Spam Statistics Report Q3-2013

This 2013 Quarterly Spam Statistics Report provides the latest analysis of spam trends, malicious attachments, phishing, and insights from the Kaspersky Lab intelligence team for the 3rd quarter 2013. This report provides not only key findings and trends but also spammer methods and tricks as well as spam by source globally.

• The percentage of spam in total email traffic decreased by 2.4 percentage points from the second quarter of 2013 and came to 68.3%.
• The percentage of phishing emails grew threefold and accounted for 0.0071%.
• Malicious attachments were detected in 3.9% of all emails — 1.6 percentage points more than in Q2 2013

In Q3 2013, spammers indulging in the stereotypical promotion of medications to improve potency were especially creative, combining social engineering techniques with tricks to bypass spam filters.

In one mass mailing they used the following method:

The email subject used a string of symbols designed to resemble the word ‘Viagra’, while the text was limited to a single link to a pharmaceutical site.

This minimalist approach helps to bypass content filtering. There are no keywords to be found, since the word ‘Viagra’ cannot be read by the filter even though it is obvious to a human reader. Since each email found a different ‘code’ for Viagra, it wasn’t enough to simply add a new keyword to the database either. Since UTF-8 includes symbols from all languages – including very rare ones. Most languages have their own unique letters, modifiers and symbols even when they are based on the familiar Latin alphabet. As a result there are more than 100 symbols which could be read as the letter ‘a’. It’s not surprising that there are hundreds of millions of different potential combinations which could spell ‘Viagra’.

Q3 2013 was rich in events which generated public interest, such as the birth of the royal baby in the UK, the FBI hunt for Edward Snowden and the railway accident in Spain. All this news was used by fraudsters to distribute malware.

The malicious emails registered by Kaspersky Lab in Q3 2013 came in various forms but mostly imitated mass news mailings. However, the links contained in all emails led to compromised websites which redirected users to a page with one of the most popular exploit kits – Blackhole. Once users reach the website, Blackhole starts searching for vulnerabilities in their software. If it finds any, it downloads several malicious programs, including Trojan spyware designed to steal personal data from victim machines.

Statistic: Sources of Spam by Country

In Q3 the top three spam sources remained unchanged: China (-0.9 percentage points), the US (+1.2 percentage points) and South Korea (+2.1 percentage points). The total share of these three countries accounted for 55% of the world’s spam traffic.

As in the previous quarter, Taiwan came 4th in the rating (+0.1 percentage points).

The distribution of sources of spam by region in Q3 2013

 

In Q3 the rating of the top sources of spam by region did not undergo any major changes from the first two quarters of 2013. The share of the regions remained almost the same too.

Asia remained the number one regional source of spam (+0.2 percentage points). It is followed by North America (+1.9 percentage points) and Western Europe (-0.2 percentage points).

The share of the other regions did not vary significantly.

Noticeably, there is not always a correlation between where spam is sent and where it is produced. For example, a lot of African spam goes to Russia; that originating in South Korea is often sent to Europe, while spam from Western Europe is distributed evenly around the world.

The percentage of small spam emails weighing in at under 1 KB is growing from quarter to quarter. The majority of these emails contain hardly any text. They only include a link, which usually leads to the redirecting site or to a short link service which makes each email unique. These emails create problems for spam filters and, due to their small size, can be sent quickly and in huge quantities.

The level of malicious attachments in the third quarter was 1.6 percentage points higher than in the second and came to 3.9% of all mail traffic.

Trojan-Spy.HTML.Fraud.gen topped the rating of the most popular malicious program spread by email in the third quarter this year. This malicious program is designed to look like an html page used as a registration form for online banking services. It is used by phishers to steal financial information.

In Q3 2013 the percentage of phishing emails increased threefold from the previous quarter and accounted for 0.0071%.

Distribution of the Top 100 organizations most frequently targeted by phishers,* by category — Q3 2013

* This rating is based on Kaspersky Lab's anti-phishing component detections, which are activated every time a user attempts to click on a phishing link, regardless of whether the link is in a spam email or on a web page.

 

In Q3-2013, notifications from social networking sites were most frequently imitated in phishing emails. Messages sent on behalf of email services and search engines were in 2nd and 3rd places. In fact, these two categories are difficult to separate as many major companies combine search engine and webmail functions.

In total, these three categories represented over 60% of all attacks in the Top 100 organizations most frequently targeted by phishers. This figure shows that the monetization of phishing is largely based on the sale of stolen account credentials, which can be used in turn to distribute spam across their contact lists.

Financial and e-pay organizations and banks came 4th in the list of phisher targets. This does not imply that phishers are less interested in banks. It is more likely that attacks on individual institutions are rarely on such a large scale as to get them into the Top 100.

In Q3 2013 spammers actively used both old and new tricks to bypass filtering as well as social engineering techniques to persuade users to click the necessary links. For example, one of the most common malware distribution tricks is to use high-profile news stories and design emails in the form of newsletters. Some tricks, such as fake emails sent on behalf of a well-known Internet resource, were considered especially effective and used in various partner programs. For example, a link in an email imitating a notification from Facebook could, at different times, lead to a site advertising medications or to a site containing exploits.

However, the arrest of the Blackhole exploit kit creator has shown that cybercriminals do not go unpunished, even in Russia with its relatively weak legislation against cybercriminals. We will continue to follow the developments in this case.

Q3 2013 saw little change in the leading spam sources by country. On a regional level there was even less change. It seems that the location of botnets is relatively stable, or at least there is a lull in the active relocation of botnets.

Despite the slight decline in the share of spam in email traffic, the proportion of malicious spam grew more than 1.5 times compared to the previous quarter. The majority of the malware spread via email targeted user logins, passwords and confidential financial information.

As for the phishers, their most attractive targets were user accounts for social networking sites, email and other resources.