August 2009 Report #32

While overall spam volumes averaged 89 percent of all email messages in July 2009, spam volumes continue to fluctuate. During July 2009, image spam continued to have an impact, reaching 17 percent of all spam at one point in the month. Health spam decreased by 17 percent, while product and 419 spam both saw increases of eight and three percent respectively month over month.

The following trends are highlighted in the August 2009 report:

Spammer's Opinion Poll: President Obama and Michael Jackson
Spammers Cast Their Spells to Produce Harry Potter Spam
July 2009: Spam Subject Line Analysis
Spying Can Be Dangerous
Scammers Try to Sneak In Unvoiced Using Voice over IP Services

Spam Percentage: The model used to calculate spam percentage now factors in network layer blocking in addition to SMTP layer filtering, and as a result represents a more accurate view into the actual spam percentage on the Internet.

Dylan Morss, Executive Editor, Antispam Engineering
Dermot Harnett, Editor, Antispam Engineering
Cory Edwards, PR Contact, cory_edwards@symantec.com
Spammer's Opinion Poll: President Obama and Michael Jackson

Much has been made about the importance of the 200-day mark of the Obama Administration on August 6, 2009. With all the talk about health care reform and health insurance in the United States right now, the majority of the spam messages that reference President Obama are promoting health spam. Yet, ironically, with all of the talk of health care, this category saw a 17 percent decline in spam during the past month.

In the hours after his death on June 25, 2009, several Michael Jackson-related spam and malware campaigns emerged. While several variations of Michael Jackson spam and malware have been observed, it seems that as the general public's interest in the drama surrounding his death dissipates, spammers too are moving away from using his name in attacks.

For a time it seemed that Michael Jackson-related spam was more popular than President Obama-related spam. Regardless of what opinion polls are showing about President Obama's popularity, it is clear that spammers, much like tabloid magazines, are still giving him their vote and have some confidence that his name will continue to help them to distribute some of their messages.

Following are the top 5 spam messages we've observed in July about President Obama and Michael Jackson.
Spammers Cast Their Spells to Produce Harry Potter Spam

It seems that in connection with the release of the latest Harry Potter movie, spammers believe that there is benefit in using the movie and its leading actors to promote various spam products and services. The top Harry Potter-related subject lines included:

Full ebook Harry Potter
Harry Potter interactive ebook
See Emma Watson exposed
Emma Watson exposed again
See Emma Watson's xxx!
Emma Watson exposed again!
Which Harry Potter Character Are You?
Harry Potter Sneak Peek and Top 5 Movie Soundtrack
Your Harry Potter Prize

Recent spam messages indicate that Emma Watson, who plays the character of Hermione Granger, is the spammers' favorite target. Other messages that have emerged included Harry Potter-related 419 and health spam. In the Harry Potter 419 message, the name Potter is misspelled as Porter. Below is an example of the scam email:

Harry Potter-related health spam used phrases such as Harry Potter ebook. The email body is in the form of a legitimate newsletter in which the URLs try to entice users to open a link to an online pharmacy website.
July 2009: Spam Subject Line Analysis

In this August 2009 State of Spam Report, Symantec is taking a closer look at the top subject lines that are appearing in spam messages. With spam levels so high, it is interesting, but not altogether surprising, that the top subject lines used by spammers are often subject lines used in legitimate messages by valid companies. There are multiple reasons why spammers might use common subject lines such as Hey or Hi:

1. Spammers want to evade antispam filters to get the spam message into a user's inbox. As security companies and the Internet community pay more attention to the reputation of websites and email senders, spammers are not only hiding behind well-established and reputable brands, but they are also using a mixture of spam and legitimate tactics to try to evade antispam filtering and ensure the delivery of their message. Using subject lines often observed in legitimate messages is one tactic that spammers continue to use.

2. Spammers want the end user to open their message. By using subject lines that are often used in personal legitimate messages, a user is more likely to open the spam message.
With image spam reaching a maximum of 17 percent of all spam during July 2009, it is also interesting to look at the top subject lines for these messages. Again, Symantec has observed that the top image spam subject lines included common phrases that would often be observed in legitimate mail.
Spying Can Be Dangerous

Have you ever dreamt of owning a device that could help you spy like a secret agent in a spy movie? With gadgets such as cameras, voice recorders or memory devices dropping to small sizes, it is possible, and spammers are trying to convince users of it. Spammers are offering a solution for those who wish to eavesdrop on another's phone. The solution is not a bug to be attached to a phone, but software that, once installed on the target phone, sends information about all the calls and messages originating from that phone back to the user's phone.

This offer entices users with the option of peeping into someone's phone to get desired information. Spammers claim that the surveillance functions of the target phone (after installation) can be used to obtain valuable information from subjects such as names and numbers of significant others, managers, key employees and business partners. Valuable information includes listening to outgoing calls, receiving copies of incoming and outgoing SMSs, and tracking precise locations of the phone device using GPS satellites.

However, there are a few steps required before the functions of the target mobile device can be used. The user has to first install the so-called unique MMS phone interceptor loader on their phone and then execute it. This is a potentially dangerous step towards installing malware. Earlier this month, Symantec published a blog on a mobile threat delivered with the help of SMSs. As mobile threats rise in 2009, users are advised against falling prey to the offer shown in the example below:
Scammers Try to Sneak In Unvoiced Using Voice over IP Services

419 spam, which in July accounted for nine percent of all spam, has been a nuisance to email users for years. Traditionally, 419 scammers have reached out to email users through text-based emails, word processing documents and PDF formats, and increasingly they have their sights set on social networking sites. However, all these approaches to sending 419 spam have one thing in common: fraudulent stories of a huge money inheritance, kinship and financial assistance that are communicated via typed messages.

Spammers are constantly in search of techniques that will allow them to reach users' inboxes by evading antispam filters. Recently, Symantec observed a new variant of 419 spam where spammers tried to exploit VoIP (Voice over Internet Protocol) services. The spammers created fake accounts on sites providing VoIP services and then, using these fake accounts, sent invitations to users using the invite friends functionality within these VoIP services. This spam message invite contained some of the elements typically seen in legitimate VoIP invitations; however, spammers continued to insert the 419 rhetoric regarding a story of some unclaimed funds or inheritance within the email message invite.
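
A content check for the invitation abuse described above, as an added example that is not part of the Symantec report: because the invitation is sent by a legitimate service, the check scores the free text of the invite for advance-fee (419) wording instead of relying on the sender. The indicator patterns, threshold, function names and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string

# Assumed indicator patterns for advance-fee (419) wording; not from the report.
INDICATORS = {
    "unclaimed_funds": re.compile(r"\bunclaimed\s+(?:funds?|money|sum)\b", re.I),
    "inheritance": re.compile(
        r"\b(?:inheritance|next\s+of\s+kin|late\s+(?:father|husband|client))\b", re.I),
    "large_amount": re.compile(
        r"(?:\$|\b(?:usd|gbp|eur)\b)\s?\d[\d,.]*|\b\d[\d,.]*\s*million\b", re.I),
    "plea": re.compile(
        r"\b(?:strictly\s+confidential|your\s+(?:urgent\s+)?assistance)\b", re.I),
    "off_platform_contact": re.compile(
        r"\b(?:reply|contact|write)\b[^.\n]{0,40}\b[\w.+-]+@[\w-]+\.[\w.-]+", re.I),
}
INVITE_MARKERS = re.compile(r"\binvit(?:e|ed|ation)\b", re.I)

def plain_text(msg):
    """Concatenate the decoded text/plain parts of a parsed message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def score_invite(raw_message, threshold=2):
    """Flag a service invitation whose free text carries 419 wording."""
    msg = message_from_string(raw_message)
    text = plain_text(msg)
    is_invite = bool(INVITE_MARKERS.search(msg.get("Subject", "") + "\n" + text))
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    return {"is_invite": is_invite, "hits": hits,
            "suspicious": is_invite and len(hits) >= threshold}

HEADERS = "From: ExampleVoIP <invites@voip.example>\nTo: user@example.org\n"
FOOTER = "\nAccept invitation: https://voip.example/invite/placeholder\n"
# Constructed samples: same invitation template, different personal message.
SAMPLE_419 = (HEADERS + "Subject: Mrs. A. Sample has invited you to ExampleVoIP\n\n"
    "Mrs. A. Sample has invited you to join ExampleVoIP.\n"
    "I am next of kin to my late husband, who left unclaimed funds of\n"
    "USD 8,500,000. I need your assistance; reply to sample@mail.example\n" + FOOTER)
SAMPLE_BENIGN = (HEADERS + "Subject: Pat has invited you to ExampleVoIP\n\n"
    "Pat has invited you to join ExampleVoIP.\n"
    "Hi, add me so we can talk this weekend.\n" + FOOTER)

if __name__ == "__main__":
    for name, raw in (("419 invite", SAMPLE_419), ("benign invite", SAMPLE_BENIGN)):
        print(name, score_invite(raw))
```

Both samples share the same sender and invitation template, so only the personal-message text separates them; a real deployment would tune the patterns and threshold against its own mail.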
Metrics Digest: Regions of Origin

Defined: Region of origin represents the percentage of spam messages reported coming from certain regions and countries in the last 30 days.
Metrics Digest: URL TLD Distribution

Metrics Digest: Average Spam Message Size

Metrics Digest: Percent URL Spam
Metrics Digest: Global Spam Categories

Internet: Email attacks specifically offering or advertising Internet or computer-related goods and services. Examples: web hosting, web design, spamware

Health: Email attacks offering or advertising health-related products and services. Examples: pharmaceuticals, medical treatments, herbal remedies

Leisure: Email attacks offering or advertising prizes, awards, or discounted leisure activities. Examples: vacation offers, online casinos

Products: Email attacks offering or advertising general goods and services. Examples: devices, investigation services, clothing, makeup

Financial: Email attacks that contain references or offers related to money, the stock market or other financial opportunities. Examples: investments, credit reports, real estate, loans

Scams: Email attacks recognized as fraudulent, intentionally misguiding, or known to result in fraudulent activity on the part of the sender.

Fraud: Email attacks that appear to be from a well-known company, but are not. Also known as brand spoofing or phishing, these messages are often used to trick users into revealing personal information such as email address, financial information and passwords. Examples: account notification, credit card verification, billing updates

419 spam: Email attacks named after the section of the Nigerian penal code dealing with fraud. The term refers to spam email that typically alerts an end user that they are entitled to a sum of money, by way of a lottery, a retired government official, a new job or a wealthy person that has passed away. This is also sometimes referred to as advance fee fraud.

Political: Messages advertising a political candidate's campaign, offers to donate money to a political party or political cause, offers for products related to a political figure/campaign, etc. Examples: political

Adult: Email attacks containing or referring to products or services intended for persons above the age of 18, often offensive or inappropriate. Examples: porn, personal ads, relationship advice