The first quarter of the year was littered with holidays and, of course, spammers tried to make the most of it. Be it Valentine’s Day, International Women’s Day, St. Patrick’s Day or Easter – it seems there’s no holiday that won’t get a spammer working overtime. However, in Q1 of 2012 the share of spam in mail traffic was down 3 percentage points compared to the previous quarter, averaging 76.6%.
“The drop in the percentage of junk email was in no little part down to the combined efforts of Kaspersky Lab and the CrowdStrike Intelligence Team, HoneyNet Project and Dell SecureWorks research groups. Their work resulted in the neutralization of the second version of the Hlux/Kelihos peering botnet. According to our data, the botnet included over 100,000 infected computers,” says Darya Gudkova, Head of Content Analysis and Research at Kaspersky Lab.
Spammer methods and tricks
Spammers who specialize in spreading malware are especially creative in the sphere of social engineering.
A mass mailing containing fake notifications from NACHA was followed by messages purporting to come from the Better Business Bureau (BBB). The emails mainly targeted small and medium-sized businesses. When users clicked on the links inside the messages they were taken to a hacked site with an embedded script that redirected them to a malicious site containing the notorious BlackHole exploit pack.
A similar scheme was used for another mass mailing that imitated a message from an airline. The user was invited to check in online for a US Airways flight. Other malicious mass mailings imitated financial news, job offers, bank notifications, information from social networking sites, etc.
Sources of spam
2011’s major trend continued in Q1 2012: the share of spam emanating from Asia (+3.83 percentage points) and Latin America (+2.66 percentage points) increased, albeit slowly. The contributions of Africa (+0.67 percentage points) and the Middle East (+1.09 percentage points) also grew. Although the volume of spam originating from the latter two regions is not yet significant, a clear growth dynamic is evident. The proportion of spam distributed from Africa and the Middle East increased by 20 and 29.6 percentage points respectively compared with Q4 2011.
The shares of Western and Eastern Europe continued to decrease and in Q1 2012 amounted to 23.43% of the total volume of global spam (-8.35 percentage points). After the closure of Hlux we can expect further changes in the geographical distribution of spam sources.
Emails with malicious attachments
Although the percentage of malicious attachments in spam has decreased, it still remains high. Moreover, many malicious emails contain links to sites with exploits that are used in drive-by attacks, rather than attachments. Such links use various redirects to sites containing exploit packs – sets of exploit tools designed to find vulnerabilities in popular applications such as Java, Flash Player and Adobe Reader.
The peak of malware distribution came in January, when over 4% of all emails contained malicious attachments. In February and March the proportion of malicious spam was 2.8%.
In the first quarter of 2012 the volume of phishing emails decreased slightly and accounted for just 0.02% of all mail traffic.
This year saw the start of Kaspersky Lab’s new listing of the top 100 organizations targeted by phishers, grouped by category. More detailed information about each category is available here.
In Q1 2012 the distribution of phishing attacks by organization was relatively stable. Among the noticeable shifts was the increase in the number of attacks on Amazon in January. In the first month of the year online stores and e-auction sites occupied second position in the rating. However, in February they were replaced by social networking sites, which saw their position bolstered by a surge in attacks on Facebook. That site has been the single most targeted site for the past two months.
The full version of the Spam Report for Q1 2012 is available at: www.securelist.com.