June 2009 Report #30

Transcription

1 June 2009 Report #30 The McColo shutdown is all but a distant memory with spam levels in May 2009 at approximately 90 percent of all consistent with the levels observed one year ago in May Old botnets have been brought back online, and new botnets have been created. While the EMEA region continues to be the leading host of zombie computers, Brazil at 16 percent continues to own the dubious honor of the number one host of active zombie machines. The following headlines summarize the trends highlighted in this June 2009 report: Spam Highlights: May 2009 Spammers Appeal To Revive Auto Companies Twitter Used As Bait to Phish For Personal Information Spam Diploma Mills Continue To Turn Out More Offers Fight Diabetes, But Not With Spammer s Help Zombie Host IP Activity May 2009 Spam Percentage: The model used to calculate spam percentage now factors in network layer blocking in addition to SMTP layer filtering, and as a result represents a more accurate view into the actual spam percentage on the Internet. Doug Bowers Executive Editor Antispam Engineering Dermot Harnett Editor Antispam Engineering Cory Edwards PR Contact cory_edwards@symantec.com

2 Spam Highlights: May 2009 In May 2009, spam levels climbed to nearly 90 percent of all , consistent with levels observed in May Several interesting trends have been observed during the past month. Image spam has re-emerged as a force to be reckoned with as 6.5 percent of all spam messages in the last 30 days contained an image. During that time it climbed during one week to 21.9 percent of all messages. One consequence of the re-emergence of image spam is that the average size of spam messages has increased with percent of messages in the 2kb-5kb bucket, and 14 percent of messages larger than 10kb. When you consider that less than three percent of messages were larger than 10kb in January 2009 this increase in message size is significant. Increase in message size puts a strain on mail infrastructures and could possibly prevent end users from receiving legitimate . A historical look at the size of spam messages since late 2008 clearly shows just a significant increase in size. When plotted on a chart showing the increases in image spam it is clear that image spam is a significant part of the reason for the the spike in message size.

3 Spam Highlights: May 2009 While image spam has increased, it is spam messages containing URLs in the message body that continue to be the predominant spam trend. During the last 30 days, 91.7 percent of all spam messages contained a URL. These URLs are often associated with sites which allow users to set up free accounts including free webhosting accounts and URLs that are registered and operated by spammers. These URLs are used to promote certain products and services, and spammers often rotate the URLs used in their spam attacks in an effort to evade antispam detection. In May 2009, 52 percent of the URLs observed had a com top level domain (TLD), and 32 percent had a cn cctld. The number of URLs with a com TLD decreased by 12 percent, and the number of URLs with a cn cctld increased by 12 percent. The obvious switch is a spam tactic employed by spammers in which they alternate between different TLDs in an attempt to evade antispam filters.

4 Spam Highlights: May 2009 Overall, spam messages continue to promote and offer a wide variety of products and services ranging from the old reliables such as meds (health is currently at 24 percent), Internet (27 percent ) and 419 spam (5 percent) to more recent spam messages such as interior design school courses and "Barbara Walters Special - Anti-Aging Miracle." It is clear that as long as recipients continue to click on URLs in an attempt to curiously observe or take advantage of the products and services offered, spammers will continue sending out large volumes of fraudulent messages.

5 Spammers Appeal To Revive Auto Companies With the financial concerns and bankruptcy looming for some automakers, spammers have been lured and are taking advantage of these misfortunes. These spam messages which claim to come from a particular motor company mention falling sales due to the economic downturn and includes details about how the United States government plans to bail them out. However, since the supposed bailout funds have yet to reach them the spam message indicates that they are offering 1000 automobiles discounted at 35 percent off the original price. They add that this sale will help the company bounce back and increase their customer base. Recipients are instructed to fill out and submit an attached form to take advantage of the offer. The message indicates that a company representative will visit the recipient within five business days after receiving the form.

6 Spammers Appeal To Revive Auto Companies An image of the attachment is shown below. Note that although this attachment appears to be a PDF, it is actually an html file with a background image that includes the widgets along the top and left-hand side of the page. Spammers are continuously coming up with new offers using the backdrop of the economic downturn to attempt to trick users into submitting information, which may be misused in the future.

7 Twitter Used As Bait to Phish For Personal Information Spammers habitually exploit the reputations of brands for their benefit. As more and more people become connected through social networking sites, it is no surprise that the trust and reputation earned by these websites is misused by spammers. In the last month, spam attacks have leveraged the burgeoning social networking brand Twitter for two spam campaigns: Make Money Fast (MMF) and dating spam. In the MMF attack Risk-Free Twitter Profit Software kit is offered. Recipients of this message would be directed to a web-form which asks for personal information including name, address and postal address. This is followed by another form asking for your credit card number, expiration date and security code. Below are some of the subject-lines used in the Twitter MMF spam: Subject: Twitter Guru Reveals All On Video Subject: Use Twitter to make money Subject: Teenagers are playing online and making grundles of money.

8 Twitter Used As Bait to Phish For Personal Information In the second Twitter-related spam attack, Twitter dating site Datetwit is targeted. Various recently registered spam domains are used in the links, which lead users to enter Twitter credentials to open the dating site. In an attempt to evade antispam filters, messages are obfuscated with legitimate content. From: "DateTwit" From: "DateTwit" From: "DateTwit" From: "DateTwit" With these attacks, Spammers hope that they can lure recipients into action by hiding behind the reputation of the Twitter social networking brand that continues to grow in popularity.

9 Spam Diploma Mills Continue To Turn Out More Offers Approximately 539,000 jobs were lost in the United States in April While the number of jobs lost each month is easing slightly, the unemployment rate rose to 8.9 percent in the same month. With difficulties in the job market, many professionals and students are deciding to obtain additional qualifications in order to enhance their resumes. While diploma spam is not new, the number and variety of courses offered have increased in recent weeks. Specifically we ve observed an increase in degrees offered around criminal justice and forensic science perhaps as a result of popularity of television shows focused on criminal investigation and forensic science. Massage therapy courses have recently become a favorite of spammers as well. One of the linking factors between the courses offered by spammers is that they routinely ask for financial related information in the initial application stage whereas legitimate online universities generally connect the candidate with an advisor or mentor who guides them through the application process.

10 Fight Diabetes, But Not With Spammers Help According to the World Health Organization (WHO), At least 171 million people worldwide have diabetes; this figure is likely to be more than double by The chronic nature of diabetes means that patients are constantly required to control their blood sugar levels using various pharmaceutical products. The WHO has reported that overall, direct health care costs of patients with diabetes range from 2.5 percent to 15 percent of annual health care budgets. Online medical suppliers have for some time provided certain discounts and offers, including free glucose meters to visitors placing their supply order. Recent spam messages have been observed in which the brands of legitimate medical providers have been used by spammers to try and obtain personal information. Spammers ensured that the legitimate brand names appeared either in the subject or sender line of the message. After submitting the information, recipients are informed that they will be contacted in the next five minutes. However, spammers are collecting this information for their own gain. addresses submitted as part of the personal information requested are often used or sold for future spam campaigns. Users can avoid compromising their data by simply typing the legitimate URLs directly into the browser when ordering their supplies rather than clicking on a link from an . Some of the sample subjects associated with these spam attacks: [brand name removed] glucose meter at no-charge from [supplier name removed] Manage your diabetes - Complimentary glucose meter from [supplier name removed] Self-test your blood glucose with a complimentary meter from [supplier name removed Your free glucose meter is waiting for you Manage your diabetes - free glucose meter from [supplier name removed]

11 Zombie Host IP Activity May 2009 Zombie is a term given to a computer that has been compromised and is being used for various criminal related interests such as sending spam, hosting websites that advertise spam and acting as DNS servers for zombie hosts. The top 10 countries hosting active zombie machines in May 2009 are compared in the chart below with the results shared in the May 2009 State of Spam report: The table shows that Brazil continues to dominate as the number one host of active zombie machines. Turkey and Russia at eight and seven percent respectively, have swapped positions this month.

12 Metrics Digest: Regions of Origin Defined: Region of origin represents the percentage of spam messages reported coming from certain regions and countries in the last 30 days.

13 Metrics Digest: Global Spam Categories: Internet attacks specifically offering or advertising Internet or computer-related goods and services. Examples: web hosting, web design, spamware Health attacks offering or advertising health-related products and services. Examples: pharmaceuticals, medical treatments, herbal remedies Leisure attacks offering or advertising prizes, awards, or discounted leisure activities. Examples: vacation offers, online casinos Products attacks offering or advertising general goods and services. Examples: devices, investigation services, clothing, makeup Financial attacks that contain references or offers related to money, the stock market or other financial opportunities. Examples: investments, credit reports, real estate, loans Scams attacks recognized as fraudulent, intentionally misguiding, or known to result in fraudulent activity on the part of the sender. Examples: Pyramid schemes, chain letters Adult attacks containing or referring to products or services intended for persons above the age of 18, often offensive or inap- Fraud attacks that appear to be from a well-known company, but are not. Also known as brand spoofing or phishing, these messages are often used to trick users into revealing personal information such as address, financial information and passwords. Examples: account notification, credit card verification, billing updates 419 spam attacks is named after the section of the Nigerian penal code dealing with fraud, and refers to spam that typically alerts an end user that they are entitled to a sum of money, by way of lottery, a retired government official, lottery, new job or a wealthy person that has that has passed away. This is also sometimes referred to as advance fee fraud. Political attacks Messages advertising a political candidate s campaign, offers to donate money to a political party or political cause, offers for products related to a political figure/campaign, etc. Examples: political party, elections, donations