Spam Evolution: November 2008

Spam in mail traffic

Spam on the Russian Internet in November 2008

The closure of US hosting provider McColo, which hosted the command and control centers of a number of large botnets, resulted in a sharp decline in the amount of spam in November. However, the decline was short-lived and within a few days botnet activity had resumed (e.g. spam made up 83.4% of mail traffic on 16 November, close to the maximum figure for the month).

The graph shows several peaks and troughs mid-month following the closure of McColo on 11 November. The first coincided with renewed botnet activity on 15-16 November, when McColo made use of a backup arrangement with the Swedish ISP TeliaSonera AB (as reported by www.theregister.co.uk). Less than two days later TeliaSonera AB cut off McColo's access, and the amount of spam fell again on 17-18 November. A further increase on 25 November can be linked to an attempt by the operators of the Srizbi botnet to move their command and control centers to the Tallinn-based Starline Web Services (as reported by www.pcworld.com).

The closure of McColo had a clear effect on the volume of spam in November. Spam accounted for 73.7% of mail traffic on the Russian Internet in November, compared to 79.9% in October. A monthly low of 50.5% was recorded on 13 November, two days after the hosting provider was shut down.

Spam by category


Top five spam categories in November:

  1. Adult content spam – 24%
  2. Medications, health-related goods and services – 21%
  3. Education – 10%
  4. Travel and tourism – 9%
  5. Fake designer goods – 5%

The amount of Medications, health-related goods and services spam rose significantly from 12.5% in October to 21% in November. The Fake designer goods category replaced Spammer services in fifth place. There were no other changes to the top five categories: Education remained in third place and Travel and tourism in fourth (mainly due to offers relating to the upcoming winter holiday season).

Spammers on politics and the economy

In November, spammers dressed up the promotion of various goods and services as a desire to help users weather the global economic storm.

One mass mailing contained links to a lengthy article on how to avoid losing money during the crisis. The spammers’ aim became clear towards the end of the article which expounded the financial benefits of investing in a building project on the Black Sea coast.

Spammers exploited the US presidential election less than the economic downturn, but some mass mailings did reference it, with the winner's name being used to advertise services. One advert for a seminar in Ukraine proudly announced that "Barack Obama trusts professionals!"

Some English-language mass mailings also offered users the opportunity to purchase coins issued in honor of the new president.

Warning – fake!

The amount of Computer fraud spam rose compared to last month, averaging 3% in November against 2.2% in October.

Scam messages purportedly sent by the popular email service Mail.Ru were among the tricks used. Such messages asked recipients to send an SMS to a premium-rate number, either to claim a lottery win or to prevent their accounts from being hacked.

Users also received messages allegedly sent by the SMSexpress payment system demanding compensation for “breach of contract”.

Sometimes it may not be clear whether an email is genuine or fake. In such cases, do not click on any link in the message: open the company's site by typing its address into the browser yourself, and contact the administrator using the contact details given on the site.

Spammer tricks

In November, spammers used a new technique to disguise contact information: the address of the site being advertised was written out vertically, one character per line. Spammers seemed to think this would make the messages harder to block, but it also meant that recipients had to memorize the address and type it into the browser themselves in order to view the site.

Hello,
Who do you consider to be the embodiment of style? You can be too:
You’ll look 100%, spending less than everybody else
Have a nice day!

Another tactic was the use of HTML tags to mask key words. The names of the goods being advertised were placed in a table, interleaved with random characters in a pale, less legible font. The pale random characters change the text that a spam filter extracts from the message, while recipients can still read the product names clearly.
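Both tricks above only work against a filter that reads the raw text of a message. The following Python is an added illustration, not code from the original report or from any vendor: it approximates what a recipient actually sees, first by joining an address written one character per line back into a single token, then by dropping text that HTML renders pale or tiny before matching keywords. The two sample messages, the placeholder address www.example.com, the product name and the luminance and font-size thresholds are all constructed for this example.

```python
import re
from html.parser import HTMLParser

# --- Trick 1: site address written vertically, one character per line --------

# Constructed sample modelled on the message quoted above; www.example.com is a
# placeholder address, not one observed in real spam.
VERTICAL_MESSAGE = "\n".join([
    "Hello,",
    "Who do you consider to be the embodiment of style? You can be too:",
    *list("www.example.com"),
    "You'll look 100%, spending less than everybody else",
    "Have a nice day!",
])

HOST_RE = re.compile(r"(?:https?://)?www\.[a-z0-9.-]+\.[a-z]{2,}", re.I)


def collapse_vertical(text):
    """Join every run of consecutive lines that carry a single visible character."""
    out, run = [], []
    for line in text.splitlines():
        s = line.strip()
        if len(s) == 1:
            run.append(s)
            continue
        if run:
            out.append("".join(run))
            run = []
        out.append(line)
    if run:
        out.append("".join(run))
    return "\n".join(out)


def find_hosts(text):
    """Hosts a naive URL regex can see in the text."""
    return HOST_RE.findall(text)


# --- Trick 2: product name in a table, interleaved with pale random characters -

# Constructed sample: the reader sees "R O L E X"; the raw text does not contain it.
HTML_MESSAGE = """<html><body>
<p>Replica watches, best prices!</p>
<table><tr>
<td>R</td><td><font color="#ececec" size="1">qz</font></td>
<td>O</td><td><font color="#f2f2f2" size="1">wx</font></td>
<td>L</td><td><font style="color:#efefef;font-size:4px">kk</font></td>
<td>E</td><td><font color="#ededed" size="1">jp</font></td>
<td>X</td>
</tr></table>
</body></html>"""

HEX_RE = re.compile(r"^#([0-9a-f]{2})([0-9a-f]{2})([0-9a-f]{2})$", re.I)
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link"}


def color_of(a):
    if a.get("color"):
        return a["color"]
    m = re.search(r"(?<![-\w])color\s*:\s*(#[0-9a-fA-F]{6})", a.get("style") or "")
    return m.group(1) if m else ""


def is_pale(color):
    """Near-white on a white background is unreadable (threshold is an assumption)."""
    m = HEX_RE.match(color.strip())
    if not m:
        return False
    r, g, b = (int(x, 16) for x in m.groups())
    return 0.299 * r + 0.587 * g + 0.114 * b > 220


def is_tiny(a):
    if (a.get("size") or "").strip() in ("1", "-2", "-3"):
        return True
    m = re.search(r"font-size\s*:\s*(\d+)\s*(px|pt)", a.get("style") or "")
    return bool(m) and int(m.group(1)) <= 6


class NoiseStripper(HTMLParser):
    """Split text into what a reader sees and what is styled to be invisible."""

    def __init__(self):
        super().__init__()
        self.hidden = []      # stack of booleans: True inside a decoy element
        self.visible, self.noise, self.everything = [], [], []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        a = dict(attrs)
        decoy = tag in ("font", "span", "td", "div") and (is_pale(color_of(a)) or is_tiny(a))
        inherited = self.hidden[-1] if self.hidden else False
        self.hidden.append(decoy or inherited)

    def handle_endtag(self, tag):
        if self.hidden:
            self.hidden.pop()

    def handle_data(self, data):
        self.everything.append(data)
        target = self.noise if (self.hidden and self.hidden[-1]) else self.visible
        target.append(data)


def squash(parts):
    return re.sub(r"\s+", "", "".join(parts))


def reader_view(html):
    """(text a recipient sees, decoy text) with whitespace removed for matching."""
    p = NoiseStripper()
    p.feed(html)
    p.close()
    return squash(p.visible), squash(p.noise)


def naive_text(html):
    """What a filter gets if it just strips tags and keeps every character."""
    p = NoiseStripper()
    p.feed(html)
    p.close()
    return squash(p.everything)


def keyword_hits(text, keywords):
    t = text.upper()
    return [k for k in keywords if k.upper() in t]


if __name__ == "__main__":
    print(find_hosts(VERTICAL_MESSAGE), find_hosts(collapse_vertical(VERTICAL_MESSAGE)))
    vis, noise = reader_view(HTML_MESSAGE)
    print(naive_text(HTML_MESSAGE), "|", vis, "|", noise)
    print(keyword_hits(vis, ["rolex", "cialis"]))
```

The point of the two normalisations is the same: match keywords and addresses against the rendered view rather than the raw bytes, so that whitespace and invisible padding stop counting as differences. The luminance and font-size cut-offs are deliberately crude; a real filter would also weight a message higher simply because it contains pale or tiny text at all, since legitimate mail rarely does.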

Conclusion

Autumn has not been easy for the spammers. In addition to the worsening economic situation, November saw the closure of the hosting provider McColo, which was used as the command and control center for a number of botnets. The fact that the share of spam on the Russian Internet fell by more than a third immediately after McColo was shut down (from roughly 80% to a low of 50.5%) suggests that the US provider was widely used by spammers targeting the .ru domain with their mass mailings.

Next month there are likely to be changes in the type of spam being distributed. With the holiday season approaching, adult content messages will probably be displaced by messages advertising party services and fake designer goods.

Recent trends

  1. With the closure of McColo, whose servers hosted the control centers for a number of botnets, the share of spam in mail traffic fell from 79.9% in October to an average of 73.7%.
  2. Malicious files were attached to 2.28% of all emails, 0.2 percentage points more than in October.
  3. Links to phishing sites were found in 0.76% of all emails.
  4. Graphical spam amounted to 9%.
  5. Fraudulent emails rose by 0.8 percentage points to 3%.
  6. Spam offering fake designer goods re-entered the top five leading spam categories.
  7. In order to ensure messages evade spam filters, spammers modified their use of HTML formatting.
