eleven E-mail Security Report – October 2011
12.10.11
Spam Levels
Spam levels increased considerably in the months of August and September 2011 with an 89% upsurge compared to July 2011. eleven recorded an increase of more than half (51%) in September alone. That placed spam levels in September back at 74% of the level prior to the takedown of the world’s largest botnet, Rustock, on March 16, 2011. The soaring growth indicates that the spammers have since replaced a large part of their lost capacities.
Campaigns for online casinos sent in short, yet often massive waves were largely responsible for the increase. Although the Rustock takedown led to a roughly 80% decrease in spam, the shutdown of the Kelihos botnet in late September 2011 had no impact on spam levels whatsoever.
Due to the rising spam levels, spam’s share of all e-mail continued to grow. In September, 89.6% of all e-mails were spam; in May, that level was 78.7%. The percentage of “clean” e-mails was 6.4%, and legitimate mass e-mails (e.g. newsletters) made up 2.4%. Malware e-mails were at 0.13%, including 0.04% that were new virus outbreaks.

Spam Topics
The forerunner among spam topics was once again e-mail ads for online casinos. With a 53.7% share, they constituted over half of all spam in September. The year-long leader, pharmaceutical spam, declined once again and only constituted a 10.0% share (July: 26.0%). Other popular spam topics from this year lost ground, too: fake watches fell from 9.8% in July to 3.0% in September, and illegal job offers declined from 4.6% to 1.3%. Phishing e-mail constituted 2.6% of all spam e-mails in September 2011.

Spam Trends
The trend toward taking advantage of current events for spam continued in August and September 2011: for example, the revolution in Libya immediately led to deceitful spam waves. An alleged daughter of overthrown dictator Gaddafi asked for help in “saving” the family fortune. A different story was used as bait for those who weren’t able to muster up any sympathy for the Gaddafi family: an American businessman, the e-mails claimed, was stranded in Libya, and the US consulate had been shut down. The only individuals who could help were the e-mail recipients. Those who responded to the e-mail were then asked to pay up, either for a flight ticket or for the fee for a new passport.
Rumors about a new iPhone also served as an opportunity for spam campaigns in September. E-mails with quiz questions about Apple’s smartphone insinuated that participating recipients would be eligible to win an iPhone 5. What was actually behind the e-mail, though, was a subscription ploy: participation in the quiz led to the automatic sign-up for a 4.99-per-week contract.
Facebook’s continuing popularity presented yet another opportunity for spam campaigns, under the pretense of new functions that Facebook introduced in late September. The spam e-mails carried subject lines such as “New Facebook site” or “Latest from Facebook.” They were intended to get users to click on a link leading to a dating site with a Facebook-like design, disguised as a Facebook service.
Countries of Origin
When it comes to spamming, the considerable shift that began after the Rustock takedown continues: most spam e-mail currently comes from emerging nations. The most important regions of origin for spam are Asia, Eastern Europe, and, to a lesser degree, South America. Of the top ten spam-sending countries in September, six were in Asia, three in Eastern Europe, and one in South America.
India has remained the top country of origin for spam. The country ranked first in July with a 13.2% share of all spam, followed by Brazil (10.4%), Vietnam (10.3%), Indonesia (8.7%), and Russia (6.7%). By contrast, the western industrial nations, which long played a key role in spamming, have entirely disappeared from the leading group. Rustock operated a majority of its infected computers in those countries. The US, the long-time top spammer, last made the top ten list in April.

Phishing
German-speaking bank customers were once again victims of phishing campaigns in August and September, indicating a continuing trend toward greater regionalization of phishing attacks. E-mail recipients are increasingly being attacked in their own language and shown the names of local financial institutions, which gives phishers a significantly higher “success rate.”
Deutsche Bank customers were particularly affected this time around. Subject lines included phrases such as “Credit card blocked” or “Important: Your account has been frozen!” The sender appeared as “Deutsche Bank Visa and MasterCard Security” with the e-mail address verschlossen@deutsche-bank-visa-mastercard.de. In order to reactivate the supposedly blocked card, a form had to be filled out, which asked for sensitive data such as the credit card number, expiration date, and the three-digit security code. The 3-D Secure code was also requested, which may never be asked for together with the three-digit security code. If the user falls for the trick, the phisher has all the information required to max out the credit card account.
A particularly perfidious campaign targeted individuals who had already been victims of deceptive e-mail attacks. The e-mails allegedly came from a UN organization and held the promise of compensation. A link to a UN Web site was added to make the e-mails appear more serious. In an attached form, the targeted individuals were asked to enter personal data and credit card information in order to then collect the reparation at an ATM.
Malware
E-mails used for disseminating malware experienced an explosive increase in August and September. The number of attacks with known viruses increased by 348% in September alone. Trojans once again dominated the field of malware dissemination. According to the experts of the eleven research team, that is a clear sign that global botnet infrastructures are still being rebuilt, with the goal of replacing the resources lost through the botnet takedowns and of making those infrastructures more resistant to future attacks.
The most commonly occurring types of malware were new versions of the Crypt.XPACK.Gen Trojan, which is related to the Zeus botnet. The Trojan Chepvil, which is associated with the Donbot botnet, was also well represented. Classic viruses and worms do not currently play a significant role in the dissemination of malware.
Purportedly fraudulent account transactions are the latest trick being played by virus senders to get recipients’ attention. The acronyms ACH or NACHA appear over and over in the e-mails; they refer to an organization for handling payment transactions which is only active in the USA and handles financial payment transactions for private customers, companies, and public authorities. Since August 24, the eleven research team has seen a dramatic increase in e-mails allegedly containing documents from NACHA. The attachments were .zip files with various names, usually document.zip or report.zip. The Trojan downloader Chepvil was extracted from the attachment. In the current case, Chepvil downloaded additional malware from the Internet after unzipping: a version of Zbot. In addition, a second Trojan was loaded, which entered itself into the Windows auto-start directory, attempted to contact various domains, and downloaded further data. That data included spam e-mails, which were then sent on via the infected system.
An older trick is e-mail allegedly sent from a printer or scanner. Using subject lines such as “Scan from HP Officejet #5223920,” the e-mail claimed to contain a scanned document as an attachment. Instead it contained a Trojan that was activated upon the attempt to open the supposed file. Malware waves using that scam were once again sent out in September.
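As an added illustration (not code from eleven or from this report), the following Python script parses raw e-mail messages and flags the lure indicators described in the Phishing and Malware sections above: the brand-stuffed sender domain and card-block subjects of the Deutsche Bank campaign, ACH/NACHA subjects combined with generic document.zip/report.zip attachments, and the fake printer-scan subjects. The sample messages are constructed, and the sender-domain heuristic and its threshold are assumptions of the example rather than rules from the report.

```python
import email
import re
from email import policy

# Subject phrases and attachment names are taken from the report; the
# brand-stuffed-domain heuristic below is this example's own assumption.
SUBJECT_PATTERNS = [
    (re.compile(r"credit card blocked|account has been frozen", re.I), "card-block lure"),
    (re.compile(r"\b(?:ACH|NACHA)\b"), "ACH/NACHA lure"),
    (re.compile(r"^scan from .*#\d+", re.I), "printer/scanner lure"),
]
SUSPECT_ATTACHMENTS = {"document.zip", "report.zip"}
BRAND_WORDS = ("deutsche-bank", "visa", "mastercard")

def triage(raw):
    """Return the lure indicators found in one raw RFC 5322 message (in order)."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    subject = str(msg.get("Subject", ""))
    for pattern, label in SUBJECT_PATTERNS:
        if pattern.search(subject):
            hits.append(label)
    # A bank mails from its own domain; a hyphenated lookalike domain stuffed
    # with two or more bank/card brand words is the pattern seen in the campaign.
    domain = str(msg.get("From", "")).rsplit("@", 1)[-1].rstrip(">").lower()
    if sum(word in domain for word in BRAND_WORDS) >= 2:
        hits.append("brand-stuffed sender domain")
    for part in msg.iter_attachments():  # skips the text body parts
        name = (part.get_filename() or "").lower()
        if name in SUSPECT_ATTACHMENTS:
            hits.append("generic zip attachment " + name)
    return hits

# Constructed sample messages modelled on the campaigns described in the report.
PHISH = (
    'From: "Deutsche Bank Visa and MasterCard Security" '
    "<verschlossen@deutsche-bank-visa-mastercard.de>\n"
    "Subject: Important: Your account has been frozen!\n\nPlease reactivate.\n"
)
NACHA = (
    "From: NACHA <alerts@example.invalid>\nSubject: ACH transaction rejected\n"
    'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nSee attached.\n"
    '--b1\nContent-Type: application/zip; name="report.zip"\n'
    'Content-Disposition: attachment; filename="report.zip"\n'
    "Content-Transfer-Encoding: base64\n\nUEsFBgA=\n--b1--\n"  # dummy bytes, not a real zip
)
SCAN = "From: printer@example.invalid\nSubject: Scan from HP Officejet #5223920\n\nSee attachment.\n"
CLEAN = "From: Alice <alice@example.invalid>\nSubject: Lunch?\n\nNoon?\n"
```

Calling `triage()` on each sample returns the indicator labels that fired; a clean message returns an empty list, so the function can gate a quarantine decision in a mail pipeline.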
