June 2009 - Symantec

June 2009
Report #30
The McColo shutdown is all but a distant memory, with spam levels in May 2009 at approximately 90 percent of all email – consistent with the levels observed one year ago in May 2008. Old botnets have been brought back online, and new botnets have been created. While the EMEA region continues to be the leading host of zombie computers, Brazil at 16 percent continues to own the dubious honor of the number one host of active zombie machines.
The following headlines summarize the trends highlighted in this June 2009 report:
• Spam Highlights: May 2009
• Spammers Appeal To Revive Auto Companies
• Twitter Used As Bait to Phish For Personal Information
• Spam Diploma Mills Continue To Turn Out More Offers
• Fight Diabetes, But Not With Spammer’s Help
• Zombie Host IP Activity May 2009
Spam Percentage: The model used to calculate spam percentage now factors in network layer
blocking in addition to SMTP layer filtering, and as a result represents a more accurate view
into the actual spam percentage on the Internet.
Doug Bowers
Executive Editor
Antispam Engineering
Dermot Harnett
Editor
Antispam Engineering
Cory Edwards
PR Contact
[email protected]
Spam Highlights: May 2009
In May 2009, spam levels climbed to nearly 90 percent of all email, consistent with levels observed in May 2008. Several interesting trends have been observed during the past month.
Image spam has re-emerged as a force to be reckoned with: 6.5 percent of all spam messages in the last 30 days contained an image, and during one week in that period the figure climbed to 21.9 percent of all messages. One consequence of the re-emergence of image spam is that the average size of spam messages has increased, with 24.14 percent of messages in the 2kb-5kb bucket and 14 percent of messages larger than 10kb. When you consider that less than three percent of messages were larger than 10kb in January 2009, this increase in message size is significant. An increase in message size puts a strain on mail infrastructures and could possibly prevent end users from receiving legitimate email.
A historical look at the size of spam messages since late 2008 clearly shows a significant increase in email size. When plotted on a chart alongside the increases in image spam, it is clear that image spam is a significant part of the reason for the spike in message size.
While image spam has increased, it is spam messages containing URLs in the message body that continue to be the predominant spam trend. During the last 30 days, 91.7 percent of all spam messages contained a URL. These URLs are often associated with sites which allow users to set up free accounts, including free webhosting accounts, and with URLs that are registered and operated by spammers. These URLs are used to promote certain products and services, and spammers often rotate the URLs used in their spam attacks in an effort to evade antispam detection.
In May 2009, 52 percent of the URLs observed had a .com top-level domain (TLD), and 32 percent had a .cn ccTLD. The number of URLs with a .com TLD decreased by 12 percent, and the number of URLs with a .cn ccTLD increased by 12 percent. This obvious switch is a spam tactic in which spammers alternate between different TLDs in an attempt to evade antispam filters.
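The metrics quoted in the two passages above (image-bearing share, size buckets, share of messages carrying a URL, and the .com/.cn split with its month-over-month shift) are straightforward to reproduce over a mail corpus. The following Python is an added example and not Symantec's code: the six-message corpus, the hostnames and the 1kb = 1024 bytes bucket boundaries are constructed assumptions, and the "previous month" TLD shares passed to tld_shift are simply the report's May 2009 figures read as percentage points (52 + 12 and 32 - 12).

```python
"""Compute the corpus metrics the report quotes (image-bearing share, size buckets,
share of messages with a URL, TLD distribution) over a constructed sample corpus,
and flag a month-over-month TLD shift. Added example, not Symantec's code."""
import re
from collections import Counter

# Constructed sample corpus: (message size in bytes, has an image part, body text).
# Hostnames are illustrative placeholders, not real spam domains.
SAMPLE_CORPUS = [
    (1800, False, "Cheap meds here http://pills-example.com/buy"),
    (3400, True, "See the attached picture http://promo-example.cn/x"),
    (12000, True, "Diploma offer http://degree-example.cn/apply today"),
    (2600, False, "Work from home http://mmf-example.com/start http://mmf-example.com/start2"),
    (900, False, "Hello, meeting tomorrow at 10"),
    (4900, True, "Twitter profit kit http://twit-example.cn/kit"),
]

# Host part of an http(s) URL; adequate for plain-text bodies.
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def size_bucket(size):
    """Map a size in bytes to the report's buckets (1kb = 1024 bytes is an assumption)."""
    if size < 2 * 1024:
        return "<2kb"
    if size <= 5 * 1024:
        return "2kb-5kb"
    if size <= 10 * 1024:
        return "5kb-10kb"
    return ">10kb"


def extract_hosts(body):
    """Distinct lower-cased hostnames linked from one message body."""
    return {m.lower() for m in URL_RE.findall(body)}


def tld_of(host):
    """Last label of the hostname: 'com', 'cn', ..."""
    return host.rsplit(".", 1)[-1]


def corpus_metrics(corpus):
    """Percentages over the corpus, rounded to one decimal like the report."""
    n = len(corpus)
    image_share = round(100 * sum(1 for _, has_img, _ in corpus if has_img) / n, 1)
    buckets = Counter(size_bucket(size) for size, _, _ in corpus)
    with_url = 0
    tld_counts = Counter()
    for _, _, body in corpus:
        hosts = extract_hosts(body)
        if hosts:
            with_url += 1
        # Count each TLD once per message so a body repeating one link does not inflate it.
        tld_counts.update({tld_of(h) for h in hosts})
    total = sum(tld_counts.values())
    return {
        "image_share": image_share,
        "size_buckets": {b: round(100 * c / n, 1) for b, c in buckets.items()},
        "url_share": round(100 * with_url / n, 1),
        "tld_share": {t: round(100 * c / total, 1) for t, c in tld_counts.items()},
    }


def tld_shift(previous, current, threshold=10.0):
    """TLDs whose share moved by at least `threshold` percentage points between two periods."""
    shifts = {}
    for tld in set(previous) | set(current):
        delta = round(current.get(tld, 0.0) - previous.get(tld, 0.0), 1)
        if abs(delta) >= threshold:
            shifts[tld] = delta
    return shifts


if __name__ == "__main__":
    print(corpus_metrics(SAMPLE_CORPUS))
    # The report's figures read as percentage points: .com 64 -> 52, .cn 20 -> 32.
    print(tld_shift({"com": 64.0, "cn": 20.0}, {"com": 52.0, "cn": 32.0}))
```

Counting each TLD once per message matters for the rotation tactic described above: a campaign that stuffs one body with many links to a single rotating domain should not dominate the distribution, and a shift of the size the report describes (12 points in a month) is what tld_shift surfaces with its default threshold.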
Overall, spam messages continue to promote and offer a wide variety of products and services, ranging from the old reliables such as meds (health is currently at 24 percent), Internet (27 percent) and 419 spam (5 percent) to more recent spam messages such as interior design school courses and "Barbara Walters Special - Anti-Aging Miracle." It is clear that as long as recipients continue to click on URLs in an attempt to curiously observe or take advantage of the products and services offered, spammers will continue sending out large volumes of fraudulent messages.
Spammers Appeal To Revive Auto Companies
With financial concerns and bankruptcy looming for some automakers, spammers have been lured in and are taking advantage of these misfortunes. These spam messages, which claim to come from a particular motor company, mention falling sales due to the economic downturn and include details about how the United States government plans to bail them out. However, since the supposed bailout funds have yet to reach them, the spam message indicates that they are offering 1000 automobiles discounted at 35 percent off the original price. They add that this sale will help the company bounce back and increase their customer base. Recipients are instructed to fill out and submit an attached form to take advantage of the offer. The message indicates that a company representative will visit the recipient within five business days after receiving the form.
An image of the attachment is shown below. Note that although this attachment appears to be a PDF, it is actually an HTML file with a background image that includes the widgets along the top and left-hand side of the page.
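A mail gateway can catch the disguise described above without rendering anything: compare the format the attachment's filename claims with the format its leading bytes reveal. The Python below is an added example and not Symantec's code; the message it builds is constructed to mirror the lure (an "offer.pdf" whose payload is an HTML form, next to a genuine PDF header for contrast), and the three-entry signature table is a deliberately small assumption standing in for a real file-type library.

```python
"""Flag attachments whose declared name disagrees with their bytes, e.g. an
'offer.pdf' that is really an HTML form. Added example, not Symantec's code; the
message is constructed and the signature table is a deliberately small assumption."""
import email
from email import policy
from email.message import EmailMessage

# Leading byte signatures for the few formats this check knows about.
SIGNATURES = {
    "pdf": (b"%PDF-",),
    "html": (b"<!DOCTYPE html", b"<!doctype html", b"<html", b"<HTML"),
    "zip": (b"PK\x03\x04",),
}


def sniff_format(data):
    """Identify the format from leading bytes; 'unknown' if no signature matches."""
    head = data.lstrip()[:32]
    for fmt, magics in SIGNATURES.items():
        if any(head.startswith(m) for m in magics):
            return fmt
    return "unknown"


def declared_extension(part):
    """Extension from the attachment's filename, lower-cased, or '' if none."""
    name = (part.get_filename() or "").lower()
    return name.rsplit(".", 1)[-1] if "." in name else ""


def check_attachments(raw_message):
    """Return one finding per attachment whose sniffed format contradicts its extension."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        ext = declared_extension(part)
        actual = sniff_format(part.get_payload(decode=True) or b"")
        if ext and actual != "unknown" and ext != actual:
            findings.append({
                "filename": part.get_filename(),
                "declared_type": part.get_content_type(),
                "declared_ext": ext,
                "actual": actual,
            })
    return findings


def build_sample():
    """Constructed message mirroring the report's lure: a 'PDF' attachment that is an HTML form."""
    msg = EmailMessage()
    msg["From"] = "Sales <sales@motor-example.test>"
    msg["To"] = "recipient@example.test"
    msg["Subject"] = "Discounted vehicles - see attached form"
    msg.set_content("Fill in the attached form to claim the offer.")
    html_form = (b"<html><body><form><input name='name'><input name='card'>"
                 b"</form></body></html>")
    msg.add_attachment(html_form, maintype="application", subtype="pdf",
                       filename="offer.pdf")
    # A genuine PDF header for contrast; the check must not flag this one.
    msg.add_attachment(b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n", maintype="application",
                       subtype="pdf", filename="brochure.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in check_attachments(build_sample()):
        print(finding)
```

The check deliberately trusts neither the filename nor the Content-Type header, since both are chosen by the sender; only the payload bytes are evidence. Attachments with an unrecognised signature are left alone rather than flagged, so the small table produces no false positives on formats it does not know.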
Spammers are continuously coming up with new offers using the backdrop of the economic
downturn to attempt to trick users into submitting information, which may be misused in the
future.
Twitter Used As Bait to Phish For Personal Information
Spammers habitually exploit the reputations of brands for their benefit. As more and more people become connected through social networking sites, it is no surprise that the trust and reputation earned by these websites is misused by spammers. In the last month, spam attacks have
leveraged the burgeoning social networking brand Twitter for two spam campaigns: “Make
Money Fast” (MMF) and dating spam.
In the MMF attack, a “Risk-Free Twitter Profit Software” kit is offered. Recipients of this message would be directed to a web form which asks for personal information including name, email address and postal address. This is followed by another form asking for the recipient’s credit card number, expiration date and security code.
Below are some of the subject-lines used in the Twitter MMF spam:
Subject: Twitter Guru Reveals All On Video
Subject: Use Twitter to make money
Subject: Teenagers are playing online and making grundles of money.
In the second Twitter-related spam attack, Twitter dating site Datetwit is targeted. Various recently registered spam domains are used in the links, which lead users to enter Twitter credentials to open the dating site. In an attempt to evade antispam filters, email messages are obfuscated with legitimate content.
From: "DateTwit" <DateTwit_kv@[removed].com>
From: "DateTwit" <DateTwit_hoybfks@[removed].com>
From: "DateTwit" <DateTwit_vf@[removed].com>
From: "DateTwit" <DateTwit_bxrf@[removed].com>
With these attacks, spammers hope that they can lure recipients into action by hiding behind the reputation of the Twitter social networking brand, which continues to grow in popularity.
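The four redacted sender lines above share one display name and one brand prefix in the local part, with only a random suffix changing between messages. That shape is easy to surface from a batch of From: headers, and the Python below does so as an added example that is not Symantec's code: the header lines are constructed in imitation of the redacted ones, the domain is a placeholder, and the thresholds (three distinct local parts, a shared prefix of at least three characters) are assumptions chosen for illustration.

```python
"""Group From: headers by display name and domain and flag senders that keep a
fixed brand prefix with a rotating random suffix in the local part, the pattern
the report shows for the 'DateTwit' campaign. Added example, not Symantec's code;
the header lines are constructed and the domain is a placeholder."""
import os
from collections import defaultdict
from email.utils import parseaddr

# Constructed sample headers, modelled on the redacted ones in the report.
SAMPLE_FROM_HEADERS = [
    'From: "DateTwit" <DateTwit_kv@sender-example.test>',
    'From: "DateTwit" <DateTwit_hoybfks@sender-example.test>',
    'From: "DateTwit" <DateTwit_vf@sender-example.test>',
    'From: "DateTwit" <DateTwit_bxrf@sender-example.test>',
    'From: "Weekly News" <news@legit-example.test>',
    'From: "Weekly News" <news@legit-example.test>',
]


def parse_from(line):
    """Split a raw 'From:' line into (display name, local part, domain)."""
    _, _, value = line.partition(":")
    name, addr = parseaddr(value.strip())
    local, _, domain = addr.partition("@")
    return name, local, domain.lower()


def rotating_senders(headers, min_variants=3, min_prefix=3):
    """Senders whose display name/domain pair appears with many distinct local
    parts that share a common prefix (brand name plus random suffix)."""
    locals_by_sender = defaultdict(set)
    for line in headers:
        name, local, domain = parse_from(line)
        locals_by_sender[(name, domain)].add(local)
    findings = []
    for (name, domain), locals_ in locals_by_sender.items():
        if len(locals_) < min_variants:
            continue
        prefix = os.path.commonprefix(sorted(locals_))
        # Require a non-trivial shared prefix so unrelated addresses are not grouped.
        if len(prefix) < min_prefix:
            continue
        findings.append({
            "display_name": name,
            "domain": domain,
            "variants": len(locals_),
            "prefix": prefix,
            "suffixes": sorted(l[len(prefix):] for l in locals_),
        })
    return findings


if __name__ == "__main__":
    for finding in rotating_senders(SAMPLE_FROM_HEADERS):
        print(finding)
```

The legitimate newsletter in the sample is never flagged because its local part is constant; the heuristic only fires when one display name fronts a churn of addresses, which is the evasion pattern the sender lines above illustrate.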
Spam Diploma Mills Continue To Turn Out More Offers
Approximately 539,000 jobs were lost in the United States in April 2009. While the number of jobs lost each month is easing slightly, the unemployment rate rose to 8.9 percent in the same month. With difficulties in the job market, many professionals and students are deciding to obtain additional qualifications in order to enhance their resumes. While diploma spam is not new, the number and variety of courses offered have increased in recent weeks. Specifically, we’ve observed an increase in degrees offered around criminal justice and forensic science – perhaps as a result of the popularity of television shows focused on criminal investigation and forensic science.
Massage therapy courses have recently become a favorite of spammers as well. One of the linking factors between the courses offered by spammers is that they routinely ask for financial-related information in the initial application stage, whereas legitimate online universities generally connect the candidate with an advisor or mentor who guides them through the application process.
Fight Diabetes, But Not With Spammers’ Help
According to the World Health Organization (WHO), “At least 171 million people worldwide have diabetes; this figure is likely to be more than double by 2030.” The chronic nature of diabetes means that patients are constantly required to control their blood sugar levels using various pharmaceutical products. The WHO has reported that, overall, direct health care costs of patients with diabetes range from 2.5 percent to 15 percent of annual health care budgets.
Online medical suppliers have for some time provided certain discounts and offers, including free glucose meters, to visitors placing their supply order. Recent spam messages have been observed in which the brands of legitimate medical providers have been used by spammers to try to obtain personal information. Spammers ensured that the legitimate brand names appeared either in the subject or sender line of the message. After submitting the information, recipients are informed that they will be contacted in the next five minutes.
However, spammers are collecting this information for their own gain. Email addresses submitted as part of the personal information requested are often used or sold for future spam campaigns. Users can avoid compromising their data by simply typing the legitimate URLs directly into the browser when ordering their supplies rather than clicking on a link from an email.
Some of the sample subjects associated with these spam attacks:
• [brand name removed] glucose meter at no-charge from [supplier name removed]
• Manage your diabetes - Complimentary glucose meter from [supplier name removed]
• Self-test your blood glucose with a complimentary meter from [supplier name removed]
• Your free glucose meter is waiting for you
• Manage your diabetes - free glucose meter from [supplier name removed]
Zombie Host IP Activity May 2009
Zombie is a term given to a computer that has been compromised and is being used for various criminal-related interests such as sending spam, hosting websites that advertise spam and acting as DNS servers for zombie hosts. The top 10 countries hosting active zombie machines in May 2009 are compared in the chart below with the results shared in the May 2009 State of Spam report:
The table shows that Brazil continues to dominate as the number one host of active zombie machines. Turkey and Russia, at eight and seven percent respectively, have swapped positions this month.
Metrics Digest: Regions of Origin
Defined: Region of origin represents the percentage of spam messages reported coming from
certain regions and countries in the last 30 days.
Metrics Digest: Global Spam Categories
Internet: Email attacks specifically offering or advertising Internet or computer-related goods and services. Examples: web hosting, web design, spamware
Health: Email attacks offering or advertising health-related products and services. Examples: pharmaceuticals, medical treatments, herbal remedies
Leisure: Email attacks offering or advertising prizes, awards, or discounted leisure activities. Examples: vacation offers, online casinos
Products: Email attacks offering or advertising general goods and services. Examples: devices, investigation services, clothing, makeup
Financial: Email attacks that contain references or offers related to money, the stock market or other financial “opportunities.” Examples: investments, credit reports, real estate, loans
Scams: Email attacks recognized as fraudulent, intentionally misguiding, or known to result in fraudulent activity on the part of the sender. Examples: pyramid schemes, chain letters
Adult: Email attacks containing or referring to products or services intended for persons above the age of 18, often offensive or inap-
Fraud: Email attacks that appear to be from a well-known company, but are not. Also known as “brand spoofing” or “phishing,” these messages are often used to trick users into revealing personal information such as email address, financial information and passwords. Examples: account notification, credit card verification, billing updates
419 spam: Email attacks named after the section of the Nigerian penal code dealing with fraud; refers to spam email that typically alerts an end user that they are entitled to a sum of money, by way of a lottery, a retired government official, a new job or a wealthy person that has passed away. This is also sometimes referred to as advance fee fraud.
Political: Email attacks advertising a political candidate’s campaign, offers to donate money to a political party or political cause, offers for products related to a political figure/campaign, etc. Examples: political party, elections, donations