Spam Evolution: January – March 2008 Executive Summary

Kaspersky Lab, a leading developer of secure content management systems, has released its latest report on the evolution of spam for the first quarter of 2008.

The results of the first quarter of 2008 have not been altogether encouraging: the share of spam in mail traffic rose steadily, continued to diversify and became increasingly criminalized.

In the first quarter this year spam represented an average of 88% of all mail traffic. The largest fluctuations in spam volume were observed in January (from 73.1% to 97.3%), but from mid-February the figure remained above 80%.

The list of spam categories was fairly typical for the Russian Internet: Medications and health related goods and services (32.5%), Education (13.3%), Travel and tourism (7.2%), and Computers and the Internet (4.5%). The exception was Adult content (4.3%) in fifth place. For over two years this category had propped up the list of category ratings, accounting for just 2% of spam.

There were two interesting aspects to the spam categories on the Russian Internet in the first quarter: the absence of any political spam preceding the presidential elections in Russia, and the sharp rise in spam advertising fake luxury goods (totaling 9.1% of all spam in March).

In the first three months of 2008 the criminalization of spam continued to diversify into other areas. This type of spam can generally be divided into three main groups:

1. Fraudulent spam: spammers use a variety of methods to try to steal money from Internet users;
2. Spam that is used by cyber criminals in order to spread malicious programs;
3. Spam with offers of a criminal nature: organizing DDoS attacks, selling spam software and databases of confidential data, and offers to send malware, etc.

A separate example is negative PR, which was also observed this quarter. Incidents included attacks on the newspaper Kommersant and the SB-GARANT insurance company.

The Russian Internet has recently been the site of more than just classic ploys from the Western segment of the Internet. Malicious users have successfully developed new means of swindling money from Russian-speaking users. For example, fraud in which SMS text messages are sent to short code numbers is currently very widespread on the Russian Internet.

Malicious users also took advantage of spam emails to spread links to malware. These emails tend to imitate notifications from well-known email clients. Many virus attacks were observed during holidays. There was a wide variety of offers in terms of advertisements for criminal goods and services: DDoS attacks, phone flooding, selling spam database addresses, making promises to teach users how to write viruses, etc. In addition to criminal activities online, spammers also offered specific offline services.

A number of technical spammer innovations were also observed in the first quarter of the year: spammers started adding random "noise" text using html tags. This involved the use of comment tags to define the color and other features of text. Most email clients see such tags as auxiliary, which is why they are not displayed to the recipient. Spammers also made use of their tried and tested methods: the share of graphical spam rose steadily from January to end the quarter at 28% of all unsolicited correspondence.

The full version of the report can be found at www.viruslist.com.