Spam report: April 2011

April in figures

• The amount of spam in email traffic increased by 1.2 percentage points compared to March and averaged 80.8%.
• Phishing emails accounted for 0.03% of all mail traffic, an increase of 0.01 percentage points compared to the previous month.
• Malicious files were found in 3.65% of all emails, an increase of 0.43 percentage points compared to March’s figure.

Spam in the spotlight

What’s worrying the spammers

In April, spammers continued to exploit the Japan earthquake and the war in Libya in their mass mailings. These two themes cropped up mostly in scammer emails including Nigerian letters. There were also a few other events that caught the attention of the spammers.

Easter

In April, the Christian world celebrated Easter. For spammers this annual event was once again exploited to attract attention to their mass mailings. We registered all sorts of emails throughout April linked to the Easter theme, for example, special offers for those wishing to lose weight after Easter festivities and notifications about Easter lottery wins. Many messages offered tablets to enhance sexual potency. The day before Easter Sunday a new batch of emails was sent promoting Easter presents such as flowers:

However, no malicious mailings exploiting the Easter theme were registered in mail traffic.

Mother’s Day

In early May, many countries celebrate Mother’s Day. Of course, spammers seized the opportunity to advertise gifts associated with the holiday: flowers, jewelry, massage equipment, chocolates, etc.

There was even an advert for an exotic wine which was touted as a gift for mothers:

The royal wedding

On 29 April, the world witnessed the “wedding of the year” as Prince William married Kate Middleton. The wedding was subject to massive coverage in April and overshadowed the war in Libya at the end of the month.

Contrary to our expectations, there was very little spam exploiting the royal wedding theme. When it did appear, it was mostly limited to offers of souvenirs including replicas of Kate Middleton’s engagement ring.

Besides these replicas, spammers advertised commemorative coins minted especially for the occasion of the royal wedding. Users were also invited to a London mansion for Royal Afternoon Tea.

Clearly, the antivirus vendor predictions of a wave of malicious spam exploiting the wedding theme turned out to be wide of the mark.

Spam rage

The first ever case of spam driving someone mad was reported in the USA in April.

New York resident Jeremy Clancy, 28, was so angry with the amount of spam he was receiving in his mail box and on his social network pages that he decided to hunt down his tormentors. Over the period of a week he tracked down 23 people whom he suspected of distributing unsolicited correspondence and in the evenings cut the Internet cables at their houses. On his eighth outing he was apprehended by the police. It was later disclosed that Clancy was suffering from a mental disorder.

Unfortunately, the media didn’t state whether Clancy’s victims really were spammers or were, just like him, the victims of spam.

Statistical summary

Spam in mail traffic

The amount of spam in mail traffic continues to grow. In April, it increased by 1.2 percentage points compared to March and averaged 80.8%.

Spam in mail traffic in April 2011

A low of 72.2% was recorded on 1 April with a peak of 86.4% on 16 April.

The amount of spam in mail traffic was noticeably higher in the second half of April: the average figure for 1-15 April was only 77.9%, while in the period 16-30 April it exceeded 83.6%. This points to a continued growth in the number of spam emails, which is in line with our forecast that the average monthly share of spam in mail traffic would return to 82-83% by May 2011.

Sources of spam

In April, India remained the most popular source of spam, accounting for 12.76% of the total volume of spam – an increase of 1.34 percentage points.

 
Sources of spam in April 2011

In April, Russia continued to slip down the rating of most popular spam sources. Though its share dropped inconsiderably – approximately 0.5 percentage points – it was overtaken not only by Brazil (+0.55 percentage points) but South Korea as well whose contribution to global spam almost doubled (+2.8 percentage points) compared with March’s figure.

The amount of spam that originated from the USA is still small – 2.1%. As a result, it dropped to 14th place in the rating.

As in the previous month, the shifts in the distribution of outgoing spam traffic by country were inconsiderable.

Malware in mail traffic

In April, malicious files were found in 3.65% of all emails, an increase of 0.43 percentage points compared with the previous month.

The USA topped the list of countries where malware was detected most frequently in mail traffic.

 
Countries where mail antivirus detected malware most frequently in April 2011

Malicious files were found in 14.2% of all emails received by users in the USA, an increase of 1.93 percentage points compared with March’s figure. In Russia the number of blocked emails with malicious attachments decreased by 2.9 percentage points when compared to March.

The UK remained in third place with 6.4% of all blocked emails containing malicious attachments, an increase of 1.1 percentage points compared to March’s figure. Vietnam in fourth place (5.91%) was a non-mover in April.

Though India’s figure (4.29%) remained practically unchanged it dropped two places to 8th in April.

Australia saw continuous growth in the number of malware detections in mail traffic: in April, it came 5th with 5.6% of all blocked emails with malicious attachments. It is possible that cybercriminals view Australian PCs as a new source of zombie machines for their botnets.

The Top 10 rating of malicious programs distributed via mail traffic in April 2011 looks like this:

 
The Top 10 malicious programs distributed via mail traffic in April 2011

In April, Trojan-Spy.HTML.Fraud.gen, the long-standing leader of the rating, made way for Packed.Win32.Katusha.n which represents a family of malicious programs used to pack rogue antivirus programs. Notably, this Packed.Win32.Katusha modification has never appeared before in the rating.

Fifth place in the list of malicious programs distributed via mail traffic is also occupied by another newcomer – Trojan-Downloader.Win32.FraudLoad.hxv. As with all representatives of the Trojan-Downloader.Win32.FraudLoad family this program is designed to download rogue antivirus programs to users’ computers.

Another new entry is Trojan.HTML.Fraud.fc which appears in the form of a phishing html-page designed to steal confidential financial information from Brazilian users.

Occupying 3rd and 7th places in the Top 10 are Email-Worm.Win32.Mydoom.m and Email-Worm.Win32.NetSky.q mail worms, whose primary function is to harvest email addresses that help them to continue spreading. You can find out more about these malicious programs here and here.

Email-Worm.Win32.Bagle.gt in 8th place in April’s rating is yet another mail worm; however, its functionality is more sophisticated. It not only collects email addresses and sends a copy of itself to all email addresses harvested from the victim’s machine but downloads malicious programs itself from Internet resources.

Phishing

In April, phishing emails accounted for 0.03% of all mail traffic, an increase of 0.01 percentage points compared with the previous month.

 
Top 10 organizations targeted by phishing attacks in April 2011

PayPal was the undisputed leader of April’s Top 10 organizations most often attacked by phishers. However, the intensity of the attacks on this e-pay system has eased off slightly, with a drop of 6 percentage points compared to March.

In April, phishers seemed to lose interest in eBay – almost half as many of its users were attacked compared to the previous month.

Facebook (+0.72 percentage points) and Santander (+0.4 percentage points), which pushed eBay into 4th place, came 2nd and 3rd respectively, though the number of attacks on these organizations increased insignificantly compared with March’s figures.

Habbo’s position as well as the share of attacks on its users remained unchanged compared to the previous month.

World of Warcraft, a popular online game, fell one place to 8th. However, the number of attacks on it was unchanged.

The Brazilian social network Orkut, which is owned by Google, ended April in 10th place. It is worth mentioning that user accounts belonging to Google’s services, including Orkut, are interconnected. Thus, having acquired credentials for one of these accounts, a cybercriminal can access any Google services registered to the same user.

Other Google services were also attacked by phishers, although less often. Phishing messages targeting GoogleAdWords users’ credentials were well designed and closely resembled genuine notifications from Google.

The link contained in the email was very similar to the links used by Google. The registration form to which a user was redirected was a very good imitation of the real Google registration form.

Conclusion

Of particular interest in April was the appearance of Packed.Win32.Katusha.n and Trojan-Downloader.Win32.FraudLoad.hxv in the rating of malicious programs blocked by mail antivirus. Both malicious programs are linked to fake AV: the former is used to pack them while the latter downloads them to users’ computers. It now looks like rogue antivirus programs have returned to spam mailings.

There were no major anti-spam operations to talk of on the legal front in April. This has created a favorable environment for the share of spam in mail traffic to gradually increase – it is now approaching the 81% mark. It should be pointed out that the average level of spam in mail traffic in the second half of April exceeded 83% and it looks like this figure is set to grow in the coming month.