According to Kaspersky Lab’s spam report, in Q1 2013, the amount of unsolicited correspondence in email traffic grew slightly (+0.53 percentage points) and averaged 66.55%. The increase in the proportion of emails with malicious attachments was also small, reaching 3.3%, while the share of phishing emails fell 4.25 times to 0.0004%.
In the first quarter of 2013 spammers switched to techniques that were once well known but had fallen into disuse. They revived the use of the once-popular method of creating background noise known as "white text”. This method involves adding random pieces of text (this quarter they were sections of news reports) to the email. These insertions are in light gray font against a gray background and are separated from the main text of the ad with a lot of line breaks. The scammers expect content-based spam filters to regard these emails as newsletters and, besides, the use of random news fragments makes each email unique and thus difficult to detect.
In addition, spammers have been exploring the possibilities of legal services and are now using them to bypass spam filtering. The actual address to which the malicious link leads is masked by two legal methods at once. Firstly, the spammers used the Yahoo URL shortening service and then processed the subsequent link through Google Translate. This service can translate web pages in the user-specified link and generate its own link to that translation. The combination of these techniques makes each link in the mass mailing unique and furthermore the use of the two well-known domains adds "credibility" to the links in the eyes of the recipient.
An example of legal services being used to generate links for spam mass mailings
In the first quarter of 2013, several high-profile events occurred: the Venezuelan President Hugo Chavez died, Pope Benedict XVI resigned and the new Pope Francis was officially inaugurated. As usual, such events did not go unnoticed by spammers. There were many mass mailings which imitated BBC or CNN news reports and the users’ curiosity was aroused by the promises of sensational photos and video footage.
China (24.3%) and the US (17.7%) remained the most active spam distributors. South Korea came 3rd with 9.6% of all distributed spam in Q1 2013. Interestingly, the spam originating from these countries targets different regions: most Chinese spam is sent to Asia while junk mail from the US is mainly distributed in North America, i.e. its major part can be considered internal spam. Unsolicited messages from South Korea, meanwhile, go chiefly to Europe.
“In Q1 2013, the percentage of unsolicited correspondence in mail traffic fluctuated from month to month, although the average figure remained practically unchanged from the previous quarter. We expect the share of spam to remain at its present level in the future or grow slightly due to the recent increase in the number of multimillion mass mailings,” commented Tatyana Shcherbakova, Senior Spam Analyst, Kaspersky Lab. “Spammers keep trying to draw users’ attention to their messages: they use famous names, world events or fake notifications from popular online resources. Many emails contain links to malicious programs, including exploits. We would like once again to remind users not to click the links in emails, even if the sender appears to be someone you know. It is much safer to enter the address in the browser manually.”
The full version of the spam report for Q1 2013 is available at securelist.com