Spam evolution: August 2009

Spam in mail traffic

The amount of spam detected in mail traffic averaged 85.1% in August 2009. A low of 76.3% was recorded on 1 August with a peak value of 90.8% being reached on 16 August.

Percentage of spam on the Russian Internet in August 2009

Malicious attachments and links

Malicious files were found in 0.05% of all email messages, which is half as many as in the previous month.

Malware in spam messages in August 2009

It’s not difficult to notice that the NetSky epidemic continues – nearly half of all the top 10 malicious programs contained in spam messages belong to this worm family. According to the description provided on Securelist.com, Email-Worm.Win32.NetSky spreads across the Internet in the form of an email attachment. It is sent to all the email addresses found on an infected computer. The worm activates when a user launches an infected file (by double clicking on the attachment). The worm then installs itself on the new system and launches its distribution procedure afresh.

The total percentage of infected spam messages containing worms from the NetSky family exceeded 33% in August.

The second most prevalent family is Bredolab. Backdoor.Win32.Bredolab is a Trojan program from a backdoor family. It is distributed in the form of an attachment to an email message. In order to appear less suspicious it has an icon identifying it as a Microsoft Excel document, though with an .exe extension. This trick works because for the majority of users, file extensions are not normally displayed. When the Trojan is launched it includes your computer into a botnet. Having requested data from the command centre, a malicious program then downloads additional modules from the global network. These modules are either annoying fake antivirus programs that find hundreds of non-existent malicious programs and ask for money to treat them, or spyware that steals user passwords. This scheme is reminiscent of Net-Worm.Win32.Kido which used the same scheme to install a Iksmas spam bot and a fake antivirus program.

The total percentage of emails containing malware attributable to the Bredolab family exceeded 32%.

A worm from the MyTob family is rated as the second most prevalent – the percentage of emails containing this piece of malware averaged 12.53% in August. The MyTob epidemic, like the NetSky epidemic, has been experiencing a slowdown for more than a year now. A MyTob worm is a network worm that infects computers running under the MS Windows operating system. The worm spreads via vulnerabilities found in Microsoft Windows LSASS (MS04-011) and Microsoft Windows DCOM RPС (MS03-026), as well as via the Internet in the form of attachments to infected emails. The worm is sent to all email addresses found on an infected computer. The worm contains a backdoor function allowing it to receive commands via IRC channels.

In order to distribute malicious attachments, spammers fell back on one of their old tricks – the mass mailing of false ecards. The attachment containing the ‘ecard’ displays a name such as “something.card.zip” which, in fact, turns out to be a Trojan program from the Trojan-Spy.Win32.Zbot family designed to steal user data. In some mass mailings it was a backdoor called backdoor.irc.zapchast.zwrc that allowed remote operation of the computer via the Internet with the help of mIRC. These two worms were received most often by recipients of this type of ‘ecard’.

The backdoor mentioned above spread throughout the Internet in spam emails purporting to relate to the death of the late Michael Jackson.

Any user that clicked the link was asked to download an .exe file, which was in fact, a backdoor program.

Phishing

Links to phishing sites were found in 1.09% of all emails, an increase of 0.06% compared to July. In August, PayPal and eBay, the two most popular targets for phishers for the last half a year, were finally deposed from their leading positions. The percentage of attacks on PayPal halved and made up only 18.65% of the total figure. Its companion in misfortune, Internet auction site eBay, was attacked less in August than in July by a factor of three, averaging 10.05%. Following an abrupt and unexpected rise, CHASE bank found itself in the number one slot with 30.6%, having been a Top 10 outsider in the previous month. Exactly the same thing happened in December 2008 when CHASE appeared from nowhere to take the lead unexpectedly – the number of phishing attacks on the bank amounting to 55.9% at that time. Bank of America climbed one place compared to July. The percentage of attacks it suffered increased considerably, reaching 19.45%.

Organisations targeted by phishing attacks in August 2009

One of the phishing attacks involved a mass mailing to PayPal users and contained a fake address similar to the web portal’s administration address. Fraudsters replaced the letter “l” in PayPal for “1”, making the fake address look almost identical to the original one: service@PayPa1.com.

Amongst August’s English-language phishing ploys, Citibank clients were encouraged to enter their personal details on the site of the Free Protestant Church which had been taken over by hackers.

The increase in the amount of phishing was most noticeable towards the end of August. The last week of the month saw a 4.6% rise in the percentage of emails in the Computer fraud category.

Sources of spam on the Russian Internet

Sources of spam

In August, there was a major reshuffle in the league table of countries considered to be key sources of spam. Brazil took the lead (11.8%) due to the increased volume of spam originating from inside the country (+3.3%) coupled with a considerable decline in that originating from the U.S. (-21.33%). Poland came second with 8% of the world’s spam (up 5.5% compared to July), followed by Vietnam (6.83%), India (6.55%) and Korea (5.52%). These last three countries “improved” on their previous results regarding the mailing of spam, displacing China and Russia as the leaders. China took third place in July, but in August its share fell by 2% which meant it fell to ninth position. The amount of spam coming from the UK increased by 0.5% and accounted for 2.02%, taking it up two places to 14th.

Spam by category

Spam by category on the Russian Internet in August 2009

In August the most common spam categories were:

1. Education — 14.29% (-0.3%)
2. Medication and health-related goods and services — 13.77% (-11.53%)
3. Fake luxury goods — 10.38% (+3.58%)
4. E-advertising services — 9.89% (-5.51%)
5. Travel and tourism — 8.96 (+5.66%)

Noticeably, there was significant growth in types of computer fraud not included in the top five categories. August saw this sector double compared to the previous month, averaging 7.5% (+3.4%)

In August, spammers used the name of Michael Jackson to distribute more than just viruses. For example, when a user clicked on the pop idol’s photo, which was of course masked by the spammers using background noise, they received an email with the subject “Michael Jackson dead? NO!!!”. Upon opening the email, the user then found themselves on a web page advertising Viagra.

Original spam

New technologies are penetrating all spheres of our life, including religion. For example, today many churches have their own websites that help people to better understand the gospels. Another example is a page on Twitter where people can leave a message for God that will subsequently be placed in the Wailing Wall. Spammers just couldn’t resist the opportunity to ‘participate’ in this area of people’s lives, and in August someone called James from the US launched a spam email that contained his offer to pray for people.

Neither the email itself nor the site that the recipient is directed to upon clicking the link in the body of the message contains any requests to send an expensive SMS message or to make a money transfer. The only thing that the sender has to do is to tell James who or what exactly he wants James to pray for. It is stated in the email that he promises to subsequently comply with their request. It is of course a noble intention. However, the use of spam as a means to distribute his message gives reason to suspect that his intentions may not be as pure as they seem.

Spammer methods and tricks

In August, spammers again used one of their old tricks – an email address “drawn” by means of colouring in cells in an HTML table. It seems that whilst we were enjoying a break from these ‘mosaics’, the spammers were perfecting their skills – the previously unreadable inscriptions having been turned into high-quality images.

The main disadvantage of this trick is the fact that many users prefer plain text format whereby the “drawing” is not seen, as opposed to HTML format where it is. Moreover, such mailings are not for the lazy recipient – an address drawn with the help of an HTML table is not a clickable link and a user has to enter it into their browser address bar manually. Generally, even the most curious and reckless of users will not bother to do this.

In August, spammers launched several mass mailings that expertly imitated legitimate messages. The main feature of these mailings were that they had nefariously altered the headers in the ‘From’ field, amongst others.

Conclusion

With the exception of Michael Jackson’s death, August was not rich in newsworthy public events that spammers could adapt for use as messages headers in their mass mailings. This accounts for the use of the pop singer’s death being such a prominent theme.

In August, Internet fraudsters became more active. Considerable increases in the volume of phishing and ‘Nigerian’ letters for this period will inevitably lead to an increase in the number of victims that fall for this type of fraud.

It is necessary to at least abide by the simplest of security rules: do not send personal data and passwords to suspicious or unknown addresses, do not download attachments or click the links received in spam messages, and of course, ensure that the antivirus program that protects your computer is permanently enabled and active.

Recent trends

• The amount of spam in mail traffic decreased by 0.65% compared to July’s figure and averaged 85.1% in August.
• Links to phishing sites were found in 1.09% of all emails – an increase of 0.06% compared to July.
• Malicious files were found in 0.05% of emails – a decrease of 0.06% compared to the previous month.
• Spammers continue to use the name of Michael Jackson in order to attract the attention of recipients to messages containing malicious links.
• In order to bypass filters, spammers provided links to their sites in the form of HTML charts containing cells of different colours.