Spam and phishing reports

Spam report: October 2011

October in figures

  • The amount of spam in email traffic was up 1.4 percentage points compared to September and averaged 79.9%.
  • The amount of phishing emails decreased threefold compared with September’s figure, accounting for 0.01% of all mail traffic.
  • Malicious files were found in 2.5% of all emails, down 2 percentage points from September.

Spam in the spotlight

Hot topics of the month

When it came to grabbing the attention of users in October, spammers had numerous big news stories to choose from. The month was not only rich in sensational events but was also marked by the approach of two international holidays.

Life after death – in spam

As our readers may know, nothing is sacred to a spammer. A headline-grabbing death is just another chance to draw users’ attention to their mailings like any other high-profile event.

Steve Jobs

On 5 October the co-founder of Apple Steve Jobs died. The spammers were surprisingly slow to react: the first malicious mailings appeared a whole day after his death. Some emails reported that Steve Jobs was alive, while other messages “provided information” about how the company had reacted to the tragic news.

Throughout the whole month we registered new mailings exploiting the theme. They were mostly emails containing malicious code.

We also came across a fraudulent email that invited users to buy the newest add-on for iTunes, a special version allegedly released to celebrate Jobs’ life that cost $30.

The only other spam exploiting Steve Job’s death that didn’t have malicious or fraudulent content was a mass mailing that offered users a guide on meditation and relaxation.

The only other spam exploiting Steve Jobs death

Contrary to our expectations, in October the Apple-related spam did not include traditional pharmaceutical adverts.

Gaddafi

On 20 October the world learned about the death of the Libyan leader Muammar Gaddafi. As expected, a lot of emails allegedly sent by “Gaddafi’s relatives” and “Gaddafi’s former officers” immediately appeared on the Internet offering a cut of his treasures. Each of them, it appeared, had “inherited part of the Muammar’s countless treasures”. If you add up all the sums mentioned in these ‘Nigerian letters’ it seems that the Libyan leader indeed possessed immense wealth: the most modest sum on offer was $12.5 million.

On 20 October the world learned about the death of the Libyan leader Muammar Gaddafi

Gaddafi’s “second wife” has become his most active “relative”: several variations of ‘Nigerian letters’ were spread on her behalf.

Of course, such letters are nothing but a scam and we strongly recommend ignoring them. For ‘Nigerian’ spammers, the death of a prominent figure in a politically unstable country is the perfect vehicle for a new wave of attacks. The fraudsters believe mentioning a real person in their emails makes them more credible. However, we hope that no sensible person could possbily believe they had received an email from Gaddafi’s second wife offering a slice of her $12.5 million inheritance.

The holidays are coming

Popular global holidays – from Halloween to Christmas and New Year – added a seasonal flavor to October’s spam mailings.

Halloween

The spammers actively tried to exploit the build-up to Halloween on October 31.

Interestingly, although the Halloween spam mailings appeared to be different, they were all distributed by partner programs.

Among the goods and services on offer we saw carnival costumes, party invitations, Halloween presents and cards and even special offers for medication and cut-price software.

Christmas and New Year are just around the corner

Spam related to New Year and Christmas usually starts appearing in October as the real world is gripped by the annual advertising frenzy. This October emails contained adverts for presents and delicacies as well as parties and holidays during the festive season.

In November, we expect to see an increase in the number of these kinds of emails because the holiday rush will only intensify. As well as traditional gifts, cards and trips there will also be ‘special offers’ for items such as Viagra and replicas of designer watches that have a Christmas or New Year twist.

Statistical summary

Sources of spam

The top sources of spam in October 2011
The top sources of spam in October 2011

In October, outgoing spam was distributed more evenly throughout the world. To recap, in Q3 2011 almost 50% of all spam traffic came from the Top 5 members of the rating. In October, however, these countries contributed just 33.4%. At the same time, more spam came from the other countries including those from the ‘Others’ category (+7.3 percentage points).

There was little change in October’s list of the top four leading spam sources compared to the previous month, although some countries swapped places: India (-4.7 percentage points), South Korea (-0.7 percentage points), Brazil (-4.1 percentage points) and Indonesia (-3.4 percentage points).

Peru, which came 5th in September, fell sharply to 19th place in October (-3.6 percentage points).

Peru was replaced in the Top 5 by Italy (+2.47 percentage points). Noticeably, western European countries were more widely represented in the Top 10 this month, compared to September when only Italy featured.

Over a period of three months prior to October we monitored how two groups of countries – India-Brazil and Ukraine-Peru-Thailand – were sending out spam in synchronization, while Russia and Vietnam were out of sync. However in October we did not see the same correlation. We will keep monitoring the situation, and in the near future we will publish updated information and analyze the new correlations between spam volumes from these groups of countries. All we know for sure at the moment is that spammers are trying to ensure that their botnets are not concentrated in one country or region, but are spread across different parts of the world.

Malware in mail traffic

In October, the share of malicious files found in all emails amounted to 2.5% — a drop of 2 percentage points compared to September.

The top three countries with the highest rates of email antivirus detection remained out in front, but swapped places. Russia took a significant lead and topped the rating: the amount of mail antivirus detections in the country nearly doubled (+8.26 percentage points) compared with September. The US and the UK also showed smaller increases in mail antivirus detections (+2.1 and +1.2 percentage points respectively).

Other noticeable changes included increases in the share of antivirus detections in Vietnam (+2.7 percentage points) and Australia (+1.65 percentage points) and the drop recorded in India (-1.8 percentage points).

There was a newcomer in the Top 10 – South Africa entering at 10th place with an increase of 1.2 percentage points.

Distribution of email antivirus detections by country October 2011
Distribution of email antivirus detections, by country: October 2011

October’s list of the most frequently detected malicious programs has a familiar look about it.

The Top 10 malicious programs spread via email in October 2011
The Top 10 malicious programs spread via email in October 2011

Trojan-Spy.HTML.Fraud.gen again topped the rating of the ten most popular malicious programs, appearing in 13% of all malware spread via email in October 2011. This Trojan uses spoofing technology and appears in the form of an HTML page. It comes with a phishing email containing a link to a fake site resembling that of a well-known bank or e-pay system where the user is asked to enter a login and a password.

Second came Email-Worm.Win32.Mydoom.m, which was the only mail worm to remain in September’s rating. However, in October it was joined by two more representatives of this family: Email-Worm.Win32.Bagle.gt was 5th followed directly by Email-Worm.Win32.NetSky.q. in 6th place.

As we have already mentioned in previous reports, Mydoom.m and NetSky.q are malicious programs whose only functions are to harvest email addresses and to send copies of themselves to these addresses. Bagle.gt is yet another mail worm, but as well as the usual functionality it downloads malicious programs from Internet resources.

Worm.Win32.Mabezat.b was in 3rd position. This worm also sends a copy of itself to all email addresses found on a computer. In addition it copies itself to the local disks and accessible network directories on the infected machine.

The number of Trojan.Win32.Yakes modifications decreased slightly: September’s Top 10 included three members of this family while October’s rating had just two, in 4th and 9th. Like Trojan-Downloader.Win32.Agent.gxwf in 10th position, Yakes is a classic Downloader Trojan that downloads other malicious programs once installed on a computer.

Phishing

The percentage of phishing emails in total mail traffic decreased by a factor of three accounting for 0.01% of all email traffic.

Top 10 organizations targeted by phishers
Top 10 organizations targeted by phishers*

* This rating is based on the number of phishing URLs on the Internet that attempt to obtain user logins and passwords for various online services. The rating is not demonstrative of the security level of the organizations named above, but rather the popularity of their services among users, which in turn explains their popularity among phishers.

Banks and financial services became more attractive targets in October, with social networks and online games getting a smaller share of phishers’ attention.

The number of phishing attacks on Facebook halved, placing this social network in 3rd place. In September, Habbo and Orkut came 4th and 5th. However, in October they dropped out of the Top 10 with decreases of 3.9 and 6.3 percentage points respectively. The share of attacks targeting RuneScape halved compared to September’s figure (-2.3 percentage points).

Often, a decrease in the number of attacks on some Top 10 organizations is caused by a more intense focus on the leaders – PayPal and eBay. However, in October, both PayPal and eBay were attacked less intensively compared with the previous month (-1.3 and -0.4 percentage points respectively). At the same time the total share of phishing attacks on the banking sector increased by 1.2 percentage points. The increases in attacks on individual banks ranged from 1.5 to 2.6 percentage points. This suggests that the share of attacks on social networks and online games fell due to the growing number of attacks targeting banking organizations.

This trend may have been caused by the unfavorable financial forecasts for the world economy. The phishers may well be trying to gain as much real money as possible because its value is increasing compared to virtual currencies.

Spam by category

Spam by category in October 2011
Spam by category in October 2011

There was no change among the top five categories of English-language spam. Fraudulent emails remained on top, although their share decreased by 7.7 percentage points.

The amount of ‘Personal finance’ spam in 2nd place grew slightly in October.

We have already mentioned that the prominence of these two categories could be linked to the world financial crisis.

The raft of Halloween and Christmas messages pushed ‘Other goods and services’ up to third place.

Conclusion

The most notable changes came among the organizations targeted by phishers. As mentioned above, phishers have reconsidered their interest in virtual money: their interest in cold hard cash is outstripping their desire for virtual wealth. Although it is hard to make a prediction, we imagine that phishers will return to the ‘safe haven’ of virtual money if and when the global financial situation stabilizes.

October reinforces the point that spammers will use any noteworthy event to lure users to their mass mailings. As always, we strongly recommend against opening spam emails: even if the subject seems tempting, the content is unlikely to include anything desirable. Be careful on the Internet! Don’t open spam emails!

Spam report: October 2011

Your email address will not be published. Required fields are marked *

 

Reports

APT trends report Q3 2024

The report features the most significant developments relating to APT groups in Q3 2024, including hacktivist activity, new APT tools and campaigns.

Subscribe to our weekly e-mails

The hottest research right in your inbox