Spam and phishing reports

Spam report: December 2011

December in figures

  • The percentage of spam in email traffic was 4.4 percentage points lower than in November and averaged 76.2%.
  • The percentage of phishing emails in mail traffic did not change from November and amounted to 0.02%.
  • In December, malicious files were found in 4% of all emails, which is 1 percentage point more than in November 2011.

Spam in the spotlight

Spam coupons

Coupon services are selling like hot cakes in many countries today. So what are they exactly? Well, they are essentially online projects that offer users collective discounts. When someone purchases a coupon, he buys the right to purchase a specific product or service at a considerable discount — typically on the condition that a certain number of customers buy in.

These services have gradually become an alternative to spam marketing for small and mid-sized companies, due to several things: first of all, these services — unlike spam — are completely legitimate; second, the way in which the advertisements are distributed are more or less the same: coupon services send out updates among their clients (and unlike spam, these are not blocked by spam filters). Furthermore in addition to email notifications, information about a product or service is also published on the Internet, which potentially increases the number of viewers. Finally, the probability of attracting clients via a coupon service is considerably higher — coupon services don’t meet the same rejection that spam does. Instead, mailings are sent to a target audience interested in purchasing coupons.

Spammers could hardly ignore the impact of coupon services on email traffic and Internet advertising. These distributors of electronic junk mail realized that the word ‘coupon’ is even more attractive to users than ‘discount’. After all, a coupon is a specific kind of discount for a certain group of people.

German spammers who specialize in medical-related spam concluded that offering a ‘conditional coupon’ would boost demand for the medications they sell:

An example of a spam email purporting to offer a ‘conditional coupon’

Even those who don’t know German can easily recognize the word ‘coupon’ in the above screenshot. You can also see that the discount that is offered isn’t that large at just 10%.

This is not the only case in which users are offered goods that are widely advertised in spam (medications or counterfeit luxury items, for example) with the promise of a coupon discount.

As usual, we are advising users to be cautious. We still have not detected any malicious attachments disguised as coupons, although we expect that these will show up sooner or later. Anything and everything that is in demand on the Internet is eventually added to the spammers’ arsenals in one way or another. Primarily, new approaches are typically used by the participants of affiliate programs that send out spam advertising medications and replicas of luxury goods. They are later joined by distributors of malicious code.

One should also bear in mind that users run the risk of losing money from their accounts if the registration data for these coupon services is ever compromised. Users should remember that no major service ever asks users to confirm their login or password via email. Furthermore, before entering any registration data, users should be confident that the address of the web page is correct.

The calm before Christmas

At the end of the year, we typically see a slowdown in spam activity. During this period, many computers that are hooked up to botnets are inactive, as it is the season of school vacations and winter holidays. The level of business activity also goes down considerably. Users spend money primarily on their Christmas and New Year’s presents and don’t do much other spending. Advertisers know about the seasonal fluctuations and don’t engage in useless marketing campaigns. And spammers want vacations, too!

The year 2011 was no exception to this rule, and the percentage of spam in mail traffic fell 4.4 percentage points in December.

The proportion of spam in email traffic in November – December 2011

Meanwhile, the proportion of spam mentioning Christmas or New Year began to increase as early as in November, and surged to over 10% in the second-last week of December.

Overall, this category of spam came to 6.8% at the month’s close.

The percentage of spam mentioning Christmas and New Year in email traffic in December 2011

Statistical summary

Sources of spam

Sources of spam in December 2011 (TOP 20)
Sources of spam in December 2011 (TOP 20)

In December, India remained the leading source of spam, with the share of spam coming from the country rising 0.34 percentage points compared to November.

The three other countries behind India also saw their share of spam rise by more than 3 percentage points from November: Indonesia (+3.55 percentage points), Brazil (+3.5), and Peru (+3.5). At the same time, the percentage of spam coming from South Korea, which was in second place last month, fell by 2.85 percentage points, putting that country in fifth place in December.

There was another major change in this rating: the UK fell from 7th to 17th place. The percentage of spam originating from the UK fell by 2.31 percentage points. Remarkably, during the first week of December, the UK was still in 8th place, but fell to 53rd place for the last week of the month. This drop is primarily related to the Christmas holidays, during which many leave their work and home computers switched off.

The percentage of spam originating from other countries in the top 20 changed insigificantly – less than 1 percentage point.

Malware in mail traffic

In December, malicious attachments were found in 4% of all emails — that’s 1 percentage point more than in November.

The distribution of email antivirus detections in December 2011, by country
The distribution of email antivirus detections in December 2011, by country

In December, the US remained in second place in terms of countries with the highest number of email antivirus detections, close behind first-placed Russia. The share of email antivirus detections in the US in December came to 15.1%, or 0.9 percentage points higher than in November. Meanwhile, the share of email antivirus detections in Russia fell by 4.9 percentage points and came to 15.3%.

Australia rose from 10th place to 5th in December, with an increase of 2.6 percentage points compared to November.

Note the appearance of Hong Kong in fourth place this past month, while China took 10th place. Hong Kong had a total of 7.4% of email antivirus detections in December, while users of Kaspersky Anti-Virus in the rest of China produced 2.5 times fewer detections, at just 2.8%.

The Top 10 malicious programs spread via email in December 2011
The Top 10 malicious programs spread via email in December 2011

Among the malicious programs most frequently detected by our email antivirus program, the number one remains Trojan-Spy.HTML.Fraud.gen. The percentage of detections of this particular program fell by another 1 percentage point but still made up 11% of the total. You may remember that this Trojan is designed to look like a registration web page for a financial organization or some other online service.

In second place, we have Email-Worm.Win32.Mydoom.m – an email worm that performs just two functions: collecting email addresses on infected computers, and sending itself to them. This is the same as Email-Worm.Win32.NetSky.c. which came 10th this month. Another email worm in December’s Top 10 is, which made it into 5th place. In addition to the above-described function of traditional email worms, the latter threat also sends requests to online resources in order to download malicious programs.

Downloader Trojans filled rankings seven through nine in the December Top 10 of email malware spotted by Kaspersky Anti-Virus: Trojan-Downloader.Win32.Agent.tpes, Trojan.Win32.Yakes.jyh and Trojan.Win32.MokesLoader.dp. Once installed on a computer, these threats send requests to specific online resources and obtain links to download other malicious programs.

In sixth place this month was a Trojan from the Trojan.Win32.Pakes family. This is a packer program that is used to smuggle modules of other malicious programs past antivirus checks.


The percentage of phishing emails in total email traffic did not change from November and came to just 0.02%.

Top 10 organizations targeted by phishers
Top 10 organizations targeted by phishers*

* This rating is based on the number of phishing URLs on the Internet that attempt to obtain user logins and passwords for various online services. The rating is not demonstrative of the security level of the organizations named above, but rather the popularity of their services among users, which in turn explains their popularity among phishers.

In December, the Top 5 targeted organizations remained unchanged from November: PayPal (+5 percentage points), Habbo (+1), eBay (-2.7), Facebook (-3.6), and Santander (+0.2).

The percentage of attacks targeting Facebook was nearly half of that in November.

There were few changes to the rest of the Top 10. Of particular interest, however, is the emergence of the Brazilian aviation company TAM in sixth place (3.7%) and the disappearance of the IRS from the list of targeted organizations. This change is easy to explain: the deadline for submitting tax declarations in the US passed, and as a result, malicious users became less interested in the US tax authority. At the same time, the holiday season peaked and many people were busy buying air tickets online — a trend noticed by malicious users, who created a fraudulent site disguised as an official airline website.

Spam by category

Spam by category in December 2011
Spam by category in December 2011

The top three categories in English-language spam have not changed since November, although they did swap places. As in November, most spam in December was comprised of fraudulent emails. The percentage of these types of emails skyrocketed 12.8 percentage points right before Christmas and New Year. Financial spam fell from second place to third, dropping 4.3 percentage points compared to November. The category in second place is spam advertising various goods and services, although its percentage fell slightly (-2.4 percentage points).

Most of the spam categories in December were related somehow to the crisis conditions in the financial sector and with the upcoming holiday season. In the ‘other goods and services’ category, we saw mailings advertising Christmas-themed goods — decorations for the home or dinner table, and presents for relatives and loved ones. The holiday season assumes people will be spending their money, and resourceful spammers filled up inboxes with different types of emails offering credit or dubious sources of revenue (also known as the ‘personal finances’ category of spam).

Scammers are proactive during this period since users often pay for their purchases online and don’t necessarily pay too much attention during the holiday rush.


Overall, December was a quiet month for spam. The percentage of spam emails in total email traffic declined in connection with the holiday season. Many computers hooked up to botnets remained switched off, and there was a general decrease in business activity.

A large amount of emails advertised Christmas-related goods and services, which was expected. The overwhelming majority of these types of messages are the fruits of seasonal affiliate program operations.

The negative trend of the rising amount of malicious spam seen in 2011 continued throughout December. Many malicious emails in December exploited the Christmas season. Furthermore, many of them were designed to look like notifications from online shops about order registrations.

As 2012 gets under way, the percentage of malicious spam in email traffic will not fall; instead, malicious users will begin to use new tactics to spread their threats.

Spam report: December 2011

Your email address will not be published. Required fields are marked *



APT trends report Q1 2024

The report features the most significant developments relating to APT groups in Q1 2024, including the new malware campaigns DuneQuixote and Durian, and hacktivist activity.

Subscribe to our weekly e-mails

The hottest research right in your inbox