eleven E-mail Security Reports
eleven E-mail Security Report – June 2012
Spam levels showed a significant increase in April and May 2012. In May alone, occurrences of spam grew by 17.3%. At the same time, there were again large fluctuations in spam levels of the type that characterised spam distribution in 2011. Despite the increase in spam e-mail occurrences, the proportion of actual spam fell between March and May 2012 from 72.9% to 67.4%. The main reason for this development was the sharp rise in other types of e-mail, particularly malware-infected e-mails. The percentage of “clean” e-mail was 19.7% in March, legitimate bulk e-mail (e.g. newsletters) accounted for 6.6%, and malware e-mail constituted 2.1%. Phishing e-mails made up 0.1% of total e-mail.
The most important spam topic consolidated its top position in April and May 2012: pharmaceutical spam increased its share in total spam e-mails from 25.0% in March to 34.4% in May. In second place, the proportion of online casino spam fell from 19.1% to 15.8%. The big “winner” when it came to spam topics was fake luxury items. This category was given a boost, among other factors, by spam related to Mother’s Day and increased its share from 11.1% to 14.0%. Dating spam (2.1%) and illegal job offers (0.8%) came further down in the ranking after registering a share as high as 7.7% in March.
Countries of origin
In April and May 2012, the eleven research team observed a more widespread geographical distribution of spamming. The top-ten list contains four Asian countries, but both Eastern Europe and Latin America occupy two places, and there are two developed Western nations in the ranking. India retained its position at the top as the origin of 11.0% of all spam, followed by Vietnam (6.2%), Brazil (5.9%), Russia (5.5%) and Romania (4.4%).
The USA, for many years the leader in the spamming charts, fell out of the top ten in March 2011 as a result of the shutdown of Rustock, the world’s largest botnet. However, the country is now climbing back towards the top, occupying sixth place as the originator of 3.8% of all spam. In tenth place, Germany is also experiencing a dubious “comeback”, returning to the top ten for the first time since the Rustock shutdown with a 2.8% share.
Generally speaking, it has been observed in recent months that the geographical distribution of spammers, which was concentrated in Asia and Eastern Europe after the Rustock shutdown, has become more diluted with a more even distribution of spam. A particularly large increase was recorded in Western industrialized countries, which were the most heavily affected areas before the action against Rustock. This indicates that several new or restructured botnets are currently being developed with the purpose of at least partially replacing lost infrastructures.
Over the last few months, the eleven research team has observed a marked increase in attempted fraud against Internet users in Germany. Spammers have improved the quality of their German texts and taken into account German issues such as tax refunds. The eleven research team has now also discovered indications in “normal” spam e-mails that suggest a heightened focus on German-speaking countries. The spam e-mails that were investigated can all be put under the category of male potency drugs, an area that has seen moderate growth since the start of the year. These spam e-mails are very short in length and have a subject line that attempts to deceive simple spam filters using a very old trick. Disguising signal words such as “Viagra” and “potency” is all it takes to bypass some spam filters. Whereas people are still just about able to make sense of a subject line such as “Ord_r free pt*/=e!:ncy drgs on the WWW”, a keyword list would fail to identify this as spam.
Event-related spam experienced a significant rise, particularly in the month of May. In addition to topic-specific flows of spam for Mother’s Day, there have already been campaigns related to the Olympic Games in London. The most popular trick here was a fake prize draw, ostensibly to raffle off tickets for various events. In most cases, this was a front for a phishing scam.
Having increased during the first quarter by almost 170%, the number of phishing attacks continued to grow, rising by a further 18.5% in May. In the same month, phishing e-mails accounted for 0.1% of all e-mail activity.
There was a continued trend in May towards region-specific phishing campaigns, for example ones that targeted German-speaking users. For example, the eleven research team observed a wave of e-mails ostensibly from Amazon.de claiming that user accounts had been restricted and needed to be reactivated. The links in such e-mails would then lead to a phishing site.
Campaigns using the name of German financial institutions remain popular among spammers. In particular, phishers still appear to have their sights set on Postbank customers. In April and May the team at eleven registered numerous waves of phishing in the name of this bank.
The months of April and May 2012 were shaped by a significant increase in e-mails containing new and familiar malware. There was an explosive rise in the number of virus-infected e-mails: the volume of known malware swelled by more than a factor of ten, growing by 927.3%. Compared to the same month in 2011, this represents an increase of 340.1%. The team at eleven also observed considerable growth in the number of new virus outbreaks: the volume of new malware more than tripled in May 2012 (an increase of 251.6%). Compared to the previous year, this represented growth of as much as 622.4%.
Similar to the statistics for spam, those for the distribution of known malware in May 2012 were dominated by India, which had a share of 12.5%, followed by Italy (6.5%) and Taiwan (6.0%). The USA came eighth with 3.4%, and Germany was not listed in the top-twenty countries. For virus outbreaks, too, India came first with 11.9% of all new viruses. Vietnam (7.5%) and Brazil (7.4%) came next, with the USA ranked seventh (4.4%). However, Germany was once again not among the twenty most prolific countries.
The explosive increase in malware can once again be traced back to Trojan horses above all else. In addition to well-known culprits such as Zbot and Bredolab, the eleven research team observed strong waves of less widespread malware, including the Matsnu, Bublik and Gypikon Trojans. Nine of the ten largest malware waves in May 2012 contained Trojans, and eight out of ten malware outbreaks were also Trojan horses. The largest virus wave concerned a variant of the Zeus Trojan (Zbot) disguised as a delivery confirmation from a logistics company.
Fake mobile phone bills, delivery notes and order statements were once again popular tricks. Scammers claimed that users had taken out a subscription that required them to pay a fairly large amount (a high three-figure sum) in the hope that this would prompt them to open an attachment to see the supposed invoice.
An especially perfidious campaign that also specifically targeted users in Germany claimed that the sender had proof that the recipient was guilty of a crime, and that this would be reported unless a certain amount was negotiated and paid. The attachment appeared to contain photographic evidence which was actually nothing more than a Trojan horse that would install itself on the system if the file was opened.
It was once again noted that more and more spam e-mails were written in good German and specifically targeted German-speaking users in the hope that they would think the messages were genuine. A greater degree of regionalisation has been observed for some time and is now apparent in spam, phishing and malware campaigns.