Kaspersky: Spam in Q1 2012, A Marathon of Holidays
May 2012 by Kaspersky
Please see below the findings from Kaspersky Lab’s Q1 2012 spam report. The main topics that emerged during the last quarter included the increase in spam during the holidays, mass mailings, malicious attachments and the distribution of phishing attacks.
The first quarter of the year was littered with holidays and spammers tried to make the most of this. Be it Valentine’s Day, St. Patrick’s Day or Easter - it seems there’s no holiday that won’t get a spammer working overtime. However, in Q1 of 2012 the share of spam in mail traffic was down 3 percentage points compared to the previous quarter, averaging 76.6 per cent.
“The drop in the percentage of junk email was in no little part down to the combined efforts of Kaspersky Lab and the CrowdStrike Intelligence Team, HoneyNet Project and Dell SecureWorks research groups. Their work resulted in the neutralisation of the second version of the Hlux/Kelihos peering botnet. According to our data, the botnet included over 100,000 infected computers,” says Darya Gudkova, Head of Content Analysis and Research at Kaspersky Lab.
Spammer methods and tricks
Spammers who specialise in spreading malware are especially creative in the sphere of social engineering. A mass mailing containing fake notifications from NACHA (The Electronic Payments Association) was followed by messages from the Better Business Bureau (BBB). The emails mainly targeted small and medium-sized businesses. When users clicked on the links inside the messages they were taken to a hacked site with an embedded script that redirected them to a malicious site hosting the notorious BlackHole exploit pack.
A similar scheme was used for another mass mailing that imitated a message from an airline. The user was invited to check in online for a US Airways flight. Other malicious mass mailings imitated financial news, job offers, bank notifications and information from social networking sites.
Sources of spam
2011’s major trend continued in Q1 2012: the share of spam emanating from Asia (+3.83 percentage points) and Latin America (+2.66 percentage points) increased, albeit slowly. The contributions of Africa (+0.67 percentage points) and the Middle East (+1.09 percentage points) also grew. Although the volume of spam originating from the latter two regions is not yet significant, a clear growth dynamic is evident. The proportion of spam distributed from Africa and the Middle East increased by 20 and 29.6 percentage points respectively compared with Q4 2011.
The share of spam in Western and Eastern Europe continued to decrease and in Q1 2012 amounted to 23.43 per cent of the total volume of global spam (-8.35 percentage points). After the closure of Hlux, further changes in the geographical distribution of spam sources can be expected.
Emails with malicious attachments
Although the percentage of malicious attachments in spam has decreased, it still remains high. Moreover, many malicious emails contain links to sites with exploits that are used in drive-by attacks, rather than attachments. Such links use various redirects to sites containing exploit packs – sets of exploit tools designed to find vulnerabilities in popular applications such as Java, Flash Player and Adobe Reader.
The peak of malware distribution came in January, when over 4 per cent of all emails contained malicious attachments. In February and March the proportion of malicious spam was 2.8 per cent.
In the first quarter of 2012, the volume of phishing emails decreased slightly and accounted for just 0.02 per cent of all mail traffic.
This year saw the start of Kaspersky Lab’s new listing of the top 100 organisations targeted by phishers, grouped by category. More detailed information about each category is available here.
In Q1 2012, the distribution of phishing attacks by organisation was relatively stable. Among the noticeable shifts was the increase in the number of attacks on Amazon in January. In the first month of the year, online stores and e-auction sites occupied second position in the rating. However, in February they were replaced by social networking sites, whose position was bolstered by a surge in attacks on Facebook. Facebook has been the single most targeted site for the past two months.