Spam Report: February 2008

Spam in mail traffic

Spam in mail traffic averaged 86.7% in February 2008. A low of 74% was recorded on 11 February, and a high of 95.9% occurred on 2 February.


Spam in February 2008

The graph shows that the share of spam peaked at weekends when business correspondence is at its lowest.

Spam by category

The leading spam categories in February 2008:

  1. Medications, health-related goods and services (24.5%).
  2. Education (15.8%).
  3. Travel and tourism (10.4%).
  4. Computers and the Internet (4.4%).
  5. Legal and audit services (4.3%).


Spam on the Russian Internet, February 2008

The proportion of spam from the Medications, health-related goods and services category fell considerably compared to January’s figures. In the first half of January (especially during the extended holiday period) there was not much Russian-language spam, while spam with a medical theme was prevalent in English-language traffic, heading the list of categories with a new record of 48.1%. February saw both English- and Russian-language spam in this category return to previous levels. Despite the Medications, health-related goods and services category decreasing by almost half, it still remains in first place.

Valentine’s Day and two Russian holidays (23 February, or ‘Defenders of the Fatherland Day’, and 8 March, or ‘International Women’s Day’) caused an increase in the amount of spam offering greetings and presents. As is the case before any holiday, spammers were particularly creative in the gifts they offered. One example is the message shown below, which offers an all-female marching band and a brass band for the “men’s” and “women’s” holidays respectively:

[Translation: The best present for men on 23 February is the Viva Russia! drum band! This colorful ensemble can perform in offices and take part in events to mark the holiday.
The best present for women on 8 March is the Vis-à-vis orchestra – guaranteed to liven up any holiday mood with their musical gift for the most beautiful women.
+ {tel.}]

The large number of mass mailings of this nature boosted the Other goods and services category, which even exceeded its figure for December 2007, when spam traffic was inundated with offers of all sorts of gifts to mark the festive season. The February figure of 24.5% for this category meant it drew level with the leading category.

The category Education (15.8%) held on to second place with an increase of 6.5%. With the summer and entrance exams just around the corner, spammers obviously believe it’s a good time to offer assistance with getting places at higher education institutions.

Travel and tourism climbed one place after more than doubling its share of spam traffic. The various public holidays gave spammers the opportunity to tempt computer users with an increased number of excursions and foreign holidays.

The categories Computers and the Internet, and Legal and audit services entered the top five in February at the expense of Electronic advertising services, and Adult content spam.

Interestingly, although the Russian presidential elections on 2 March were a major event, this wasn’t really reflected in February’s mass mailings: no significant changes were detected in the amount of political spam.

Malicious messages in February spam traffic

As was expected, the holidays were actively exploited with the aim of infecting users’ PCs. In the days leading up to Valentine’s Day there was a wave of mass mailings containing a link to a site where users were invited to download a greetings card – an executable file with a “.exe” extension. Needless to say, the users who were incautious enough to download the file ended up with a malicious program on their computer.

Those who visit adult sites on a regular basis also failed to avoid the spammers.

Online sex with models – {site}

Web pages infected with Trojans were often behind such offers.

Curiously, the fear of being infected by worms, Trojans and viruses has become a new subject for chain letters. The message below first spread throughout the social networking site Odnoklassniki.ru (the Russian equivalent of Classmates and Friends Reunited) and is now circulating in email:

[Translation: Odnoklassniki has been infected by a virus. Send this message to all the people on your contact list, even those that are currently offline, so that they DON’T ADD THE CONTACTS:
1. “Tropokh (292-222-***)”, because this is a virus. His name is Denis Zieg. It ruins the whole hard drive. If someone from your list adds it, then you do too. Friends have already fallen victim.
2. kuzen4ik@***.ru, because IT’S also a VIRUS.
3. Don’t add sateite@***.ru with the nickname “Satellite”! IT’S A VIRUS! Windows crashes as soon as the computer starts. If one of your contacts adds it, then you will automatically be infected. So, copy this and send it to all your contacts.]

Fraudulent spam

Besides phishing messages, other widespread forms of fraud in February were fake notifications of lottery wins and offers of free gifts.

Fake messages about lottery wins have been a fixture in English-language spam for a while, and they have now been detected in Russian-language spam too. Cybercriminals are sparing no expense in their efforts to tempt gullible users into giving away money; they create dedicated web sites which look so genuine that even the most wary users start thinking that the messages and their contents may be authentic.

The first sign that the notification is fake is the reference to a random prize draw; this implies that the recipient has not consented to participate in the lottery. A comparison of several of the Russian-language messages reveals that all recipients of the message came 18th in the draw and that they have to enter an identical registration code. When the recipient attempts to register, the total winnings are shown and the “lottery participant” is asked to send a “free” SMS message to a short number in order to confirm their location (apparently, only those located in Russia or Ukraine can take part in the lottery). The SMS charge is transferred to the criminals while the “randomly chosen participant” is left dreaming about what might have been.

Spammers have been using mobile phones more and more often in their illegal get-rich schemes. The latest example of this was linked to the presidential elections in Russia.

This message, which allegedly comes from the Centre for Independent Sociological Research, claims to be conducting a poll on how recipients intend to vote – for Medvedev, for Zuganov, for Zhirinovskii, for Bogdanov, or for none of the named candidates. Recipients are urged to send an SMS to a short number. However, the spammers do not highlight the fact that the SMSs are not free, and although the results will supposedly be published on 28 February, the spammers omit any mention of where they will be published.

Spammer methods and tricks

In February, spammers continued to work on improving the methods they currently use when sending mass mailings. In January, with the help of HTML tags, the text in spam messages was broken up by a random selection of symbols that the recipient could not see. These insertions were only visible to spam filters that analyzed the source code of a message; the main purpose of the tags is to prevent filters from detecting spam messages. The random symbols have now been replaced by foreign words which have no connection to each other.

The HTML code in the message shows that the link does not direct recipients to the legitimate greetings service postcard.ru, but to a different site altogether – most probably one containing a malicious program.
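A filter-side check for the two tricks described above, as an added example that is not part of the original report: it separates text hidden by inline styles from what the reader actually sees, and flags links whose visible text names a different domain from the one in the href. The style patterns, the `audit` helper and the sample message are constructed for illustration and assume reasonably well-formed markup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?![.\d])", re.I)
DOMAIN = re.compile(r"\b(?:www\.)?((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)  # captures host without "www."
VOID = {"br", "img", "hr", "meta", "input", "link"}  # tags that never get an end tag

class MailAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack, self.href, self.link_text = [], None, []  # stack: one "hides content" flag per open tag
        self.visible, self.hidden, self.mismatches = [], [], []

    def handle_starttag(self, tag, attrs):
        if tag not in VOID:
            attrs = dict(attrs)
            self.stack.append(bool(HIDDEN_CSS.search(attrs.get("style") or "")))
            if tag == "a":
                self.href, self.link_text = attrs.get("href") or "", []

    def handle_data(self, data):
        text = data.strip()
        if text and any(self.stack):      # inside an element the reader never sees
            self.hidden.append(text)
        elif text:
            self.visible.append(text)
            if self.href is not None:     # visible text of the link being read
                self.link_text.append(text)

    def handle_endtag(self, tag):
        if tag in VOID or not self.stack:
            return
        self.stack.pop()
        if tag == "a" and self.href is not None:
            real = re.sub(r"^www\.", "", urlparse(self.href).hostname or "")
            shown = [s.lower() for s in DOMAIN.findall(" ".join(self.link_text))]
            self.mismatches += [(s, real) for s in shown if real and s != real and not real.endswith("." + s)]
            self.href = None

def audit(html):
    p = MailAudit()
    p.feed(html)
    p.close()
    return {"visible": p.visible, "hidden": p.hidden, "mismatches": p.mismatches}

# Constructed sample: unrelated hidden words as filter noise, plus a link whose text and target differ.
SAMPLE = ('<p>Greetings <span style="display:none">zebra laterne fromage</span>card '
          '<span style="font-size:0">window casa</span>for you:</p>'
          '<a href="http://cards.example.net/card">http://www.postcard.ru/view</a>')
```

Scoring a message on its `visible` text only removes the hidden noise from the filter's view, while a non-empty `hidden` or `mismatches` list is itself a useful spam signal.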

Once again we’d like to remind Internet users that cybercriminals will do anything to get you to visit their sites, and of the potential threat posed by unsolicited messages from unknown senders. Careless actions by a user can result not only in an infected computer but also in financial losses.

Monthly update

  • The amount of spam in mail traffic rose to 86.7%, a slight increase on January’s figure.
  • 0.61% of all mail traffic was made up of messages which contained links to infected web sites or which had malicious files attached.
  • The share of phishing messages rose significantly compared to January, to 1.6%.
  • There was an increase in spam advertising a range of goods and services as presents.
  • Fake notifications of lottery wins were detected in Russian-language spam.
  • Spammers have continued to use HTML tags, which are invisible to recipients, to create background ‘noise’ in messages.
