The cracking, and closure, of the Rustock botnet in March this year did not impact spam traffic as much as other closures have in the past year. According to Kaspersky Lab, last year's Pushdo, Cutwail and Bredolab closures saw the quantity of spam fall by 2-3 percentage points for a day or two before bouncing back again.
“This could be due to the closure of SpamIt, a large pharmaceutical partner program, and the fact that Rustock, which specialised in pharmaceutical spam, may well have ceased sending out mass mailings at the end of last year. It could be that the botnet was just used for different purposes. It is also possible that the cybercriminals themselves preferred to lie low for a while given the interest in botnets shown by law enforcement agencies in the latter stages of 2010,” explains Darya Gudkova, Head of Content Analysis & Research at Kaspersky Lab.
As a result, the amount of spam detected in mail traffic in the first quarter of 2011 averaged 78.6% – an increase of 1.4 percentage points compared with the previous quarter, though still 6.5 percentage points less than the corresponding figure for last year.
Sources of spam
In Q1 2011, the Asian and Latin American share of the total volume of spam worldwide grew (+2.93 and +3.85 percentage points respectively), while the amount of spam originating from Eastern and Western Europe fell by 5.64 and 2.36 percentage points respectively. Africa joined the list of the most active spam senders: the volume of unsolicited messages coming from African countries accounted for 3.66% of the worldwide spam total, exceeding that of the USA and Canada. These figures are in line with Kaspersky Lab's forecasts that botnets would start shifting to regions with less effective or non-existent anti-spam legislation. However, cybercriminal activity suggests that in future botnets will also be developed in better-protected regions, meaning they will be spread relatively evenly across the globe, much as they are now.
Spammer tricks and techniques
In Q1 of 2011, spammers made use of some tried and tested tricks and techniques to bypass filtering. Sending out spam emails containing a link to a video clip advertising spammer services was one of them. Another trick saw emails that read “Stop sending me spam” allegedly written by an angry recipient of spam. The email was in fact itself spam with a link leading to a spammer’s site. Unfortunately, Q1 saw some tragic events including earthquakes and a major tsunami in Japan. Needless to say, spammers tried to capitalise on these events by tricking users into parting with their money by pretending to be part of the humanitarian relief effort.
Malware in mail traffic
Trojan-Spy.HTML.Fraud.gen maintained its leading position in the Top 10 rating of malicious programs distributed via mail traffic in the first quarter of 2011. This Trojan uses spoofing technology and appears in the form of an HTML page. It comes with a phishing email containing a link to a fake site resembling that of a well-known bank or e-pay system where the user is asked to enter a login and a password that will be used by fraudsters to access his/her confidential data.
The most notable entries in the Top 10 malicious programs to spread via email belonged to a mail worm family and accounted for four of the rating's ten entries. The main purpose of malware such as this is to harvest email addresses and use them to spread itself further via mail traffic.
In the first quarter of 2011 the volume of phishing emails was very small and accounted for only 0.03% of all mail traffic. PayPal and eBay remained in the unenviable position of being the organisations most frequently targeted by phishers. They were followed by Habbo, Facebook and former leader HSBC.
“Notably, in the first quarter of 2011 Google services such as Google AdWords and Google Checkout were attacked less often. The phishers switched their attention to the highly popular Brazilian social network Orkut which is owned by Google. The attacks on this social network reached 1.96% of the total, putting it in 12th place in the list of organisations most often targeted by phishers,” said Maria Namestnikova, Senior Spam Analyst at Kaspersky Lab.
“It is worth mentioning that user accounts belonging to Google’s services, including Orkut, are interconnected. Thus, having acquired credentials for one of these accounts, a cybercriminal can access any Google service registered to the same user,” concludes Namestnikova.
By Angela Meadon