Spam and phishing in Q1, 2015: banks and banking Trojans

In Q1 of 2015, the amount of spam in the world’s email traffic is less than it was a few years ago, but still too high. Junk mail goes from annoying to dangerous when infected by cybercriminals.

In May, Securelist released their quarterly report on spam and phishing covering this year’s first quarter. Spam had been – and remains – one of the peskiest problems corporate IT staff has to deal with. The amount of spam in the world email traffic is currently just below 60%; it’s much less than a few years ago when it was towering above 90%, but still it’s a bit too much. The primary problem is not the junk mail itself; on its own it’s almost harmless. When it’s interspersed with malware or phishing letters is when it puts you in direct peril.

So, what’s up this quarter?

“In January 2014 the New gTLD program of registration for new generic top-level domains designated for certain types of communities and organizations was launched. The main advantage of this program is the opportunity for organizations to choose a domain zone that is clearly consistent with their activities and the themes of their sites,” Securelist said.

The new business opportunities provided by the New gTLD program were enthusiastically endorsed by the Internet community. Unsuprisingly, spammers and cybercriminals were quick to react as well. Almost immediately, new domain zones became an arena for the large-scale distribution of advertising spam, phishing, and malicious emails. Cybercriminals registered domains to spread spam mass mailings, hacked existing sites to place spam pages, and/or used these and other web resources in chains that redirect users to spam sites.

As such there was a dramatic increase in the number of new domains doling out spam of every imaginable sort, with content both related and totally unrelated to the domain name. While .work domains were spamming out the various service offers such as household maintenance, construction, or equipment installation (which doesn’t really inspire respect for a businesses that uses such promotions), .science spam domains advertised criminal lawyers along with various education courses.

By the way, there are also .color domains such as .blue, .pink, etc. They turned out to be the source of spam promoting Asian dating sites.

Now, the real dangers

As said above, spam becomes really problematic as soon as it is used to spread malware or gets “infested” with phishing.

Q1 was by no means an exception in that regard: There were more than enough occasions where malicious attachments were spammed. In the first quarter of 2015, the fraudsters often used spam to distribute macro viruses – programs written in the macro languages built into data processing systems (text and graphic editors, spreadsheets, etc.). Unsurprisingly, in these cases, malicious attachments were Microsoft Office documents (.doc, .xls) which launched VBA scripts when opened. The script then downloaded and installed other malicious programs, such as banking Trojans.

“Basically, malicious attachments imitated various financial documents: notifications of a fine or a money transfer, unpaid bills, payments, orders and complaints, e-tickets, etc.,” Securelist said. “Among these fraudulent notifications were fake messages written on behalf of public services, stores, hotel, airlines and other well-known organizations.”

At least once there had been a mass mailing detected with all messages based on the single template, with only the sender address and the amount of money specified in the subject and the body of the message being varied. The attachment was a document with garbled text looking like an incorrect display of coding. Fraudsters tried to convince the victims to enable macros in order to have their virus launched. Microsoft disabled macros by default back in 2007 for safety reasons. Now criminals are trying to convince users to power down their shields – hopefully without much success. was the malware most often distributed via email; a downloader that brings in Trojans designed to steal confidential financial information. Most malicious programs of this type are aimed at Brazilian and Portuguese banks.

Click the thumbnail to see the full diagram.

Click the thumbnail to see the full diagram.


In the first quarter of 2015, the Anti-Phishing system was triggered 50,077,057 times on the computers of Kaspersky Lab users. This is 1 million more than in the previous quarter.

Given that there was some slight drop in the overall amount of spam compared to Q4, 2014, +1 million phishing alerts looks especially set off.

Kaspersky Lab’s statistics show that Global Internet Portals (Email, Search engines, etc.) are at the top of the ranking of organizations attacked by phishers – above 25%. Facebook, Google and Yahoo! are the most attacked entities, just like in Q4, 2014.

Financial organizations – banks, online stores, and electronic payment systems are attacked the most: above 37%.

Overall dynamics

The sharing of spam in email traffic in the first quarter of 2015 was 59.2%, which is 6 percentage points less than in the previous quarter. Might’ve been seasonal change: after all, major holiday seasons in Western Countries are in Q4, which spammers and scammers are try to exploit.

Phishing grows. So do the banking Trojans. That is the trend with cybercriminals going after the money – preferably the money owned by the organizations.

From the previous quarterly reports, it looks like the amount of spam is steadily going down: from 80.5% of the overall mail traffic in Q1, 2010 to the current 59.2%. In first quarters there are drops, followed by increases in Q2. But in general spam is dwindling. The war is far from being won, but there are reasons for some optimism. Because it is clear that antispam tools’ efficiency is improving, although technical means to counter spam are just a part of what is necessary to beat this problem. The other – extremely important – part is to keep people informed and educated on how not to get duped by spammers and phishers.