eleven E-mail Security Reports
eleven E-Mail Security Report – August 2011
09.08.11
Spam volumes
The spam increase that began on May 23, 2011 continued through June and July 2011: between May and July, spam volumes rose by 21.5%. This was the first sustained spam increase since the shutdown of Rustock, then the world’s largest botnet, on March 16, 2011. Online casino campaigns sent in short but massive waves were responsible for the increase, and the eleven research team observed a substantial rise in spam level fluctuations as a result. Although the baseline spam volume was exceptionally low, the casino waves produced considerable peaks that sent spam levels skyrocketing within very short periods of time.
The renewed increase in spam also raised the share of spam in overall e-mail volume: having fallen to 78.7% in May, it was back at 83.1% by July 2011. Legitimate, clean e-mails accounted for 10.8% of all e-mail and legitimate newsletters for 3.7%. For the first time, the share of new virus outbreaks (0.09%) was considerably higher than the share of known malware (0.03%).

Spam topics
A significant shift in spam topics took place in June and July 2011. At 54.2%, advertising for online casinos made up more than half of all spam e-mail. The long-standing front-runner, pharmaceutical spam, trailed far behind in second place at 26.0%, followed by replica watches (9.8%) and illegal job offers (4.6%). Dating spam, by contrast, nearly disappeared, falling to 0.8% of spam volume in July from 7.7% in May. The share of job offers fell by more than half compared with May (9.5%).

Spam trends
The trend of using current events and popular topics as lures for spam e-mails continued in June and July. One focus was the launch of Google’s social network, Google+. Spammers exploited the fact that the platform was, at the time, only accepting users invited by existing members: they sent out fake invitation e-mails whose links led instead to a page of Canadian Pharmacy, a well-known Viagra spam operation.
That campaign continued another trend that began in the wake of the Rustock shutdown: whereas pharmaceutical spammers used to advertise their products openly in subject lines and message bodies, they now try to lure users to their online shops under a pretext, hoping that users will order something once they land on the page.
Another current event spammers exploited was the scandal surrounding Rupert Murdoch’s media empire and the phone-hacking practices of the since-closed News of the World, which gave rise to isolated campaigns in July. The e-mails carried subject lines such as “Murdoch faces Australia questions” and contained an invitation to “buy Viagra” together with a link to an online pharmacy.
One noticeable trend in the most important spam topic, online casinos, was increasing localization: German-speaking users receive the messages in German, while English-speaking recipients are targeted in English.
Countries of origin
India took first place among the countries from which spam is sent. With a 12.1% share of overall spam, it came in first for the third month in a row in July. Brazil, the previous leader, came in second with 9.5%, while the USA, for years the dominant country of origin, has not appeared in the top ten since April. Indonesia came in third (9.2%), Vietnam fourth (8.6%) and Russia fifth (6.1%).
The United Kingdom, the last leading Western industrialized nation in the top ten, dropped out of the list in June. France and Germany have not been among the main spam sources since the Rustock shutdown. Asia and Eastern Europe have taken their place and now play the leading role in spam dissemination: in July, eight of the top ten countries came from those regions, alongside two South American countries, Brazil (second place) and Peru (tenth place).

Phishing
The number of phishing attempts rose significantly in June and July. One evident trend was increased localization, targeting recipients in their own language. Credit card users were a primary target; in Germany, customers of the Sparkasse banking group were targeted in particular. The bait in the Sparkasse campaign built on the SecureCode scheme (MasterCard’s SecureCode and Visa’s Verified by Visa), recently introduced as an additional security measure for online credit card purchases. The campaign not only exploits a current topic but turns the customers’ own need for security into the lure. Subject lines included phrases such as “Activate your Verified by Visa – MasterSecure Code,” and the e-mail warns that the customer’s account or shopping cart will be blocked. The message then either carries an attached HTML file containing a form for the user to fill out or a direct link to a phishing site.
Another campaign targeted credit card holders. The purported sender was “The Credit Card Association”, and the e-mails claimed that the user’s credit card had been blocked for security reasons. To unblock it, the user was asked to fill out a form requesting sensitive personal and credit card data; the form submitted to a Web site controlled by the phishers, who harvested the data there.
Yet another phishing target was Google AdWords, an online advertising service popular with many companies; it lets companies place ads that are shown alongside search results for specific search terms. The phishing e-mails’ subject line claims that the company’s AdWords account has stopped: “Account has stopped running this morning.” The body goes on to say that the account has been blocked and no more ads can be placed. Since many companies run AdWords ads only for a brief period, e.g. 24 hours, even a short interruption can mean serious losses, which adds urgency to the lure. The link leads to an imitation of Google’s login page, where the user is asked to sign in with their name (or Google e-mail address) and password; the captured credentials are then submitted to a PHP script on the phishing server.
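The three phishing campaigns above share two mechanics a mail filter can look for: a form (in an attached HTML file or on the linked page) that asks for card numbers or passwords, and a link whose visible text names the bank while the href points elsewhere. The following triage script is an added example, not eleven’s code or eXpurgate logic; the sample message, the sender and recipient addresses and the 203.0.113.7 phishing host are constructed for the demonstration, and the keyword lists are assumptions a practitioner would tune to their own traffic.

```python
"""Triage of phishing mails of the kind described above: HTML forms that
collect card data or passwords, and links whose text and href disagree.
Added example with a constructed sample message; not eleven's code."""
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Field names phishers ask for in card / banking forms (assumption, tune locally).
SENSITIVE_FIELDS = re.compile(
    r"(pass(word|wd)?|\bpin\b|cvv|cvc|card.?number|ccnum|securecode|\btan\b)", re.I)
# Urgency wording from the subject lines quoted in the report plus generic variants.
LURE_SUBJECT = re.compile(
    r"(activate|blocked|frozen|stopped running|verify|unblock)", re.I)


class FormScanner(HTMLParser):
    """Collect form actions, sensitive input names and (href, link text) pairs."""

    def __init__(self):
        super().__init__()
        self.actions, self.sensitive_inputs, self.links = [], [], []
        self._link_href, self._link_text = None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        name, itype = (a.get("name") or ""), (a.get("type") or "")
        if tag == "form":
            self.actions.append(a.get("action") or "")
        elif tag == "input" and SENSITIVE_FIELDS.search(name + " " + itype):
            self.sensitive_inputs.append(name or itype)
        elif tag == "a" and a.get("href"):
            self._link_href, self._link_text = a["href"], []

    def handle_data(self, data):
        if self._link_href is not None:
            self._link_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._link_href is not None:
            self.links.append((self._link_href, "".join(self._link_text).strip()))
            self._link_href = None


def host(url):
    """Hostname of an http(s) URL, or '' if the string is not a URL."""
    m = re.match(r"https?://([^/:?#]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""


def scan_html(html):
    """Return human-readable findings for one HTML body or attachment."""
    p = FormScanner()
    p.feed(html)
    findings = []
    if p.sensitive_inputs:
        findings.append(f"form collects {sorted(set(p.sensitive_inputs))} -> {p.actions}")
    for href, text in p.links:
        th, hh = host(text), host(href)
        if th and hh and th != hh:   # link text shows one host, href goes to another
            findings.append(f"link text shows {th} but points to {hh}")
    return findings


def triage(raw):
    """Parse a raw RFC 5322 message and scan subject plus every HTML part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    if LURE_SUBJECT.search(str(msg["subject"] or "")):
        findings.append(f"lure subject: {msg['subject']}")
    for part in msg.walk():
        if part.get_content_type() == "text/html":   # body or HTML attachment
            findings += scan_html(part.get_content())
    return findings


def build_sample():
    """Constructed Sparkasse-style lure: HTML attachment with a card-data form."""
    msg = EmailMessage()
    msg["From"] = "service@example-bank.invalid"      # constructed
    msg["To"] = "victim@example.invalid"              # constructed
    msg["Subject"] = "Activate your Verified by Visa - MasterSecure Code"
    msg.set_content("Your card will be blocked unless you activate SecureCode. See attachment.")
    form = "\n".join([
        '<html><body><form action="http://203.0.113.7/collect.php" method="post">',
        'Card number <input name="ccnum">',
        'SecureCode password <input type="password" name="securecode">',
        '<input type="submit"></form>',
        '<a href="http://203.0.113.7/login">https://www.example-bank.invalid/</a>',
        '</body></html>'])
    msg.add_attachment(form, subtype="html", filename="activate.html")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage(build_sample()):
        print(finding)
```

The scanner deliberately treats an HTML attachment and an HTML body the same way, because the Sparkasse campaign used both delivery forms; the host comparison only fires when the link text itself looks like a URL, so plain "click here" links are left to other checks.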
Malware
July 2011 was the month of virus outbreaks. Although the number of known malware samples fell by 45%, new malware exploded: the number of virus outbreaks rose by 233% compared with June. At 0.09% of overall e-mail volume, the share of new malware was three times that of known malware (0.03%). In recent months, the eleven research team has observed malware senders increasingly exploiting the detection delay of conventional signature-based virus scanners, which commonly need several hours to assign a signature to a new sample and recognize it. Malware authors use precisely that window to disseminate the bulk of a campaign. eleven’s early-detection antivirus software, eXpurgate, detects virus outbreaks immediately after their first appearance.
The most sensational malware campaign of June and July involved e-mails that allegedly contained a voucher for a free breakfast at McDonald’s. The messages carried subject lines such as “Invite everyone to the day of free food” and were purportedly sent from information@mcdonalds.com. A purported invitation to a free breakfast on June 28, 2011, which the spammers called “Free Breakfast Day,” was meant to entice the recipient into opening the attachment. Instead of a free breakfast, the recipient received malware.
A number of different Trojans, including Crypt.XPACK.Gen, a variant of the Zeus/ZBot banking Trojan, continued to dominate malware distributed by e-mail. They were disguised as a money transfer or as an order confirmation from a package-shipping service; opening the attachment activated the Trojan. The TR/Dropper.gen dropper Trojan was sent out in June using a similar trick to the one behind that month’s leading e-mail malware wave. The Mydoom worm, a nuisance for years, made a comeback and was the most commonly sent malware in July. Its e-mails posed as non-delivery reports, with the malware in an attachment disguised as the error report for the supposedly undeliverable message.
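The signature gap described in the malware section and the Mydoom bounce lure can both be caught without a signature: a previously unseen attachment that reaches many recipients within minutes is an outbreak by definition, and a non-delivery report should never carry an executable or archive. The detector below is an added example illustrating that idea; it is not eleven’s or eXpurgate’s logic. The message stream, the recipient addresses, the "known" signature set, the window of ten minutes and the threshold of five distinct recipients are all constructed assumptions.

```python
"""Signature-less early warning: flag an unknown attachment hash once it hits
`threshold` distinct recipients inside a sliding `window`, and flag bounce
messages that carry executables.  Added example with a constructed stream;
not eleven's code."""
import hashlib
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hashes the signature database already knows (assumption: one constructed sample).
KNOWN_SIGNATURES = {hashlib.sha256(b"KNOWN-SAMPLE").hexdigest()}
# Attachment types that have no business inside a genuine non-delivery report.
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".zip")
# Subject wording of forged bounces (Mydoom-style lure); assumption, tune locally.
BOUNCE_SUBJECT = re.compile(
    r"(undeliver|delivery (status|failure|failed)|returned mail|mail delivery failed)", re.I)


class OutbreakDetector:
    def __init__(self, window=timedelta(minutes=10), threshold=5):
        self.window, self.threshold = window, threshold
        self.sightings = defaultdict(deque)   # sha256 -> deque of (timestamp, recipient)
        self.alerted = set()                  # hashes already reported as outbreaks

    def observe(self, ts, recipient, subject, filename, data):
        """Return the list of verdicts for one attachment seen at time `ts`."""
        verdicts = []
        digest = hashlib.sha256(data).hexdigest()
        if digest in KNOWN_SIGNATURES:
            return ["known-malware"]          # the conventional scanner handles this one
        if BOUNCE_SUBJECT.search(subject) and filename.lower().endswith(EXEC_EXT):
            verdicts.append("bounce-lure")    # executable inside a "bounce"
        q = self.sightings[digest]
        q.append((ts, recipient))
        while q and ts - q[0][0] > self.window:   # expire sightings outside the window
            q.popleft()
        distinct_recipients = {r for _, r in q}
        if len(distinct_recipients) >= self.threshold and digest not in self.alerted:
            self.alerted.add(digest)
            verdicts.append("outbreak")       # unknown sample in a burst: no signature yet
        return verdicts


def run_demo():
    """Constructed stream: one new sample to six recipients in six minutes,
    one sample the scanner already knows, one benign PDF."""
    det = OutbreakDetector()
    t0 = datetime(2011, 7, 12, 9, 0)
    payload = b"MZ" + b"\x90" * 64           # constructed stand-in, not real malware
    results = []
    for i in range(6):
        results.append(det.observe(
            t0 + timedelta(minutes=i), f"user{i}@example.invalid",
            "Mail delivery failed: returning message to sender",
            "error_report.zip", payload))
    results.append(det.observe(
        t0 + timedelta(minutes=8), "acct@example.invalid",
        "Order confirmation", "invoice.exe", b"KNOWN-SAMPLE"))
    results.append(det.observe(
        t0 + timedelta(minutes=9), "hr@example.invalid",
        "Agenda", "agenda.pdf", b"%PDF-1.4 constructed"))
    return results


if __name__ == "__main__":
    for n, verdict in enumerate(run_demo()):
        print(n, verdict)
```

With these settings the first four copies of the new sample are only flagged by the bounce heuristic; the fifth distinct recipient trips the outbreak verdict, and the sixth copy is no longer re-alerted. Counting distinct recipients rather than raw messages keeps a single mailbox under retry from looking like a burst, and the window bounds memory for hashes that never recur.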
