eleven E-mail Security Reports
eleven E-Mail Security Report – June 2011
15.06.11
Spam volumes
In April and May 2011, spam traffic continued to decline following the shutdown of Rustock, until then the world’s largest botnet, on March 16, 2011. Spam volume in April was 51% lower than in March, a direct result of the shutdown, and in May the eleven research team recorded a further decline of 16%.
However, there were signs of a possible resurgence of spam at the end of May 2011. From May 23 to the end of the month, spam traffic showed a rapid increase for the first time since the Rustock shutdown. Between May 22 and May 31, daily spam volume grew by over 150%, i.e. more than two-and-a-half-fold. A key reason for this rapid increase was short but very strong waves of casino spam, which occurred at least once daily starting on May 23. It remains to be seen whether this was just a brief flare-up or the beginning of a new period of spam growth.
Another consequence of the Rustock shutdown was that the share of spam in all e-mail traffic fell to a multiyear low of 78.7% in May, after 81.5% in April. In February 2011, before the shutdown, spam still made up 94.6% of all e-mails. With the spam share down, legitimate “clean” e-mails reached a double-digit share of traffic in both April and May (13.6% in May). Legitimate newsletters accounted for 5% in May, and e-mails carrying malware for about 0.2%.

Spam topics
The growth in spam at the end of May was entirely the result of casino spam, which appeared in regular, strong waves from May 23 on. On a monthly average, casino mailings accounted for 17.5% of all spam e-mails in May, up from a low 6.3% in April. That put casino spam in third place, just behind counterfeit watches (17.6%). Pharmaceutical spam still held the top position, but the Rustock shutdown eroded its lead: from a 71.6% share in February 2011 it fell to 39.0% in May, after a low of 28.3% in April.
A change in the top position was taking shape at the end of May after the massive casino campaign was launched. On June 1, Viagra spam accounted for just 3% of all spam e-mails. The daily leader was casino spam, which attained a record share of 28%.

Spam trends
After spam volumes for pharmaceuticals collapsed as a result of the Rustock shutdown, spammers made a number of attempts in April and May to increase the opening rate of their e-mails. Instead of putting the advertised product at the centre of the message as before, they now exploited the popularity of the video portal YouTube. Subject lines such as “YouTube service sent you a message: TOP ten best unrated videos to watch” or “YouTube administration sent you a message: your video on the TOP of YouTube” were designed to mislead the recipient into clicking the link in the e-mail. The link, of course, does not lead to YouTube but to a web page of the spammer group Canadian Pharmacy, where medications are sold. The idea behind the campaign is that once the user is on the site, they are more likely to order something.
We also observed an increasing trend toward criminal spam campaigns in April and May 2011, with spam and malware mixed more often than before. Dating spam, for example, was no longer used only to advertise questionable dating portals; some of these e-mails also carried malicious software as an attachment, used to deliver a variant of the SpyEye/Zeus banking Trojan.
Spam with illegal content was another focus. Job-offer spam increased significantly, especially in April. Most of it recruited so-called “money mules”, who were asked to make their bank accounts available for transfers that were presumably used for money laundering. Offers soliciting “test buyers” probably served the same purpose: the recruits were to purchase products online and pay with certificates, so that money, presumably of criminal origin, could be laundered. Spam promising academic degrees was also on an upward trend.
Old tricks for circumventing spam filters are making a resurgence: in April and May, ASCII spam and blocks of random text were again used in attempts to outsmart filters.
Countries of origin
There has been a clear “changing of the guard” among spam-sending countries. The USA, the top country for many years, lost its lead in March and by May was not even among the ten largest spam senders. Germany has not been in the top ten since March. Overall, the eleven research team has observed a clear shift away from Western industrial nations (in May, only the United Kingdom, in ninth place, was still represented in the top ten) towards emerging countries. Regionally, spam sending shifted primarily to Asia, Eastern Europe, and South America.
The top spam source in May was India at 10.4%, followed by Russia (9.2%), April leader Brazil (7.9%), South Korea (5.7%), and Ukraine (4.7%). Experts from the eleven research team assume that this shift is a direct consequence of the Rustock shutdown: the botnet controlled many computers in the United States in particular, but was clearly also heavily represented in other Western industrial countries.

Phishing
The most dangerous phishing campaign in April and May exploited the approaching deadline for filing annual tax returns in Germany. The e-mail purported to come from the German Federal Ministry of Finance and informed the recipient of a supposed tax refund. To obtain it, the recipient was to fill out a form and enter his or her credit card data. The tone and layout of both the e-mail and the form were highly authentic.
However, this campaign also illustrates how an affected institution can react quickly and effectively to a phishing attempt. In this case, the form hotlinked its images directly from the government agency’s official server rather than shipping copies. The authorities replaced those images with ones carrying a clearly visible warning, which then appeared whenever a recipient opened the form. The countermeasure works only while the kit keeps loading images from the genuine server; a kit that copies the images loses this weak spot, which is why the server’s own access logs are the place to look for such hotlinking.
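What made the counter-move possible is that every victim who opened the phishing form fetched the images from the ministry’s own web server, leaving a request with the phishing page as Referer in that server’s access log. The following Python script is an added example, not the ministry’s or eleven’s tooling: it parses combined-format access log lines and reports image requests whose Referer points to a host other than the site itself. The hostnames (www.ministry.example, tax-refund.example.net) and the five log lines are constructed for this example.

```python
"""Find phishing kits that hotlink a site's images: scan a web server's
combined-format access log for image requests whose Referer is a foreign host."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Standard Apache/nginx "combined" log layout (a generic pattern, not from the report).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
IMAGE_EXT = (".png", ".gif", ".jpg", ".jpeg", ".svg")


def hotlinking_referers(lines, own_hosts):
    """Return {(referer_host, image_path): hits} for image requests whose Referer
    host is neither empty (a direct request) nor one of own_hosts."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        path = m.group("path").split("?", 1)[0]
        if not path.lower().endswith(IMAGE_EXT):
            continue  # only image fetches are of interest here
        ref_host = (urlsplit(m.group("referer")).hostname or "").lower()
        if not ref_host or ref_host in own_hosts:
            continue  # direct or same-site request: normal traffic
        hits[(ref_host, path)] += 1
    return hits


# Constructed log lines; www.ministry.example stands in for the agency's
# server and tax-refund.example.net for the phishing site.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2011:09:12:01 +0200] "GET /img/logo.png HTTP/1.1" 200 4210 '
    '"http://tax-refund.example.net/formular.html" "Mozilla/5.0"',
    '198.51.100.23 - - [10/May/2011:09:12:44 +0200] "GET /img/logo.png HTTP/1.1" 200 4210 '
    '"http://tax-refund.example.net/formular.html" "Mozilla/5.0"',
    '198.51.100.23 - - [10/May/2011:09:12:45 +0200] "GET /img/wappen.gif HTTP/1.1" 200 1830 '
    '"http://tax-refund.example.net/formular.html" "Mozilla/5.0"',
    '192.0.2.9 - - [10/May/2011:09:13:10 +0200] "GET /img/logo.png HTTP/1.1" 200 4210 '
    '"http://www.ministry.example/steuern.html" "Mozilla/5.0"',
    '192.0.2.10 - - [10/May/2011:09:14:00 +0200] "GET /steuern.html HTTP/1.1" 200 9911 '
    '"-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for (host, path), n in hotlinking_referers(SAMPLE_LOG, {"www.ministry.example"}).most_common():
        print(f"{n:4d}  {host}  ->  {path}")
```

On the sample, only the two image fetches with the phishing page as Referer are reported; the same-site and direct requests are ignored. The Referer host is also the key a rewrite rule would use to serve a warning image to foreign pages, which is the response the report describes.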
Customers of well-known German banks increasingly became the targets of phishing campaigns in April and May 2011. Affected banks included Postbank and the Berliner Sparkasse. The forged Postbank e-mails claimed that the account had been “limited” and that the recipient could have the limitation removed by a “Resolution Center”. The e-mail was designed in the style of Postbank and used images from its website. The link to the “Resolution Center” led to a page that was a deceptively genuine copy of Postbank’s online banking site, where recipients were asked to log in with their account number and PIN. The campaign against the Berliner Sparkasse was less professional in design: the e-mail was written in poor German and used no Sparkasse layouts or logos. It claimed that account data had to be reactivated because of maintenance work and redirected the recipient to a phishing site.
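The common thread in the YouTube lures described under “Spam trends” and in the Postbank campaign above is a mismatch between the brand a message claims to come from and where its links actually go; the Postbank mail additionally hotlinked the bank’s own images. The following Python script is an added example, not eleven’s code: it collects link targets, form actions and image sources from a message’s HTML body and flags any brand named in the message whose links leave that brand’s domains. The brand-to-domain table and the three sample messages (with example.net hosts standing in for the spammers’ servers) are constructed for this example.

```python
"""Flag brand-impersonation lures: a message names a brand (subject or body)
but its links or form actions point outside that brand's domains, or it
hotlinks the brand's images while sending the user somewhere else."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Brands named in the report mapped to the domains treated as legitimate.
# This table is an assumption made for the example, not a complete list.
BRAND_DOMAINS = {
    "youtube": ("youtube.com",),
    "postbank": ("postbank.de",),
    "sparkasse": ("sparkasse.de", "berliner-sparkasse.de"),
}


class _RefCollector(HTMLParser):
    """Collect <a href>, <form action> and <img src> targets from HTML."""

    def __init__(self):
        super().__init__()
        self.links, self.images = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form" and a.get("action"):
            self.links.append(a["action"])
        elif tag == "img" and a.get("src"):
            self.images.append(a["src"])


def _host(url):
    return (urlsplit(url).hostname or "").lower()


def _belongs(host, domains):
    """True if host equals or is a subdomain of one of the given domains."""
    return any(host == d or host.endswith("." + d) for d in domains)


def analyse_message(raw):
    """Return a list of findings for one raw RFC 822 message given as a str."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg["subject"] or "").lower()
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    refs = _RefCollector()
    refs.feed(text)  # plain-text bodies simply yield no references
    link_hosts = {h for h in map(_host, refs.links) if h}
    findings = []
    for brand, domains in BRAND_DOMAINS.items():
        if brand not in subject and brand not in text.lower():
            continue  # brand not mentioned, nothing to impersonate
        foreign = sorted(h for h in link_hosts if not _belongs(h, domains))
        if not foreign:
            continue  # every link stays on the brand's own domains
        findings.append(f"{brand}: named in message but links go to {', '.join(foreign)}")
        if any(_belongs(_host(u), domains) for u in refs.images):
            findings.append(f"{brand}: images hotlinked from {brand}'s site while links go elsewhere")
    return findings


# Constructed samples modelled on the campaigns described in the report;
# the example.net hosts stand in for the spammers' real servers.
YOUTUBE_LURE = """\
From: YouTube service <noreply@example.net>
Subject: YouTube service sent you a message: TOP ten best unrated videos to watch
Content-Type: text/html

<html><body>Watch now: <a href="http://top10.pharmacy.example.net/">YouTube</a></body></html>
"""

POSTBANK_LURE = """\
From: Postbank <service@example.net>
Subject: Ihr Postbank Konto wurde limitiert
Content-Type: text/html

<html><body><img src="https://www.postbank.de/logo.png">
<a href="http://resolution-center.example.net/login">Resolution Center</a></body></html>
"""

GENUINE = """\
From: YouTube <noreply@youtube.com>
Subject: YouTube sent you a message
Content-Type: text/html

<html><body><a href="https://www.youtube.com/inbox">Read it</a></body></html>
"""

if __name__ == "__main__":
    for name, sample in (("youtube lure", YOUTUBE_LURE), ("postbank lure", POSTBANK_LURE), ("genuine", GENUINE)):
        print(name, "->", analyse_message(sample) or "no findings")
```

The check deliberately keys on host names rather than on display text, because the Postbank page copied the bank’s look exactly; what a kit cannot copy is the bank’s domain. A real deployment would need a far larger brand table and handling of URL shorteners, which the sample does not attempt.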
Malware
Since the shutdown of the Rustock botnet on March 16, 2011, the volume of malware distributed by e-mail has increased significantly. This is primarily attributable to attempts to infect many new computers in businesses and private households through massive Trojan mailings, to at least partially replace the bots lost with the botnet infrastructure. Malware volumes rose most sharply in April. A focal point was virus outbreaks, i.e. new malware that conventional virus scanners cannot yet detect: outbreaks grew by 129% in April, while e-mails carrying already-known malware increased by 26%.
In May, in parallel to the growth in targeted phishing campaigns against bank customers, the eleven research team documented a distinct rise in related malware. This chiefly involved the best-known and most dangerous banking Trojan, SpyEye/Zeus, which accounted for about 80% of all malware e-mails in May 2011. The Crypt.XPack and Crypt.ZPack variants were especially widespread, at times in massive waves, most of which promised nude photos. SpyEye/Zeus contains a routine that attempts to undermine the mTAN method for online bank transactions, which is considered particularly safe. When it detects a visit to a banking website, it tries to trick the user into downloading an alleged security certificate to his or her mobile phone, asking for the phone number and the phone’s IMSI. Afterwards, the criminals are able to read the mTANs the bank sends, and a program on the computer executes a transaction with the captured mTAN.
Another trend was the use of major brand names in malware mailings. Apple was used as bait with notable frequency, e.g. in e-mails announcing an alleged iPhone 5G. Instead of pictures of the desired product, recipients got a Trojan on their PCs. Others interested in Apple products were more fortunate: their message was “only” spam advertising Viagra and the like.
