks

Social networks are another popular resource that takes spam beyond email. Spammers post adverts on social networking sites and then send out spam with links to their advertisements.

Another variety of spam has emerged in response to policies established by administrators of some social networks that allow users to increase their ratings or receive bonuses if other people register on the network at their invitation. In such cases, email spam is used to send invitations to as many people as possible. Links in such messages lead to pages where recipients can register on the network as members invited by the person who ordered the spam mailing.

Cybercriminals have also begun to exploit the popularity of social networks by sending messages that imitate notifications from social network administrators. Users are unaware that such messages can be forged and click on links without suspecting a thing. The links in such fake messages can lead to infected websites or to phishing pages where users are asked to enter their personal data. For example, in the second quarter of 2008, a mailing imitating messages from odnoklassniki.ru (a Russian social network that helps people find their classmates) was recorded. Messages included links to sites with almost identical names, e.g., odnoklass.ru and odnoklassniks.ru. When a user clicked on a link, a malicious program, Trojan.Win32.Agent.qxk, would attempt to download and install itself on the user’s computer.
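The near-identical names in this mailing can be caught mechanically by comparing the domain in each link with the domain being protected. The following is an added example, not part of the original report: it flags a link host as a lookalike when its second-level label is within a small edit distance of the real one or is a truncation or extension of it. The threshold of 2, the minimum prefix length of 6 and the "last two labels" shortcut for the registrable domain are assumptions chosen for the illustration.

```python
PROTECTED = "odnoklassniki.ru"  # the genuine domain named in the report


def edit_distance(a, b):
    """Levenshtein distance, computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def registrable(host):
    """Assumption: the registrable domain is the last two labels
    (no public-suffix list, so names such as example.co.uk are out of scope)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(host, protected=PROTECTED):
    """Return 'legitimate', 'lookalike' or 'unrelated' for a link host."""
    domain = registrable(host)
    if domain == protected:
        return "legitimate"
    label, brand = domain.split(".")[0], protected.split(".")[0]
    short, long_ = sorted((label, brand), key=len)
    # A truncated or extended brand name (odnoklass / odnoklassniki).
    truncated = len(short) >= 6 and long_.startswith(short)
    # A one- or two-character typo (odnoklassniks / odnoklassniki).
    if truncated or edit_distance(label, brand) <= 2:
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # The two lookalike hosts are the ones quoted in the report;
    # example.ru is a constructed negative case.
    for h in ("www.odnoklassniki.ru", "odnoklass.ru",
              "odnoklassniks.ru", "example.ru"):
        print(h, classify(h))
```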

The popularity of social networks is also exploited to steal money from users. In one mailing, cybercriminals posed as administrators from a social networking site that was offering users the chance to participate in a prize draw by sending a ‘free’ SMS message to a premium number.

In all likelihood, the number of spam mailings taking advantage of the increasing popularity of such resources will continue to grow.

ICQ spam: email spam categories spreading to instant messaging

It has recently become common for adverts promoting spammer services to include offers to send spam via ICQ in addition to regular email spam. However, ICQ spam remains different both in terms of the system’s technical aspects (users can only send short text messages) and in terms of the spammers’ target audience.

Traditionally, ICQ has not been viewed as a business communication channel. The majority of ICQ users are young people who spend long periods on the Internet. Because of this, ICQ spam is dominated by advertisements for different kinds of entertainment: ‘adult’ spam (25.9%), invitations to visit entertainment sites (18.9%), as well as spam advertising browser-based online games and game servers (8.9%). Overall, this type of ICQ advertising accounts for over 60% of spam messages.

In addition to those listed above, the top five spam categories for the second quarter of 2008 include offers related to making money on the Internet (‘clicks’ on advertising, visiting sites and other online sources of income) and spam messages related to ICQ itself (promotions for ICQ 6.x, offers to buy or sell UINs, etc.).

ICQ spam by category: 2Q2008

The leading email spam categories – ‘medical’ spam and advertisements for various goods and services – are at the bottom of the ICQ spam ranking. At the beginning of 2008, advertising of medications and various goods and services via ICQ was very rare and offers of goods and services were limited to mobile phones and computer-related services. However, in early spring offers of medications and various goods and services began growing in number (offers of mobile and computer-related goods and services are analyzed separately and are not included in this category). In June 2008, these two categories accounted for over 9% of all ICQ spam.

Individual categories in ICQ spam traffic

‘Medical’ spam and advertising of goods and services account for up to 90% of email spam and are the primary source of income for spammers. Judging by the dynamics represented in the diagram, professional spammers specializing in email spam are turning to instant messaging systems and gradually broadening the range of services they offer to their clients. Whether or not ‘serious’ spam takes root in ICQ will depend on how effective the advertisers judge it to be. In any event, in the coming months ‘email’ spammers will continue their experiments in ‘territorial expansion’, and the share of those categories that used to be present only in email spam will grow in ICQ spam.

Conclusion

The results for the second quarter of 2008 suggest that the war on spam is currently in a period of relative calm. Spam filters are coping well with run-of-the-mill junk emails, while spammers are unable to come up with innovative technological solutions capable of breaking through anti-spam defenses and have to be content with the existing levels of effectiveness. This is why players in the market for spammer services have started competing in terms of the quality of advertising rather than the ability to come up with new tricks to evade spam filters.

In addition, spammers continue to develop new channels for distributing adverts. They have used forums for some time now, and social-network spam is no longer a new phenomenon. To these have been added web-based office applications (Google docs) and mail system blogs, where spammers post advertising links which are subsequently included in spam messages. Another area being actively developed is ICQ spam, which is gradually converging with email spam in terms of the subjects advertised.

Spammers are often quick to use new, emerging services. This love of new services is due not only to their popularity among users but also to the fact that they often lack sufficient protection.

Although the situation is relatively stable, spam remains a serious threat, especially to careless users. Fraudsters of all kinds, phishers and virus writers make skillful use of spam to achieve their goals.

With the coming of autumn, we can expect the percentage of spam in email traffic to rise. No doubt, after a brief lull spammers will conduct their technological experiments with renewed energy. We do hope, however, that spam filters will continue to reliably protect users from unwanted advertising.

  • The percentage of spam in email traffic declined compared to the figure for the first quarter of 2008 and averaged 82.5%.
  • In the second quarter, the percentage of phishing emails averaged 1.77%. The percentage of messages containing malicious attachments or links to malicious websites was 0.41%.
  • A new advertising category – fake designer goods – has become prominent in Russian spam.
  • Spammers are working hard to improve the quality of their advertising.
  • Spammers are making use of popular Internet resources to display advertising.
  • Subjects typical of email spam have appeared in ICQ spam.
