Spam in July 2012

July in figures

• The percentage of spam in email traffic was down 0.1 percentage points from June and averaged 71.8%.
• The percentage of phishing emails remained unchanged from June and amounted to 0.01%.
• In July, malicious files were found in 4.4% of all emails, a 50% increase compared to the previous month.

Spam in the spotlight

Dangerous coupons

Coupon services, online projects that offer users collective discounts, are popular all over the world. The main trends in spam-related coupon services have already been outlined in our spam report for Q2 2012.

A malicious mailing in July raised the issue of coupon spam once again. A message imitating a notification about a new Groupon promo action included a zip archive that contained the file Gift coupon.exe. The file was in fact the malicious program Trojan.Win32.Yakes.aigd.

Interestingly, all the links in the emails containing the malicious attachments led to the Groupon site where there were no dangerous objects. This was obviously a deliberate ploy to arouse as little suspicion as possible among users.

We have already written about the coupon theme being used by spammers to attract users to their more traditional adverts for Viagra or fake designer goods. There is also such a thing as coupon spam distributed by small coupon services: in order to increase their customer base they send offers to users who are not subscribed to their mailings. The appearance of malicious spam exploiting the coupon theme was inevitable given the popularity of the services with users.

Crisis spam

In mid-summer the number of emails exploiting the economic crisis grew noticeably. The majority of offers currently touching on this subject are adverts for seminars on coping with the crisis.

Spam traffic also included lots of emails offering goods at “anti-crisis” prices. This approach is used most often to promote fake designer goods.

Spanish spam also saw the appearance of messages promoting investments in real estate as a way of safeguarding money from the vagaries of the economic downturn.

Scammers continued to exploit the difficult financial situation. English-language spam now contains an unprecedented amount of dubious money-making schemes, while offers of quick loans were made in all the major European languages in July. These kinds of messages will only increase in the coming months because of the growing level of unemployment across Europe.

The Olympics

Spam exploiting the Olympic Games in London was present in the mail traffic for several months in a row. The majority of spam mailings exploited the Olympic theme with fake notifications announcing big money wins in lotteries allegedly held by the Olympics Foundation. The aim of scams like these is to entice the user into paying a so-called commission or taxes on the non-existent winnings.

Another type of Olympic spam was that of ticket offers. Most of these messages were sent by fraudsters with the intention of targeting the users’ financial data. In some cases the tickets were genuine but sold at a much higher price than the face value.

Ramadan

In the second half of July the Muslim world began observing the holy month of Ramadan. This usually coincides with a multitude of related links flooding email traffic. Muslim restaurants were responsible for spreading most of the adverts this year, inviting customers to visit them after evening prayers. We also recorded emails offering various Muslim goods including a “mobile Koran” for believers who always want to have the holy scripture to hand.

Statistical summary

Sources of spam by country

Below are the Top 20 ratings for the countries that sent most spam to Europe and the US in July.

Top 20 sources of spam sent to European users in July 2012

In July, the top four leading sources of spam sent to Europe remained unchanged. China remained in first place despite its share falling by 4.4 percentage points. India, in second place, accounted for 14% of all spam received by European users. It was followed by the US which contributed 6.5% of all junk email received in Europe. The amount of spam originating from Brazil did not change compared to June, with just under 5% of spam sent to Europe coming from the South American country.

62% of all the spam distributed in Europe still comes from Asia.

Top 20 sources of spam sent to US users in July 2012

Over 40% of all spam received in the US was “made in the US”. The share of such emails grew by 2 percentage points compared with the previous month.

Almost a quarter of the spam distributed on US territory came from Asia and every tenth unsolicited email came from Latin America. It comes as no surprise then that the top four sources of spam targeting users in the US included the host nation itself, China (7.9%), Brazil (5.7%) and India (4%).

Malware in mail traffic

In July, malicious files were found in 4.4% of all emails, an increase of 1.4 percentage points compared to the previous month.

Distribution of email antivirus detections by country

Distribution of email antivirus detections by country, July 2012

In July, the US topped the rating of email antivirus detections again. Its share of Kaspersky Mail Antivirus detections decreased by 0.75 percentage points compared to June.

For the third month in a row Germany came second in this rating (+0.7 percentage points). It is followed by the UK with an increase of 0.3 percentage points.

The most noticeable change was Italy’s drop from seventh to tenth place: the share of Kaspersky Mail Antivirus detections there decreased by 1.4 percentage points.

The other countries fluctuated within a range of 1 percentage point compared to June.

Top 10 malicious programs spread via email in July 2012

Top 10 malicious programs spread via email in July 2012

The share of rating leader Trojan-Spy.HTML.Fraud.gen was down 1.7 percentage points compared with June, meaning there was a slight fall in the amount of malicious emails used to distribute phishing HTML pages or imitating registration forms of well-known banks or e-pay systems.

Trojan.JS.Iframe.aaz came second in the rating. This Trojan is particularly dangerous in that it infects the computer as soon as the spam message is opened. The program is a script that executes itself directly from the email if it is opened in HTML format. We strongly recommend users curb their curiosity and not open spam messages.

Packed.Win32.Katusha.o, which occupied second place in June’s rating, was less popular with the spammers in July with half as many of detections as in the previous month. To recap, the packers of this family are used to pack other malicious programs (mostly rogue AV) in order to bypass antivirus detection.

Mail worms are still represented in the rating. However, in July only three of them were included in the Top 10 – Mydoom.m, NetSky.q and Bagle.gt. The first two mail worms have only two functions – to harvest email addresses and send copies of themselves to those addresses. Bagle.gt, a similar program that is a long-term resident in this rating, in addition to the usual functionality downloads malicious programs from the Internet.

Two newcomers in last month’s Top 10 belonging to the Trojan.Win32.Androm family remained in the rating of the most popular malicious programs spread via email in July. Once these malicious programs are installed on a computer, they start downloading other malware from the Internet.

Phishing

The percentage of phishing emails remained unchanged from June and amounted to 0.01%.

Top 100 organizations, by sphere of activity, targeted by phishers in July 2012
(based on anti-phishing component detections*)

*This rating is based on our anti-phishing component detections activated every time a user attempts to click on a phishing link, regardless of whether the link is in a spam email or on a web page.

The share of attacks on social networking sites continues to increase accompanied by a decrease in the intensity of attacks on financial organizations. In July 25.8% of all registered phishing attacks targeted social networking sites and only 22% were aimed at financial organizations. At the same time the percentage of phishing attacks on online stores dropped by 1 percentage point and accounted for 18.4%.

Facebook remains the main focus of the phishers, becoming a distinctive feature of the Social networking sites category. While that category of phishing target has an obvious leader the Financial and e-pay organizations and banks category includes numerous organizations that account for no more than 1.5% of all phishing attacks. This is not surprising since the majority of users choose Facebook for their online communication, while there is no particular bank that is preferred by the overall majority of clients.

Spam by category

Spam by category in July 2012

In July, the shares of the Personal finance and Medications and health-related goods and services categories increased by nearly 3 percentage points each which inevitably led to a reduction in the amount of spam in other categories. The majority of emails in the Personal finance category are offers to get involved in dubious money-making schemes. The reasons for such a high level of this type of spam remain the same. First of all, it is related to the spammers reacting to people losing their jobs in the current economic downturn. Secondly, the holiday season usually sees a decrease in consumer activity that makes the advertising of goods unprofitable. We can expect some major shifts in European spam traffic in August when the holiday season ends.

Conclusion

In summer spammers usually have fewer orders. That is why they readily switch to the distribution of partner spam including malicious mailings which, along with the difficult economic situation, makes spam traffic even more dangerous. In July, the share of malicious attachments in email traffic increased by 50%. At the same time the second most popular malicious program distributed via email is a script which executes itself when a spam message is opened. In addition to 4.4% of emails with malicious attachments there is also spam containing malicious links.

The increasing number of fraudulent emails in mail traffic are no less dangerous. ‘Nigerian letters’, dubious money-making schemes and quick loans are all aimed at extorting money from users or involving them in criminal activity.

August tends to be the peak month in terms of dangerous spam. In 2011, August’s share of emails with malicious attachments nearly reached 6%. That surge in malicious code spreading via email may well be repeated this year.

We strongly recommend all users not to open spam messages. This recommendation should always be followed, but especially now at a time when spam is clearly becoming more and more dangerous.