Spam Evolution: September 2008

Spam in mail traffic

The amount of spam in mail traffic increased by 1.9% compared to August’s figure and averaged 82.2%. A low of 71.6% was recorded on 15 September, while there was a high of 95% on 13 September. The share of graphical spam once again remained unchanged, accounting for 9% of all spam.

Percentage of spam in September 2008

Malicious messages and phishing

Malicious files were attached to 1.09% of all email messages, 0.39% more than August’s figure.

Links to phishing sites were present in 0.62% of messages. Several limited attacks by the RockPhish group were detected in September. In most cases about 100-300 fake URLs were used.

The majority of phishing attacks targeted PayPal (36%) and eBay (18%).

 
Organizations targeted by phishing attacks

Russian phishers continued to attack users of the popular Russian email services Mail.ru and Rambler and the Yandex.Money e-payement system.

Spam by category

 
Breakdown of spam categories on the Russian internet in September 2008

In September, the top five categories were Adult content spam (28%), Medications, health-related goods and services (19%), Education (12%), Fake designer goods (6%), Travel and tourism (6%)

The Adult content spam category took first place from the Medications, health-related goods and services category, the first time there has been a change at the top since April 2007. The upturn in fortunes of the adult content category and its impressive 9% lead was mostly due to Russian-language spammers advertising pornographic websites. The mailing of pornographic spam has recently become so aggressive that it may account for more than half of all emails sent to the addresses listed in spammers’ databases.

Spam is still being used for negative PR. Earlier, the use of spam as a negative PR tool was limited mainly to election campaigns. Now, however, those initiating such mailings are distributing information designed to discredit certain companies or businessmen, by warning the user of their supposed unreliability. These types of messages started to appear in the middle of the summer and show no sign of letting up. It reminds us once again that by trusting the information contained in unsolicited messages from unknown senders, the recipient is allowing complete strangers to influence his own opinion.

Spammer methods and tricks

Spammers didn’t make any real new technical innovations in September. HTML tags and “invisible” text (white letters on a white background) were used to “hide” adverts from context filters, while the site addresses in messages advertising adult content were “drawn” using various symbols with a certain amount of spaces and paragraphs between them.

Even if spam messages reach users’ mail boxes, in most cases the messages are deleted by the recipients. Spammers, therefore, use social engineering to ensure that recipients notice their emails and believe the message content.

Social engineering is used extensively by spammers when spreading malicious programs. One mass mailing offered users the chance to download a new antivirus solution; the message was allegedly sent to 100 “lucky” addresses which had been chosen at random. The message also recommended that any antivirus protection installed on the user’s machine should be disabled before downloading the new program. When a user tried to download Antivirus Raptor, Trojan-PSW.Win32.LdPinch was downloaded instead.

In another email, supposedly sent by a former student missing his classmates, the recipient was asked to look through the list of graduates attached to the message. Instead of a list of ex-students, however, the attachment contained a malicious program: Trojan-Dropper.MSWord.1Table.gm.

Emails imitating legitimate messages from popular Internet resources became a common feature of spam mailings in September. Russian spammers spreading malicious programs already have experience of sending out emails that appear to be messages from social networks. In September, spammers started sending out emails that imitated messages from non-Russian resources of this type. Recipients were asked to visit the site of a school friend which actually turned out to be the spammer’s webpage.

The majority of these fake messages were mailed during phishing attacks that targeted the users of popular Russian online services. This approach was not limited to phishing attacks, however; it was also employed by fraudsters attempting to extort money from users by getting them to send SMS messages to short numbers.

In some cases, spammers resorted to masking their messages to make them look like automatically generated replies from email robots. Below is an example of this type of message which combines expressions from a standard automatic reply with advertising jargon.

Spammers are skilled in the use of social engineering methods, which increases the threat posed by spam. That is why, before responding to offers made by spammers, users should first think about the possible consequences of doing so.

Summary: recent trends

1. The amount of spam in mail traffic increased by 1.9% compared to August’s figure and averaged 82.2%.
2. 1.09% of email messages contained malicious files. Links to phishing sites were included in 0.62% of all emails.
3. For the first time since April 2007 there was a change in the leading spam categories, with Adult content spam heading the list of categories with 28%.
4. There was an increase in mass mailings imitating system administration messages from popular resources.
5. Spammers sent out spam disguised as auto-reply messages.
6. HTML tags were used to bypass spam filters.