Spam in May 2011

May in figures

• The amount of spam in email traffic increased by 2.1 percentage points compared to April and averaged 82.9%.
• Phishing emails accounted for 0.02% of all mail traffic, a decrease of 0.01 percentage points compared to the previous month.
• Malicious files were found in 4.1% of all emails, an increase of 0.45 percentage points compared to April’s figure

Spam in the spotlight

Death of the world’s No.

1 terrorist reflected in spam

Osama bin Laden’s death was treated as yet another piece of hot news and eagerly exploited by spammers.

Malware distributors were the first to pick up on the theme. In our blog we described in detail how fraudsters lured users into clicking a malicious link or downloading a malicious attachment. Pharmaceutical spammers were not far behind in taking advantage of the Bin Laden death story.

We also recorded several other mass mailings that made passing reference to the same theme in May.

It is not uncommon to see spam messages offering recipients the chance to view UFO landing sites or secret military installations with the help of the Google Earth service. The links in the messages, however, usually lead to sites that charge to download software. In one of the latest messages of this kind recipients were offered the chance to see the house where Bin Laden had been hiding out for the last few years.

‘Nigerian’ spammers also used the news about Osama’s death. In one message recipients were warned of their impending arrest because they had been suspected of aiding terrorists. Apparently, large sums of money had been transferred to their bank accounts which had been discovered by security forces searching for Bin Laden’s accomplices following his death. Of course, there was a promise of an exemption from all charges and several million dollars into the bargain if the recipients contacted them.

Considering the fact that there have been lots of major world news events in recent months, it is worth reminding users that spammers are always going to try and exploit people’s curiosity for their fraudulent ends. Be careful and don’t fall for their tricks!

Spam and the law: Russia

We have written in earlier spam reports about the anti-spam measures introduced by various governments, describing how this or that law had led to spammers being identified and punished.

Of course, we must stress that the fight against spam is most effective when spammers are brought to justice. We also consider it very important to emphasize that the criminal spam business is international. Therefore, to effectively combat unauthorized mass mailings, strong anti-spam laws need to be introduced worldwide.

Russia is currently among those countries without comprehensive anti-spam legislation. However, this situation is set to change. In early May, a State Duma committee on anti-spam law, which includes experts from Kaspersky Lab, took its first steps towards the development of such legislation.

The new law is unlikely to be introduced for more than a year. We will monitor its progress closely, as this law will become the main instrument for combating spammers in Russia, which is thought to currently shelter numerous members of this criminal business.

Statistical summary

Spam in mail traffic

The amount of spam in mail traffic increased by 2.1 percentage points compared to April and averaged 82.9%.

As we forecasted, spam’s share of all email traffic in May returned to the average figure seen during the first half of 2010 – nearly 83%. A low of 72.4% was recorded on 7 May, with a peak of 91.4% on 29 May.

Sources of spam

In May, India remained the most popular source of spam, accounting for 11.35% of the total volume of spam – a decrease of 1.41 percentage points.

Sources of spam in May 2011

Russia continues to slip down the rating of most popular spam sources. In May, its share dropped by approximately 0.5 percentage points compared to April, which meant it fell one place. Overall, the various shifts in the distribution of outgoing spam traffic by country did not exceed a percentage point, suggesting the rating of the most popular spam sources has stabilized.

Malware in mail traffic

In May, malicious files were found in 4.1% of all emails, an increase of 0.45 percentage points compared with the previous month.

The two countries that have led this rating over recent months once again switched places. Russia retook top spot with the number of blocked emails containing malicious attachments increasing by over 4 percentage points compared to April. The amount of malware detected in US mail traffic fell by nearly 3.5 percentage points, pushing that country down one notch to second.

Countries where mail antivirus detected malware most frequently in May 2011

In May, India and Vietnam’s share in this rating grew. Vietnam with over 8% of all blocked emails containing malicious attachments claimed third place pushing the UK down to fourth place. India (5.21%) came fifth, leapfrogging Italy and Germany, which occupied 6th and 7th places respectively.

While Vietnam and India’s figures increased by 2.2 and 0.92 percentage points respectively in May, Australia saw a drop of 1.66 percentage points in the number of malware detections in mail traffic, while Germany saw a drop of 0.94 percentage points and the UK a drop of 0.5 percentage points. We can see a familiar picture emerging here: when the number of emails containing malware decreases in developed countries, the corresponding figure for developing countries increases.

Despite the changing targets of malicious mass mailings, most of May’s Top 10 malicious programs distributed via mail traffic are the usual suspects:

The Top 10 malicious programs distributed via mail traffic in May 2011

In May, Trojan-Spy.HTML.Fraud.gen was the most popular malicious program spreading via email, accounting for slightly more than 10% of all the malware detected in mail traffic.

A new entry in April’s Top 10 rating of malicious programs distributed via mail traffic, Trojan.HTML.Fraud.fc came 3rd in May. It appears in the form of a phishing HTML page designed to steal confidential financial information from Brazilian users.

Occupying 2nd, 4th and 8th places in the Top 10 are Email-Worm.Win32.Mydoom.m, Email-Worm.Win32.Bagle.gt and Email-Worm.Win32.NetSky.q mail worms. As we have already mentioned in previous reports, Mydoom.m and NetSky.q are malicious programs whose only functions are to harvest email addresses and to send copies of themselves to these addresses. Bagle.gt is yet another mail worm; however, its functionality is more sophisticated. It not only collects email addresses and sends a copy of itself to all email addresses harvested from the victim’s machine but downloads malicious programs itself from Internet resources.

In May, this rating saw the appearance of Trojan-Downloader.Win32.FraudLoad.zerc and Trojan-Downloader.Win32.FraudLoad.zept which claimed 5th and 7th places respectively. It should be noted that in 2010 representatives of the families which these Trojans belong to were regulars in this rating. At the end of 2010 and the beginning of this year, programs of the FraudLoad family almost completely disappeared from the Top 10. To recap, these programs are designed to download rogue antivirus programs to users’ computers. In April, for the first time after a long break a representative of this family, Trojan-Downloader.Win32.FraudLoad, entered the Top 10 rating of malicious programs distributed via mail traffic.

Phishing

In May, phishing emails accounted for 0.02% of all mail traffic, a decrease of 0.01 percentage points compared with the previous month.

PayPal remained the undisputed leader of May’s Top 10 organizations most often attacked by phishers (+23.28 percentage points). eBay (+2.5 percentage points) returned to 2nd place in the rating after a brief respite in April.

Top 10 organizations targeted by phishing attacks in May 2011

The most noticeable change in the Top 10 organizations attacked most often by phishers was the appearance of RuneScape, an online game (4.67%). It immediately occupied 3rd position in the rating ahead of such long-term entries as Facebook (-1.82 percentage points), Habbo (-1.36 percentage points) and the phishers’ favorite online banking systems Santander (-0.13 percentage points), HSBC (-1.25 percentage points) and LloydsTSB (-1.82 percentage points).

RuneScape, which is free, even surpassed the subscription-based World of Warcraft (-1.24 percentage points) in terms of popularity. It appears the phishers have been attracted by the growing popularity of free online games. Even free online games can be a source of profit. The developers have to earn money somehow, and this is usally by selling virtual objects for game characters. Fraudsters have also taken an interest in the sale of advanced-level characters. The question remains as to why phishers have lost interest in WoW, reportedly the the most popular online game in the world. This is most likely the result of the Blizzard team and its efforts to protect their users.

Conclusion

For the spammers the most important news event of the month was Osama bin Laden’s death – they immediately went to work exploiting it in their mass mailings. However, this was only one of many other themes this spring. Almost all the tragic events of early 2011 remain a part of the fraudsters’ arsenal. That is why we would like once again to ask all users to be careful and attentive when surfing the Internet.

In the sphere of anti-spam legislation the most important event, in our opinion, was the first serious steps being taken towards introducing strong anti-spam laws in Russia. This is a crucial development both on the regional and the global level. It’s common knowledge that a significant amount of the spam business is concentrated in Russia. Of course, we understand that one anti-spam law adopted in a single state cannot solve the problem. However, the ability to fight spam at the legal level will no doubt eventually lead to a reduction in the volume of spam on the Internet. The more countries that implement such measures, the easier it will be for law enforcement agencies to counter spam.