Embed Size (px)
Citation preview
The State of Spam A Monthly Report – August 2008Generated by Symantec Messaging and Web Security
Spam Monthly Report, August 2008
2
Doug Bowers Executive Editor Antispam Engineering
Dermot Harnett Editor Antispam Engineering
Joseph Long Security Response Lead Symantec Security Response
Cory Edwards PR Contact [email protected]
Spam Monthly Report, August 2008
3
Monthly Spam Landscape
McCain, Obama and the Olympic games have all become prime targets in a malicious spam campaign as spam levels average at 78 percent of all messages in July 2008. In July 2007, spam represented 66 percent of all messages. The rise in spam represents a year on year increase of 12 percent and demonstrates spammers’ unwillingness to give up their spam campaigns. The Symantec August 2008 State of Spam Report notes the following trends:
• Spammers’ Bullseye: Obama, McCain and the Olympic Games
• World War III Spam Hoax
• Superfoods and How to Lose Money Fast
• Phishing Email Targets Microsoft POP3 User Data
• Bilingual Spam Messages Emerge
• Spammers Offer Drug & Alcohol Rehab
• Economic Spam Watch: August 2008
Percentages of E-mail Identified as Spam
Defined:
Worldwide Internet Mail Gateway Spam Percentage represents the number of messages that were processed and classified as spam versus the total number of messages processed when scanned at the mail gateway. This metric represents SMTP layer filtering and does not include the volumes of e-mail detected at the network layer.
Internet E-mail Spam Percentage
A trend line has been added to demonstrate a 7-day moving average.
Spam Monthly Report, August 2008
4
Global Spam Categories
Defi ned:
Spam category data is collected from classifi cations on messages passing through the Symantec Probe Network.
Global Spam Categories Last 30 Days
Spam Monthly Report, August 2008
5
Category Definitions
• Products E-mail attacks offering or advertising general goods and services. Examples: devices, investigation services, clothing, makeup
• Adult E-mail attacks containing or referring to products or services intended for persons above the age of 18, often offensive or inappropriate. Examples: porn, personal ads, relationship advice
• Financial E-mail attacks that contain references or offers related to money, the stock market or other financial “opportunities.” Examples: investments, credit reports, real estate, loans
• Scams E-mail attacks recognized as fraudulent, intentionally misguiding, or known to result in fraudulent activity on the part of the sender. Examples: Nigerian investment, pyramid schemes, chain letters
• Health E-mail attacks offering or advertising health-related products and services. Examples: pharmaceuticals, medical treatments, herbal remedies
• Fraud E-mail attacks that appear to be from a well-known company, but are not. Also known as “brand spoofing” or “phishing,” these messages are often used to trick users into revealing personal information such as E-mail address, financial information and passwords. Examples: account notification, credit card verification, billing updates
• Leisure E-mail attacks offering or advertising prizes, awards, or discounted leisure activities. Examples: vacation offers, online casinos, games
• Internet E-mail attacks specifically offering or advertising Internet or computer-related goods and services. Examples: web hosting, web design, spamware
• Political Messages advertising a political candidate’s campaign, offers to donate money to a political party or political cause, offers for products related to a political figure/cam-paign, etc. Examples: political party, elections, donations
• Spiritual E-mail attacks with information pertaining to religious or spiritual evangeliza-tion and/or services. Examples: psychics, astrology, organized religion, outreach
• Other E-mails attacks not pertaining to any other category.
Spam Monthly Report, August 2008
6
Regions of Origin
Defined:
Region of origin represents the percentage of spam messages reported coming from certain regions and countries in the last 30 days.
Spam Monthly Report, August 2008
7
Spammers’ Bullseye: Obama, McCain and the Olympic Games
Using recent news events such as Obama’s trip to Europe, the US Presidential Campaign and the anticipation of the Olympic Games which begins August 8th in China, spammers continue to sensationalize spam emails to entice users to open them. In recent examples of these spam attacks, the recipient opens one of these messages, and then is asked to click on a link that hosts malware. This malicious spam is often designed to infect other comput-ers with viruses and trojans rather than simply promoting a spam product.
In the examples observed by Symantec during July, legitimate websites were often hijacked by hackers to host malware for this attack. Using legitimate websites can often make it harder to trace some of these hijackers.
Some of the subject lines of these malicious spam emails have included
There are two key points to highlight note when monitoring this type of spam - the continu-ing link between spam and other security threats and the prevalent trend being used by spammers to use current events and human curiosity to lure users into opening a spam message.
Spam Monthly Report, August 2008
8
World War III Spam Hoax
Spammers are misleading web users with spam messages containing a Trojan virus claim-ing that World War III has begun after a US invasion of Iran.
This malicious code has been detected as Trojan.Peacomm by Symantec AV.
Symantec has seen emails with the following subject lines: “Third World War has begun”, “US soldiers occupied Iran”, “US soldiers occupied Iran”, “Negotiations between USA and Iran ended in War”.The email contains what appears to be a video showing a bomb explosion which, when clicked, links to the Trojan. The message also reads:“Just now US Army’s Delta Force and US Air Force have invaded Iran. Approximately 20000 soldiers crossed the border into Iran and broke down the Iran’s Army resistance. The video……….”
The spammer is attempting to take advantage of the recipient’s curiosity and news events to sell them on the idea that a US invasion of Iran has taken place in hopes of enticing the recipients to click on the link in order to spread this Trojan.
Spam Monthly Report, August 2008
9
Superfoods and how to Lose Money Fast
Trends in spam often closely mimic what’s happening in popular culture. Currently all things natural are in vogue, with superfoods often making the news.
This spam offer seems to have it all – a natural product that promotes weight loss, an ad-vertisement that included a photo of a prominent news broadcaster and logos of prominent news outlets and their seeming endorsement of the superfood. To top it off, the spam mes-sage indicated that the product could be tried without any cost. However, a quick look at the small print, hidden away on a separate page that the promoters do not require the recipient to open shows it’s far from free – by signing up for the offer the recipient agrees to have $74.95 billed monthly to their account.
To try and get the message by spam filters, each message includes hundreds of random words hidden in the html tags.
Spam Monthly Report, August 2008
10
Random paths hidden in the html tagsThe spammer uses several different domains, uses random long paths and changes the subject and sender line each time when sending the attack
Spam Monthly Report, August 2008
11
Phishing Email Targets Microsoft POP3 User Data Symantec has observed a new fraud attack targeting Microsoft POP3 users.The email claims that recipients have a POP3 setting problem and need to click on the URL in the email to confirm the account data.
Headers from the scam email were:From: “Microsoft”<[email protected]>Subject: Message from Microsoft or Subject: Microsoft Outlook Verification #
The email shows a warning but the URL in the message does not lead the recipient to the Microsoft web site, but rather to a hacked web site.
The phishing page requests personal data from the end user. While this phishing example may be easily identified as a scam, the recipient of this message could provide their per-sonal information. The information would then be used maliciously by the spammer.
Spam Monthly Report, August 2008
12
Bilingual Spam Messages EmergeOnline casino spam has been around for quite some time in many languages including English and Japanese. The interesting thing about the message below is that it is written in Japanese and machine translated into English. As antispam filters become more sophisti-cated, spammers continue to try and inundate the markets that they are targeting.
Spam Monthly Report, August 2008
13
Spammers Offer Drug and Alcohol RehabJuly 2008 saw the emergence of rehab spam. Subject lines have included
- Get help today with Drug Rehab Info
- Overcome Alcoholism today
Spammers are constantly trying new tactics to try and coerce recipients into opening a spam message so that they can obtain personal information from end users. In this particu-lar example, they are trying to target individuals who are not in good health, in the hopes that they will act on this spam message and give away their personal details.
Spam Monthly Report, August 2008
14
Economic Spam Watch: August 2008
As economic concerns continue to be top of mind for Americans, spammers have continued to exploit this sensitive topic as a way to promote various financial spam offers. This month Symantec observed economic spam emails with the following subject lines:
The purpose of these particular spam messages is to harvest personal information from trusting recipients. Spammers use this information to feed future spam campaigns, but may also sell this information to other groups.
