Spam evolution: March 2010

  • The amount of spam in email traffic decreased by 3.2 percentage points compared to February’s figure, averaging 82.9% for March.
  • Links to phishing sites were found in 0.03% of all emails, a decrease of 0.84 percentage points when compared to February.
  • Malicious files were found in 0.5% of all emails, a decrease of 0.68 percentage points compared with the previous month.
  • March saw a considerable increase in the quantity of messages in the Personal Finance category.
  • In order to bypass filtering, spammers continued to use various pictures and colored boxes in HTML tables.

Spam in mail traffic

The amount of spam detected in mail traffic averaged 82.9% in March 2010. A low of 78% was recorded on 5 March with a peak value of 90.1% being reached on 20 March.


Sources of spam

In March, the USA (14.7%) and India (7.3%) maintained their positions as the prime distributors of spam; however, the rest of the Top 5 looks different. Russia jumped from fifth to third place with 6.9% of spam distribution worldwide (+2.3 percentage points), whilst Vietnam and Romania came fourth and fifth respectively having distributed 4.8% of the total quantity of spam each.

Korea, which occupied third place in March, moved five places downward to take up eighth position with 4.1% of the spam distribution total (-3.4 percentage points).

Brazil, which used to be in the Top 3, comes in at ninth for the second month in a row with 3.1% of spam originating from there.

China, which regularly used to make it into the Top 10, is near the bottom of the rating for the second month in a row, accounting for just 1.6% of all the spam distributed.

Ukraine comes sixth having distributed 4.2% of spam worldwide (+1.2 percentage points). In general, the total average of spam distributed from the territory of the former USSR (14.8%) is equal to the quantity of spam originating in the USA.

The UK moved up one place with 0.57% of February’s spam total distributed from there.

Phishing

Links to phishing sites were found in 0.03% of all emails, a decrease of 0.84 percentage points when compared to February.

PayPal and eBay remain the most popular targets for phishers, with 45.4% (-8.6 percentage points) for PayPal and 15.4% (+1.4 percentage points) for eBay. In March, Facebook with 7.7% (+1.6 percentage points) and HSBC with 7.5% (-0.2 percentage points) swapped positions compared with the previous month, taking third and fourth place respectively.

Organizations targeted by phishing attacks in March 2010

Additionally, in March the phishers continued to attack users of the well-known online game World of Warcraft. Their messages are inaccurate copies of genuine notifications from Blizzard Entertainment and contain an account lockout notice and a link.

In the example above the link appears to lead to the World of Warcraft home page, but in fact it redirects a user to http://*******.worldofwarcraft**.com/ where they are required to verify their account. A careful user will give this procedure a miss.

Google comes fifth in the Top 10 of the most popular phishing targets. However, one of its competitors is also in danger – during March Yahoo users found the following messages in their email boxes:

Interestingly, in addition to the standard form which a user is instructed to complete in order to avoid a supposed account lockout within 72 hours, the phishers asked users to enter the code from the above picture into the CAPTCHA form used to prevent automated verification.

The banks did not escape the phishers’ attention during March either. The following bulk mailing targeted users of Bank of America’s online banking system:

Notably, the word “Member” in the heading of the message contains a spelling mistake.

Malware in mail traffic

Malicious files were found in 0.5% of all emails, a decrease of 0.68 percentage points compared with the previous month.

Malware found in spam messages during March 2010

This month’s leader in the malicious programs Top 10 is again Trojan-Spy.HTML.Fraud.gen. This Trojan’s main purpose in life is to collect users’ credentials.

The lion’s share of all the Trojans of this type – nearly half of them – originated from the UK.

Second comes Trojan-Downloader.Win32.FraudLoad.gmx, which when downloaded to a victim’s computer is detected by Kaspersky Lab as Trojan.Win32.Sasfis.ajil.

Three Trojans in the Top 10 represent the Trojan.Win32.Agent family, occupying fourth, seventh and ninth places. A total of 7% of the malicious programs distributed in spam messages during March belonged to this family.

Interestingly, the eighth and tenth positions in the Top 10 were occupied by Trojan.Win32.FraudPack.aolb and Trojan.Win32.FraudPack.apee found in 2% and 1.84% of spam messages respectively. These malicious programs are fake antivirus solutions which try to extort money from users. They also download other malware to users’ computers by imitating the installation of updates.

The NetSky mail worm, which featured in the August, September and December 2009 ratings of the most widespread malware found in spam messages, has entered the Top 10 again, this time as the Email-Worm.Win32.NetSky.q variant, which occupied sixth position in March.

Spammers continue to use bulk mailings sent on behalf of UPS and this type of attack is constantly changing. In March, fake UPS messages contained malicious programs belonging to the Trojan.Win32.FraudPack and Trojan.Win32.Agent families.

The spammers haven’t neglected that other popular trick for malware distribution either – the body of the message contains a password, and the attached archive, according to the fraudsters, includes an extremely important confidential document which, they allege, cannot be sent by any other means. Interestingly, the name of the document in the archive ends with .txt or .doc (see below).

In fact, the archive contains Email-Worm.Win32.Beloy.a, a mail worm added to our antivirus databases in 2007. In March this worm was not very widespread: it was only detected by our mail antivirus programs in Romania and the USA.

Spam by category

The Medications and Health-Related Goods and Services category retained the lead for English-language spam. In March this category’s share averaged 35%, whilst for a time during the third week of that month it even exceeded 40% of the total amount of spam.

As is traditional, spammers promoting Viagra decorated their web pages with all the trimmings normally associated with the forthcoming Easter break.

However, the Easter theme was not only exploited by the distributors of cheap medication. Evidently the same spammers who had offered personal letters from Santa Claus in the run-up to Christmas decided to offer similar letters, but this time from the Easter Bunny! The style of the message and its price strongly suggest that the letters from Santa and the Easter Bunny came from one and the same source.

Generally, the share of the Other Goods and Services category, which includes the above message, decreased considerably (-3.4 percentage points). This is caused by the seasonal nature of such bulk mailings. In December they are dedicated to Christmas, in January and February – to St. Valentine’s Day. However, the spring months are not rich in holidays, leaving the spammers somewhat short on ‘seasonally-themed’ advertising.

During March the amount of messages falling into the Computer Fraud category decreased by 1.4 percentage points when compared to the previous month, although it still remained quite high at around 18%.

Interestingly, March saw considerable growth in bulk mailings belonging to the Personal Finance category. Nearly 7.5% (+5 percentage points) of spam consisted of messages that contained offers to obtain a loan or a credit card or to get a free credit report and score. This trend may reflect the stabilizing economic situation – with people able to access loans again.

Spammer methods and tricks

In March spammers proceeded with their tried-and-trusted methods – various pictures and colored boxes in HTML tables.

In order to advertise Viagra, spammers used pictures containing ‘noise’.

As can be seen, in addition to the picture, the spammers included part of a literary text which also varies in each new message. In our previous reports we have already mentioned that the use of these pictures prevents those ordering the spam mailing from reaching a part of their target audience, i.e. all those who do not want to enter the address manually.

The message below advertising a dating site illustrates one of the most popular spammers’ tricks – colored boxes in HTML tables. Normally they use this method to write the name of the website; however, in this particular example the boxes simply form the text of the message with the link written in the usual manner.
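
A filter can recognise the colored-box trick structurally, because the message is drawn from many painted table cells that contain no text. The following Python code is an added example, not part of the original report or of any Kaspersky product; the thresholds, the `render_boxes` sample generator and both sample bodies are constructed assumptions for illustration.

```python
from html.parser import HTMLParser

class TableCellStats(HTMLParser):
    """Counts table cells and how many are coloured yet contain no visible text."""
    def __init__(self):
        super().__init__()
        self.cells = self.painted_empty = self.text_chars = 0
        self._open_painted = False   # current cell is coloured and still empty
        self._skip = False           # inside <style>/<script>

    def handle_starttag(self, tag, attrs):
        if tag in ("style", "script"):
            self._skip = True
        elif tag in ("td", "th"):
            a = {k: (v or "").lower() for k, v in attrs}
            self.cells += 1
            self._open_painted = bool(a.get("bgcolor")) or "background" in a.get("style", "")
            self.painted_empty += self._open_painted

    def handle_data(self, data):
        text = data.strip()          # also strips &nbsp; (decoded to U+00A0)
        if self._skip or not text:
            return
        self.text_chars += len(text)
        if self._open_painted:       # the coloured cell holds real text after all
            self.painted_empty -= 1
            self._open_painted = False

    def handle_endtag(self, tag):
        if tag in ("style", "script"):
            self._skip = False
        elif tag in ("td", "th"):
            self._open_painted = False

def box_text_score(html, min_painted=20, min_ratio=0.3):
    """Flag bodies where many table cells are painted but empty (illustrative thresholds)."""
    p = TableCellStats()
    p.feed(html)
    p.close()
    ratio = p.painted_empty / p.cells if p.cells else 0.0
    return {"cells": p.cells, "painted_empty": p.painted_empty,
            "suspicious": p.painted_empty >= min_painted and ratio >= min_ratio}

def render_boxes(rows):
    """Constructed sample generator: '#' becomes a painted empty cell."""
    cell = lambda c: '<td bgcolor="#000080" width="6" height="6"></td>' if c == "#" else "<td></td>"
    return "<table>" + "".join("<tr>" + "".join(map(cell, r)) + "</tr>" for r in rows) + "</table>"

# Constructed inputs: a 9x5 bitmap spelling "HI", and an ordinary layout table.
BOX_SPAM = render_boxes(["#...#.###", "#...#..#.", "#####..#.", "#...#..#.", "#...#.###"])
BENIGN = ('<table><tr><td bgcolor="#eeeeee">Monthly newsletter</td></tr>'
          '<tr><td>Hello, here are the updates.</td><td bgcolor="#ffffff">&nbsp;</td></tr></table>')
```

The score is a structural signal only; it is meant to be combined with other checks rather than used as a verdict on its own.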

Conclusion

During March the percentage of phishing messages found in mail traffic decreased considerably. The amount of malicious attachments in mail traffic reverted to January’s level. The quantity of spam in the Computer Fraud category also saw a mild decrease. Therefore it appears that the trend is very slightly towards an overall reduction in the amount of spam demonstrating criminal intent.

In order to bypass filtering, spammers do not often invent new tricks, preferring to use their time-honored methods. This situation will probably remain unchanged for quite some time to come.
