2008 was notable for several reasons. It was the first time serious steps were taken at an international level to combat spam. The result was the closure of several criminal hosting providers where the command and control centers of major botnets were located. The economic situation also started affecting the spam business in 2008; fewer goods were advertised, but there was an increase in the amount of criminalized spam.
Kaspersky Lab’s forecast that 2008 would not bring a decline in the amount of spam was borne out, even given the factors outlined above. The average volume of spam in 2008 was 82.1% of all mail traffic – 2.1% higher than in 2007. The lowest figure (50.5%) was recorded on 13 November, with the highest figure (97.8%) being recorded on 1 March.
22% of spam on the Russian Internet (Runet) originated in Russia and 16% originated in the USA. Spain, Italy, Brazil, Germany, Korea, China, Turkey and Ukraine were the other countries in the Top Ten sources of Runet spam.
Spam containing links to phishing sites averaged 1.01%. Phishers were particularly active in February and between April and June. Experts anticipated higher figures in the second half of the year, as banking customers were more likely to be unsettled due to the financial climate, and therefore more likely to fall into the hands of scammers. However, the closing of McColo and Atrivo, by all accounts, meant that phishers were unable to be very active. Phishers most often targeted the PayPal payment system.
0.89% of emails had malicious attachments. In order to spread malicious programs, spammers most often used messages which contained links to infected sites. Malicious users resorted to a range of tricks in order to persuade users either to visit a site or to open an attachment which contained a malicious program.
Among notable trends this year were the rise of spam targeting users of social networking sites, and spam on the sites themselves. On the Russian Internet, such spam was mostly used in order to spread malicious programs. Another noticeable trend on Runet is the evolution of scams which use a variety of approaches to get users to send an SMS message to a short number. The aim of this is to get a cut of the high charge made for sending such messages.
In 2008, the tricks most commonly used by spammers relied on HTML formatting. These tricks were intended to get spam messages past spam filters and included adding “background noise” to texts using random phrases placed in HTML tags which most mail clients treat as auxiliary (comment tags, colour tags, etc.). Spammers also used HTML tables; for example, a phone number in an advertisement was created with a combination of white and black table cells.
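A content filter can counter the comment-tag and colour-tag noise described above by matching only the text a reader would actually see. The following Python sketch is an added example, not code from the Kaspersky Lab report; it assumes a white message background, and the class, function and sample message are constructed for illustration. It does not cover the table-cell trick.

```python
import re
from html.parser import HTMLParser

# Assumption: the message is rendered on a white background.
BACKGROUND = {"#ffffff", "#fff", "white"}
VOID = {"br", "img", "hr", "meta", "input", "link"}

class VisibleText(HTMLParser):
    """Collects text a reader would see; tallies text hidden by markup."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []        # one bool per open element: is its text hidden?
        self.visible = []
        self.hidden_chars = 0  # size of the "background noise"

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        a = {k: (v or "").lower() for k, v in attrs}
        style = a.get("style", "").replace(" ", "")
        m = re.search(r"(?:^|;)color:([^;]+)", style)  # not background-color
        colour = m.group(1) if m else a.get("color", "")
        hides = colour in BACKGROUND or "display:none" in style
        # Simplification: hidden state is inherited from the enclosing element.
        self.stack.append(hides or (bool(self.stack) and self.stack[-1]))

    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()

    def handle_comment(self, data):
        self.hidden_chars += len(data.strip())  # comments are never rendered

    def handle_data(self, data):
        if self.stack and self.stack[-1]:
            self.hidden_chars += len(data.strip())
        else:
            self.visible.append(data)

def normalise(html):
    """Return (visible text, number of hidden characters) for one HTML body."""
    p = VisibleText()
    p.feed(html); p.close()
    return " ".join("".join(p.visible).split()), p.hidden_chars

# Constructed sample message, not taken from real spam.
SAMPLE = ('<body bgcolor="#FFFFFF">Cheap w<!-- harvest moon lantern -->atches '
          '<font color="#FFFFFF">river quiet seventeen</font>call '
          '<span style="color: white">window apple</span>today</body>')
```

The visible text goes to the usual keyword or signature matching, while a high hidden-character count relative to visible text is itself a useful scoring feature.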
In 2008, spammers started actively using publicly accessible web services to spread their advertisements. The spammers’ page (or a redirect leading to such a page) was placed on a well-known hosting service or a blog, with links in spam emails leading to this page. This approach is primarily designed to evade filters which rely on reputation filtering, and depends on filters not blocking a message which contains links to legitimate services such as Google Docs, Microsoft SkyDrive, Microsoft Livefilestore and others.
As previously, spammers used hot topics in order to attract the attention of users. In 2008, these topics included the football world championship, the US presidential elections, and the global economic crisis. The word “crisis” was used in spam advertising for almost any type of goods or services in the second half of 2008.
During 2008, there were some new categories of spam, and the leading category changed. During the second half of the year, the “Other goods and services” category decreased by 6%, while “Adult content” spam increased by more than 15%. This latter type of spam is often circulated on Runet in order to increase the traffic on certain sites.
The drop in the volume of spam advertising goods and services shows that the number of orders spammers are receiving from legitimate businesses is decreasing. The rise in attacks of a criminal nature – scams using SMS, increasing the hit rate on pornographic sites, etc. – demonstrates that the cybercriminals who are starting to see a decrease in their profits are searching for new sources of income. The global economic situation is having a clear impact on the type of spam being sent, while creating conditions for increasing criminalization.
As spam is a global phenomenon, changes in the spam landscape can serve as an indicator of the condition of the economy. The correlation is fairly clear and the end of the economic downturn will be reflected by changes in the spam landscape.
Kaspersky Lab analysts believe that the volume of spam will not decrease in 2009, and the volume of criminal spam will increase. Problems in the banking sphere will create the conditions for a new wave of phishing attacks and users are advised to be on their guard.
The full version of “Kaspersky Security Bulletin: Spam in 2008” is available on viruslist.com.