Spam and phishing reports

Spam evolution: January – June 2009

Half-yearly update

  • The economic crisis has not impacted the volume of spam: spam averaged 85.5% of email traffic.
  • Malicious attachments were found in 0.3% of messages.
  • 0.6% of all messages contained links to phishing sites.
  • Asian and Latin American countries became the main sources of spam, with a shift away from Western European countries, the US and Russia.
  • The amount of spam advertising small and medium businesses declined during the reces-sion.
  • Spam advertising spammer services has partly replaced messages containing offers for concrete goods and services.

Spam in mail traffic


Spam in mail traffic, 1H2009

Spam averaged 85.5% of mail traffic over the first half of 2009. The lowest figure was 72.8% on April 26th, while the highest percentage was 93%, recorded on February 22nd. 0.3% of spam messages included malicious attachments.

The financial crisis, which began in autumn last year, has not had an impact on the overall volume of spam in mail traffic: the figures do not differ significantly in comparison with figures for 1H 2008.

Phishing

Phishing-related spam is experiencing an overall decline.


Phishing emails, 1H 2009

Phishing emails accounted for 0.6% of mail traffic in 1H2009. The number of phishing emails has fallen from month to month (with May being the exception). During Q1 2009, phishing emails made up 0.78% of mail traffic, dropping to 0.49% in Q2 2009.

Anti-phishing systems now offer users better protection than ever against this type of fraud. Consequently, cybercriminals now find phishing a less profitable and less attractive tactic.

The main targets of phishing attacks


Organizations targeted by phishing attacks, 1H 2009

The primary target of phishers is still PayPal, with eBay ranking second among the most popular targets. Over 60% of phishing emails imitate messages from these two organizations. PayPal, eBay, and major banks have been active in providing users with information about the dangers of phishing. As a result, users of such systems have become more cautious, and the phishing attacks targeting them have become less effective. Meanwhile, phishing attacks which target less commonly-used services have not been particularly lucrative. These factors may be contributing to the gradual decline in phishing spam.

Sources of spam on the Russian Internet: regrouping from the West to the East

Countries

The top ten countries which are major sources of spam have changed considerably over the past six months. Less and less spam is coming from Spain and Italy, which previously took 3rd and 4th places, respectively. These countries are no longer in the top ten, with Germany and Ukraine also departing from the ranking. More spam now originates in India, Thailand, Romania, and Poland, all of which are now included in the top ten.


Top ten sources of spam (2H 2008; 1H 2009)

Russia and the US are still the leading sources of spam, but in 2H 2009, they may be dis-placed as the amount of spam sent from these countries is falling. In the second six months of 2008, 22% of all spam was sent from Russia in 2H 2008, but only 11% was sent in 1H 2009. The figures for the US also fell from 16% to 10%.

By June, only 8% of spam was being sent from Russia. Although the fight against spam in Russia has been successful, there has not been an ultimate victory, and it’s likely that spam sent from Russia will account for a stable 8 -10% of all spam.

India has seen a boom in spam mailings. In 2008, this country was the source of 2% of less of all spam, jumping to 4% in Q1 2009. In June, India was responsible for a record 10% of spam on the Russian Internet, and an average of 7% over 1H 2009. The spammers’ focus on India may be due to a range of factors: on one hand, as a developing economy, the country is beginning to enjoy the latest Internet technologies, including widespread Internet access. On the other hand, Indian users are poorly protected, resulting in mass malware infections designed to create botnets for sending spam.

The amount of spam originating from Turkey has also increased: in 2H 2008, spam from Turkey represented just 3% of all spam, but during 1H 2009, this figure more than doubled to 6.6% of all spam.

The list of European countries which are the top sources of spam has also changed. In 2008, the top three sources of spam in Europe were Spain, Italy, and Ukraine. This list is now headed by Poland, Romania and Italy.

Table 1. Top ten European sources of spam

Poland 4,30% 2,30%
Romania 3,00% 2,00%
Italy 2,60% -2,40%
Ukraine 2,00% -1,00%
Spain 1,90% -3,30%
Germany 1,90% -1,30%
Great Britain 1,60% -0,40%
Czech Republic 1,10% 0,70%
France 1,00% -1,60%
Hungary 0,90% 0,50%

 

In general, the amount of spam coming from Western European countries has decreased no-ticeably, while the amount of spam sent from Eastern European countries has increased.

Regions

In terms of the top regional sources of spam, there has been a general transition from West to East. Nearly twice as much spam is now being sent from Asian countries, with an increase of 18% in 2H 2008 to 35% during 1H 2009. There has also been an increase in spam from Latin American and Eastern European countries (excluding Russia). Over the same period the amount of spam sent from Western European countries, compared to 2H 2008, decreased by almost half. In the second half of 2008, Roughly 20% of all spam was sent from Western European countries in 2H 2008, with just 12% in 1H 2009.


Sources of spam: 2H 2008, 1H 2009

This transition from the West to the East results from a number of factors: on one hand, the US and Western European countries have become more proactive in fighting spam. These coun-tries have closed down spammer hosting sites, improved relevant legislation, and some spammers have even been held liable for their actions. This makes sending spam from Western Europe and the US a risky business for spammers. Meanwhile, Asia and Latin America — and Eastern Eu-ropean countries, to some extent (excluding Russia) — are becoming more attractive to spammers; the number of Internet users in these locations is beginning to increase significantly and Internet access is becoming more prevalent. Furthermore, Internet users in these countries tend to be less well protected against malicious programs and less aware of cyber threats.

Essentially, the main sources of spam have more or less transitioned from Western European countries, the US, and Russia to Asia and Latin America. This is probably good news for end-users, i.e. those who do not have any partners in these regions can simply choose not to open messages originating from Latin American or Asian countries. For these people, simple modifi-cations to spam filter configuration could cut the amount of incoming spam by half.

Spam by category


Spam on the Russian Internet by category

Most common spam categories, 1H 2009

  1. Medications and health-related goods and services – 22.1% (+2.4%)
  2. E-advertising services – 16.6% (+10.9%)
  3. Adult content spam – 11% (-8.8%)
  4. Education – 10.4% (+0.8%)
  5. Fake luxury goods – 7.4% (+1.2%).

For the fourth year in a row, the most common type of spam is still Medications and health-related goods and services. Most messages in this category advertise medications such as Viagra and Cialis, as well as diet pills and supplements.

The second place is taken by E-advertising services, replacing the usual leading categories. This category was in seventh place in 2008.

Adult content spam is still in third place, in spite of a considerable decrease in the number of such messages. Compared to last year, the figure almost halved. This is probably due to the fact that most of this type of spam consists of emails designed to lure users to fraudulent websites, where attempts are then made to get money by persuading the visitors to send SMS messages to short, premium pay numbers. This type of trick works well until it is uncovered; consequently, the life span of such scams is limited and the amount of Adult content spam is now on the de-cline.

The economic crisis and its impact on spam

While the primary categories of spam remain unaffected, the economic crisis has affected the distribution of spam categories.

Categories on the rise

First and foremost, the crisis has led to an increase in spammers advertising their own ser-vices. It would appear that the crisis has caused spammers to lose some of their regular clients and have directed their newly available resources at advertising their own services in hopes of finding new clients.


Spam advertising spammer services, 1H 2008/1H 2009

During 1H 2008, before the economic crisis began to affect Russia, e-advertising spam made up approximately 4.3% of all spam. During 1H 2009, this figure skyrocketed to 16.6%.

The amount of Real estate spam has also increased notably in comparison to last year. For the most part, this type of spam advertises rental properties. In April, such offers accounted for 69% of all spam in the Real estate category.


Real estate spam, 1H 2008/ 1H 2009

Having lost tenants due to the recession, landlords have actively been advertising their va-cant properties. Some reputable real estate firms may now be using spam as a relatively inexpen-sive means of advertising their services.

Categories on the decline

Small and mid-sized businesses (a subgroup which falls into the Other goods and services category) appear to have cut spending on spam advertising


Other goods and services spam, 1H 2008/ 1H 2009

On average, the volume of spam in this category fell 4% compared to the same period in 2008.

Prior to the economic crisis, there were a reasonable number of clients ordering travel and tourism spam mailings. Spam in this category account for 8% of all spam in 2008. During 1H 2009, the amount of spam in this category halved, and now represents just 4%. This drop is clearly related to the global crisis. Many people’s financial situation is now worse than in 2008, and they have found themselves cutting spending on travel and vacations.

The Travel and tourism spam category is always susceptible to seasonal changes; however, given the economic background, these were less marked this year.


Travel and tourism spam, 1H 2008/ 1H 2009

Education spam dropped by approximately 25% in the first five months of 2009. In June, however, this type of spam returned to pre-crisis levels due to exams at schools and universi-ties.


Education spam, 1H 2008/ 1H 2009

The economic crisis has clearly had an impact on spam advertising goods and services of-fered by legitimate businesses. This category represents roughly 35% of all spam. In comparison, in 1H 2008 (i.e. before the recession hit), this type of spam accounted for approximately 45% of all spam. Despite the increasing amount of real estate spam, overall the amount of spam advertis-ing goods and services from legitimate businesses has fallen by nearly one-fourth.

Economic conditions have affected the remaining 65% of spam, which includes advertising of grey market goods and services and, to a lesser extent, fraudulent spam. The reasons are clear: firstly, anonymity makes it less risky for cybercriminals to find clients using spam than by other means, and they are unlikely to be bothered by moral concerns. Secondly, some types of fraud (such as phishing) simply could not exist without spam, since spam is an integral component of these schemes. Finally, many cybercriminal groupings have their own botnets and therefore the capability to conduct mass mailings at minimal cost.

Size and type of spam emails


Distribution of spam emails by size

Most spam messages are still 10 kb or less in size. The amount of the smallest spam emails (up to 5 kb) has increased: in 1H 2009, messages of this size represented 58% of all spam, up from 46% in 2006. The overwhelming majority of such emails provide links to websites. The text of the emails and the sites they link to can differ from message to message, even if the messages are all sent in the same spam mailing. Advertising sites are either located on cheap domains (such as .cn), or domains which use free hosting services. Spammers use such tactics in an attempt to by-pass spam filters.

As before, most spam emails (45%) are sent in plain text format.


Distribution of spam emails by type

Graphical spam

Spam containing images now makes up nearly 15% of spam. This is due to the upswing in spammers advertising their own services; most such advertisements are sent in image form. Spammers are striving to achieve two things: to evade spam filters, and make their advertising attractive. It should be emphasized that not only programmers, but also professional designers and marketing experts work on spam mailings.

Images often offer the (fake) opportunity to unsubscribe from mailing lists.


Extract from a spam message

Most emails containing images also contain text. In some cases, the advertising message and contact information are part of the image, and the text is included merely to create “noise” in or-der to increase the chances of evading spam filters. In other cases, the text in the message con-tains contact information (usually a link to a website) and the image is used to draw the reader’s attention and relay the spammer’s own advertising message.

Conclusion

The countries which act as the main sources of spam are now located in the East rather than the West. Countries in Asia and Latin America, as well as countries in Eastern Europe (excluding Russia), are becoming more attractive to spammers since users in these countries are poorly pro-tected against cyber threats.

It is difficult to say just how long this trend will continue. However, it can be assumed that as users in Eastern countries become more aware of security issues, the distribution of infected machines sending spam will level out. Given that computer technologies (thanks to the openness and accessibility of information) are evolving faster than the economy (due to greater transpa-rency and access to information) it is likely that the playing field will level out even before de-veloping regions become highly developed.

In spite of predictions to the contrary, the share of phishing emails has declined. Some may remember that in light of the crisis, these fraudulent emails were expected to increase; as a rule, phishers attempt to use negative situation to frighten users and persuade them into providing per-sonal information. However, it seems that the anti-phishing measures that have been taken by major payment systems and banks and increased awareness of cyber threats have begun to the Internet scammers.

Although the crisis has not affected the overall amount of spam in mail traffic, it has had a considerable impact on the distribution of spam by category. This primarily affects spam adver-tising spammer services, which now makes up a record 16.6% of all spam. Meanwhile, the total amount of spam offering goods and services in the real sector has dropped 10%. The 2008 annual spam report noted that this type of spam acts as an indicator of the ecomonic health of small and medium-size businesses during financially difficult times. And in fact, compared to the same period in 2008, spam mailings contained fewer offers from tourism and educational companies and advertisements for various goods and services. (However, the percentages of these spam cat-egories increased slightly in June). Only time will tell how long these trends will last.

Spam evolution: January – June 2009

Your email address will not be published. Required fields are marked *

 

Reports

APT trends report Q3 2024

The report features the most significant developments relating to APT groups in Q3 2024, including hacktivist activity, new APT tools and campaigns.

BlindEagle flying high in Latin America

Kaspersky shares insights into the activity and TTPs of the BlindEagle APT, which targets organizations and individuals in Colombia, Ecuador, Chile, Panama and other Latin American countries.

Subscribe to our weekly e-mails

The hottest research right in your inbox