Spam Evolution: March 2008

Spam in mail traffic

Spam in mail traffic averaged 90.7% in March 2008. A low of 83.5% was recorded on 27 March, while a high of 97.8% occurred on 1 March.

Spam with graphical attachments made up almost one third of March’s total. In January the corresponding share was only 14% of spam messages, while the figure for February was 20%. An abrupt rise to 28% in March broke all records for this type of spam.

Spam by category

The leading spam categories in March 2008:

  • Medications, health-related goods and services (24.9%).
  • Education (14.8%).
  • Fake designer watches (9.1%).
  • Travel and tourism (6.6%).
  • Computers and the Internet (5.1%).

Spam on the Internet, March 2008

The Medications, health-related goods and services category shows no sign of moving from its leading position. The continuous flow of English-language messages promoting Viagra has been joined by Russian-language versions advertising other similar drugs for men. The main difference is that Russian-language messages tend to emphasize the Tibetan or Chinese origins of the alleged medicines.

The Education category’s share has risen as the end of the school year approaches. Offers of extra tuition and preparation for school leaving exams have augmented the numerous spam messages for higher education degree certificates. Also, spammers have not forgotten about post-exam graduation parties for all those school leavers and students. Spam which previously targeted corporate event and party organizers is now aimed at final year students, which, combined with an emphasis on the upcoming May holidays, has placed Travel and Tourism firmly in the top five.

A new category was introduced in March following a recent surge in the number of Russian-language spam messages offering fake designer goods, in particular cheap replicas of Swiss watches. Besides replica watches, copies of designer mobile phones were also on offer, with spammers insisting that these inexpensive designer goods were perfect presents that would enhance the lucky owner’s image and prestige.

[Translated from the Russian original]
BEST REPLICA TELEPHONES, WATCHES AND TELEPHONE ACCESSORIES
Vertu – the most luxurious telephone in the world that all lovers of true beauty have been waiting for:
All the latest hi-tech features combined with exquisite finishing
Replicas of Vertu top-of-the-range mobile phones and watches at a fraction of the original cost!
Models
Vertu Signature,
Vertu Mini
Vertu Signature Full Pave
Vertu Constellation and Ascent – new!
Watches: Vacheron Constantin, Patek Philippe, Rado, Omega and lots more.
{tel}
Gift catalogue on our site
{site}

Spammer methods and tricks

In March, spammers regularly included links to Google search results in their messages. This search engine makes it possible to get a link for a specific URL – however, the link is in fact a redirect. When users click on the link they are directed to a site containing spam advertising, even though from a spam filter’s point of view, the link is legitimate. This method is prevalent in both Russian- and English-language spam.

Naked Shakira Clip
Download and Watch
http://www.google.com/pagead/iclk?sa=l&ai=euujxp&num=24252&adurl={site}

In an effort to bypass filtration systems, spammers have modified one of the methods used to create background “noise” in messages. They’ve started putting random selections of letters in the text of a link in off-white. White text on a white background has already been used by spammers, but spam filters have been developed which will detect this trick. Now, the color shade of the selected letters (mostly Latin letters) used to add “noise” to messages is very similar to the color of the background (very light yellows and blues). At the same time, the larger advertising texts are in bold colors so that message recipients can easily read them.

Screenshot caption: An advert offering a range of medical certificates and sick notes that makes use of barely visible off-white text to add “noise” between the main message text.
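
One way a filter can catch this kind of “noise”, as an added example that is not part of the original report: the Python code below separates text whose color is nearly indistinguishable from the background, using the WCAG contrast ratio, from text the recipient can actually read. The 1.5 threshold, the white default background, the function names and the sample markup are assumptions; only `#rrggbb` colors are handled.

```python
import re
from html.parser import HTMLParser

def parse_color(value):
    """Return (r, g, b) for '#rrggbb', else None (named colors are ignored)."""
    m = re.fullmatch(r"#([0-9a-f]{6})", (value or "").strip().lower())
    return tuple(int(m.group(1)[i:i + 2], 16) for i in (0, 2, 4)) if m else None

def contrast(fg, bg):
    """WCAG contrast ratio: 1.0 for identical colors, 21.0 for black on white."""
    def lum(rgb):
        r, g, b = (c / 12.92 if c <= 0.03928 else ((c + 0.055) / 1.055) ** 2.4
                   for c in (v / 255 for v in rgb))
        return 0.2126 * r + 0.7152 * g + 0.0722 * b
    hi, lo = sorted((lum(fg), lum(bg)), reverse=True)
    return (hi + 0.05) / (lo + 0.05)

class NoiseFinder(HTMLParser):
    def __init__(self, bg, threshold):
        super().__init__()
        self.bg, self.threshold = bg, threshold
        self.stack = [("", (0, 0, 0))]   # (tag, inherited text color)
        self.noise, self.visible = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        css = re.search(r"(?<![\w-])color\s*:\s*(#\w+)", a.get("style") or "", re.I)
        fg = parse_color(a.get("color")) or parse_color(css and css.group(1))
        self.stack.append((tag, fg or self.stack[-1][1]))

    def handle_endtag(self, tag):
        open_at = [i for i, (t, _) in enumerate(self.stack) if t == tag]
        if open_at:                      # pop back to the matching open tag
            del self.stack[open_at[-1]:]

    def handle_data(self, data):
        if data.strip():
            low = contrast(self.stack[-1][1], self.bg) < self.threshold
            (self.noise if low else self.visible).append(data.strip())

def split_noise(html, bg=(255, 255, 255), threshold=1.5):  # assumed defaults
    finder = NoiseFinder(bg, threshold)
    finder.feed(html)
    finder.close()
    return finder.noise, finder.visible

# Constructed sample: bold advert lines with pale filler letters in between.
SAMPLE = ('<font color="#cc0000"><b>Sick notes</b></font><font color="#fffff0">qzx kjw</font>'
          '<span style="color:#f0f8ff">tyr bnv</span><font color="#0000cc">Call today</font>')
```

A filter can then score only the visible text, and treat a high share of low-contrast text as a signal in its own right.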

Obfuscating the link in a message is another method used to bypass spam filters. For example, spammers may replace the dots in a site address with the word “dot”. This method is not very effective, however: a spam filter may not detect such a message as spam, but the link will no longer be clickable, and will additionally be difficult to read.

[Translated from the Russian original, in which the links use the Russian word “точка” (“dot”) in place of the dots]
HERE YOU CAN MAKE GUARANTEED, GRADUAL EARNINGS:
Such dynamic growth HAS NEVER BEEN SEEN BEFORE!!!
Join up!!!
You can find more details on my official site
Here -> http://{name}dotucozdotru
the marketing plan for Coopers Corporation can be downloaded here
here -> http:// {name}dotucozdotru/load/0-0-0-3-20
of course, in the browser type . where it says dot
Good luck in everything you do.
If you have any questions or problems, contact me here: ICQ: {number}
Best regards, Maxim

The tricks described above prove that spammers are ready to sacrifice the readability and appearance of a spam message to make sure it reaches the recipient successfully. Such messages are unlikely to be widely read, except by recipients who have an interest in solving puzzles.
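
Both link tricks can be undone before a filter scores a message. The following Python code is an added example, not part of the original report: it restores dots written as “dot” or “точка” and unwraps redirect parameters such as `adurl`, so that the real destination host is evaluated rather than the one shown. The `example.test` hosts, the extra parameter names `url` and `u`, and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# "adurl" comes from the sample link above; "url" and "u" are assumed extras.
REDIRECT_PARAMS = {"adurl", "url", "u"}
DOT_WORDS = r"(?:dot|точка)"

def deobfuscate_dots(text):
    """Restore real dots in links written as 'http://namedotexampledotru'."""
    def fix(m):
        host, sep, path = m.group(2).partition("/")
        if "." in host:          # already a normal hostname, e.g. dotnet.example
            return m.group(0)
        return m.group(1) + re.sub(DOT_WORDS, ".", host, flags=re.I) + sep + path
    pattern = r"(https?://)[ \t]*(\S*" + DOT_WORDS + r"\S*)"
    return re.sub(pattern, fix, text, flags=re.I)

def final_destination(url, max_hops=3):
    """Unwrap redirect parameters offline and return the innermost URL."""
    for _ in range(max_hops):
        target = None
        for key, value in parse_qsl(urlsplit(url).query):
            if key.lower() in REDIRECT_PARAMS and re.match(r"https?://", value, re.I):
                target = value
        if target is None:
            break
        url = target
    return url

def link_hosts(message):
    """Return (visible host, destination host) for every link in a message."""
    pairs = []
    for url in re.findall(r"https?://\S+", deobfuscate_dots(message)):
        dest = final_destination(url)
        pairs.append((urlsplit(url).hostname, urlsplit(dest).hostname))
    return pairs

# Constructed sample modelled on the two messages quoted above; the
# example.test hosts are placeholders, not values from the report.
SAMPLE = (
    "Download and Watch\n"
    "http://www.google.com/pagead/iclk?sa=l&ai=euujxp&num=24252"
    "&adurl=http://clips.example.test/v\n"
    "Here -> http:// promoточкаexampleточкаtest/load/0-0-0-3-20\n"
)

if __name__ == "__main__":
    for visible, real in link_hosts(SAMPLE):
        print(f"{visible} -> {real}")
```

A mismatch between the visible host and the destination host is itself worth scoring, since ordinary correspondence rarely wraps its links in a third-party redirect.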

Criminal spam

Malicious mass mailings

Messages containing malicious attachments or links to infected sites continue to be sent to users’ email accounts. In March, for instance, spammers used messages that imitated personal correspondence to spread malicious programs. Interestingly, these messages were mailed simultaneously in both Russian and English. The messages were designed to make the recipient open attachments, which of course contained a malicious file. To make the messages more realistic, they usually mentioned a visit by a friend, a chance meeting in the street or referred to sending some file or other as had previously been agreed. However, any recipient should be put on guard by messages – even those allegedly from a friend – which are sent from an unknown address.

Will you be online today?
Hi, what’s up? If you have time tomorrow, please come over. After midday. By the way, don’t forget to check the enclosed documents. Bye. See you tomorrow.

[Translated from the Russian original]
Hi!!! How are you?
Hello! I’ll come round to your place tomorrow, ok? What time will you be home? Remember that program you asked for – I’ve attached it to this message. It’s really useful. Try it. Bye…

In March, spammers not only engaged in self-promotion by describing the benefits of spam mailings but also sent messages advertising spamming systems.

[Translated from the Russian original]
Spam system for sale {name}
Perl script.
Script kernel based on the software engine from {name} (latest version)
The system {name} is the leader in its own and higher end categories. Because the script is based on the engine from {name}, it was decided to create a similar design, navigation and management console.
==>ADVANTAGES:
– completely open source code.
– extended options.
– high performance.
– bypasses spam filters.
– works perfectly with millions of templates+macros.
– installation on unlimited number of servers/ftp hosts.
– easy to use.
Open source code means new functions can be added, improved functionality, and fast mailing.
APPROXIMATELY 250 000 MESSAGES CAN BE SENT PER HOUR ON A POWERFUL SERVER.
The system can be used by newbies – no special experience required.
COST OF SPAM SYSTEM: 25$
FREE script installation and configuration on demand!
To make a purchase, contact ICQ: {number}
====> P.S: This message was sent to you using the system {name} <====

In addition to spamming software, there were also offers to teach people how to configure Trojan programs and how to conduct mass mailings.

Negative PR

The advent of spring marked a wave of mass mailings targeting the reputation of well-known companies and sites. The Kommersant publishing house became the first victim of negative (or “black”) PR. The spammers then turned their attention to advertising popular social networking sites in Ukraine. These spam messages used the suggestion of adult content on the sites to tempt users.

Re: I haven’t sent you this
{site} Very young Prostitutions don’t miss!!

Avtogarant insurance company also fell victim to the spammers. The spammers didn’t even bother to alter the text of the mass mailing (http://www.spamtest.ru/news?id=207509084) which had been sent out at the beginning of the year. Recipients of such messages in March were offered insurance with January discounts. This clearly indicates that the spammers were attempting to damage the reputation of the company. It should be noted that although the spammers did not change the text of the messages, they did apply a new method of bypassing spam filters – “noise” was added to the message by means of random off-white text (in the example below it is green, but in the original it was a very pale turquoise).

Spammers with a heart of gold?

In March, one well-known spamming company seems to have decided to improve its image. It started offering help in finding missing relatives or friends by using mass mailings. According to the message, the service is absolutely free.

Screenshot caption: A missing person message providing information about a young lorry driver from St. Petersburg who hasn’t been seen since mid-September 2004. The message gives a contact telephone number for any information concerning the person. At the bottom of the message the company responsible states that millions of users receive their messages and anyone who is searching for a missing relative or friend can make use of their missing person search service for free.

Monthly update

  • The amount of spam in mail traffic rose to 90.7%, a slight increase on February’s figure.
  • 2.32% of all mail traffic was made up of messages which had malicious files attached or which contained links to infected web sites.
  • The amount of spam with graphical attachments made up almost 28% of all spam in March.
  • Spammers used pseudo white text to create background “noise” in messages
  • Messages with malicious attachments imitating personal correspondence were detected in mass mailings.
  • Messages containing offers of fake designer goods (cheap replicas of watches, mobile phones, etc.) were detected in March.
