August in figures
- The percentage of spam in email traffic was down 1.6 percentage points from July and averaged 70.2%.
- The percentage of phishing emails remained unchanged from July and amounted to 0.01%.
- In August, malicious files were found in 3.9% of all emails.
Spam in the spotlight
Late summer is the most dangerous period
Summer spam is usually much more highly criminalized, with a growing proportion of emails advertising illegal goods and spreading malicious code. At the same time spammers are actively offering their services and the services of other representatives of the cybercriminal business. Thus, criminal spam activity reaches its peak in August.
Malicious attachments become more prevalent
The percentage of malicious attachments in mail traffic increased noticeably in July when the share of such messages accounted for 4.5% of all mail traffic. In August, this figure decreased but the amount of malicious attachments is still high – 3.9% of all mail traffic.
In order to spread malicious attachments the fraudsters used a wide range of tricks. Typically there is a small selection of popular, easily spotted tricks. In August, though, their arsenal was more diverse than usual.
Among the novelties is a trick that had been previously used only by phishers: the spammers threaten to block the user’s bank card, tricking people into downloading a malicious attachment which allegedly contains the details.
Mass mailings with notifications of hotel reservations proved to be a seasonal special. This trick first appeared in June, and carried on throughout the summer holiday season. However, in August there was no offer for fake airline e-tickets.
In August, spammers used some fairly “abstract” techniques to arouse users’ curiosity. These include short emails notifying the user of a received document scan or a message inviting users to check transaction details.
Old tricks remain in vogue – malicious e-cards, reports on undelivered postal packages or fake notifications from Google about receiving a CV from the applicant.
With such an abundance of techniques even the criminals themselves got confused: in the image above (bottom right corner) you can see the fake notification from DHL while the From field named Booking.com as a sender. Another email allegedly from Bank of America (left, center) was “sent” by Fedex. Such confusion was common in August’s spam flows.
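The sender/brand mix-ups described above can be turned into a simple mail-filter heuristic. The following is an added example, not part of the original report; the brand list, the accepted domains and the sample messages are constructed for illustration.

```python
from email import message_from_string, policy
from email.utils import parseaddr

# Brand name -> sender domains accepted for it (constructed for this example).
BRANDS = {
    "dhl": {"dhl.com"},
    "fedex": {"fedex.com"},
    "booking.com": {"booking.com"},
    "bank of america": {"bankofamerica.com"},
}

def brands_in(text):
    """Known brand names mentioned anywhere in text (case-insensitive)."""
    low = text.lower()
    return {b for b in BRANDS if b in low}

def domain_matches(domain, brand):
    """True if domain is one of the brand's domains or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in BRANDS[brand])

def check_message(raw):
    """Return findings where the sender identity and the claimed brand disagree."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg["From"] or ""))
    domain = addr.rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("plain",))
    content = f"{msg['Subject'] or ''} {body.get_content() if body else ''}"
    sender = brands_in(display) | {b for b in BRANDS if domain_matches(domain, b)}
    findings = []
    for brand in sorted(brands_in(content) - sender):
        findings.append(f"content names {brand!r}, sender presents as {sorted(sender) or [domain]}")
    for brand in sorted(brands_in(display)):
        if not domain_matches(domain, brand):
            findings.append(f"display name {brand!r} does not match address domain {domain!r}")
    return findings

# Constructed samples modelled on the mix-ups described above.
SAMPLES = {
    "dhl_via_booking": 'From: "Booking.com" <reservations@booking.com>\n'
                       "Subject: DHL Express: delivery failed\n\nSee the attached label.\n",
    "boa_via_fedex": "From: FedEx <notice@mailer.example>\n"
                     "Subject: Bank of America account alert\n\nOpen the attached report.\n",
    "consistent": "From: DHL <noreply@dhl.com>\nSubject: DHL shipment update\n\nOn its way.\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, check_message(raw))
```

An empty result only means the headers agree with the content; the From header is sender-controlled, so this check complements sender authentication and attachment scanning and does not replace them.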
The use of legal services
Spammers have long been using legal Internet services for their fraudulent mailings. This has pros and cons: on the one hand materials posted on legal platforms tend to be investigated and removed quickly. On the other hand, there are many advantages – free legal services are available for everyone including spammers, links to legal resources help to bypass antivirus protection, users have fewer doubts about clicking links which lead to familiar platforms.
In August, we registered more phishing emails in which the main spam content was hosted on google.docs. However this segment of fraudulent emails included an “innovation” – so-called “Nigerian” spammers started distributing their messages using Yahoo calendar.
The email above not only links to a legal service, it was also sent with the help of this service, making the technical header of the spammer message absolutely legal. From the technical point of view, of course, this trick is broadly similar to the mailings launched from open mail services such as mail.google.com or mail.ru.
Cybercriminal offers
In August, spammers distributed emails advertising services offered by the other cybercriminal businesses, in addition to their own self-promotion. One prominent mailing was a scheme to make money by using copied bank cards to steal cash. The fraudsters use third parties to withdraw money from an ATM with the help of fake cards. Interestingly, the nature of the scam is not openly described in the email.
There were also emails offering address databases for use in spam distribution in different countries, including those like Iran where spam is seldom seen. We last saw this type of mailing during the 2008-09 crisis, so it is likely that these offers hint at economic problems for spammers at the moment.
Statistical summary
Sources of spam by country
Below are the Top 20 ratings for the countries that sent most spam to Europe and the US in August.
Top 20 sources of spam sent to European users in August 2012
August saw little change in the sources of spam received by European users. The top seven sources of spam sent to Europe remained the same as in the previous month. China increased its contribution by 6 percentage points, which led to a reduction in the other countries’ shares.
Top 20 sources of spam sent to US users in August 2012
Over 40% of all spam received in the US was again “homemade”. The share of these emails grew by 3 percentage points compared with the previous month.
The list of other sources of spam distributed in the USA also remained unchanged. Almost a quarter of the spam came from Asia and about 10% came from Latin America.
In terms of worldwide spam distribution, China returned to the lead with 31.5% of all distributed spam. It is followed by the USA (15.7%) and India (12.4%).
Malware in mail traffic
In August, malicious files were found in 3.9% of all emails, an increase of 0.5 percentage points compared to the previous month.
Distribution of email antivirus detections by country
Distribution of email antivirus detections by country, August 2012
For the eighth month in a row the US had more email antivirus detections than anywhere else. However in August its share of Kaspersky Mail Antivirus detections decreased by almost 3 percentage points compared to July.
Germany’s contribution remained unchanged from the previous month, placing this country second in the rating again.
Among the most noticeable changes was the increase in the share of Kaspersky Mail Antivirus detections in Australia (+2.8 percentage points) and Vietnam (+2.4 percentage points). These countries came fourth and fifth respectively, overtaking the UK.
The other countries fluctuated within a range of 1.5 percentage points compared to July.
Top 10 malicious programs spread via email in August 2012
The share of rating leader Trojan-Spy.HTML.Fraud.gen was up 50 percentage points compared with July, meaning the amount of malicious emails used to distribute phishing HTML pages or imitating registration forms of well-known banks or e-pay systems increased by half.
Email-Worm.Win32.Bagle.gt came second in August’s rating. This mail worm has the standard functionality but also downloads malicious programs from the Internet. Its less complicated “brothers” which merely harvest email addresses and send copies of themselves to those addresses – Mydoom.m and Mydoom.l – occupied fourth and tenth positions respectively.
July’s newcomers, the Androm program family, were among the most popular malicious programs spread via email in August: five of the Top 10 belonged to this group. Once these malicious programs are installed on a computer, they start downloading other malware from the Internet.
Phishing
The percentage of phishing emails remained unchanged from July and amounted to 0.01%.
Top 100 organizations, by sphere of activity, targeted by phishers in August 2012
(based on anti-phishing component detections*)
*This rating is based on our anti-phishing component detections activated every time a user attempts to click on a phishing link, regardless of whether the link is in a spam email or on a web page.
The rating of the organizations most often attacked by phishers was broadly the same as in July. Social networking sites (+1 percentage point) and financial organizations (+1.5 percentage points) are still especially attractive to the phishers while the share of attacks on online stores and e-auctions fell by more than 1.5 percentage points.
Spam by category
Spam by category in August 2012
As expected, August saw major shifts in European spam traffic. Despite the fact that the Personal Finance category maintains a high share, it decreased significantly compared to the previous month (-21.5 percentage points). To recap, most of the emails belonging to this category included offers of dubious money-making schemes. August saw the start of a recovery in consumer activity which led to the increase in the number of messages offering different products and services. Nevertheless, spam containing job offers will remain popular for a long time to come. Rising unemployment in Europe means there are more potential victims for these mails – something spammers won’t hesitate to exploit.
In August, English-language spam became more diverse compared to the previous month. In addition to the growing share of “pharmaceutical” messages (+9.2 percentage points), spam traffic also contained quite a lot of emails advertising casinos (+3.6 percentage points) as well as adult content spam, which accounted for about 1.5% of all spam traffic.
About 3% of all European spam contained malicious programs and links to infected sites which appeared in the form of notifications from the tax services.
Conclusion
As forecasted, in August cybercriminals were very active in spam distribution. In this regard, September is expected to be calmer. At the same time, signs of a better business environment have led to a decrease in the number of emails offering dubious money-making schemes.
The lack of changes in phishing attacks reflects the fact that August is a transition period for phishers. On the one hand, schoolchildren and students who spend much time surfing the Internet during their holidays ensure phishers remain interested in social networking sites. On the other hand, business activity starts to resume at the end of the month, causing fraudsters to switch their attention to financial organizations.
We forecast a further growth in the share of attacks on the banking sector while social networking sites will be targeted slightly less.
Spam in August 2012