The State of Spam
A Monthly Report
August 2008
Generated by Symantec Messaging and Web Security
Doug Bowers, Executive Editor, Antispam Engineering
Dermot Harnett, Editor, Antispam Engineering
Joseph Long, Security Response Lead, Symantec Security Response
Cory Edwards, PR Contact, cory_edwards@symantec.com
Monthly Spam Landscape

McCain, Obama and the Olympic Games have all become prime targets in a malicious spam campaign as spam levels average 78 percent of all messages in July 2008. In July 2007, spam represented 66 percent of all messages. The rise in spam represents a year-on-year increase of 12 percent and demonstrates spammers' unwillingness to give up their spam campaigns.

The Symantec August 2008 State of Spam Report notes the following trends:

- Spammers' Bullseye: Obama, McCain and the Olympic Games
- World War III Spam Hoax
- Superfoods and How to Lose Money Fast
- Phishing Email Targets Microsoft POP3 User Data
- Bilingual Spam Messages Emerge
- Spammers Offer Drug & Alcohol Rehab
- Economic Spam Watch: August 2008

Percentages of E-mail Identified as Spam

Defined: Worldwide Internet Mail Gateway Spam Percentage represents the number of messages that were processed and classified as spam versus the total number of messages processed when scanned at the mail gateway. This metric represents SMTP layer filtering and does not include the volumes of e-mail detected at the network layer.

[Figure: Internet E-mail Spam Percentage. A trend line has been added to demonstrate a 7-day moving average.]
Global Spam Categories

Defined: Spam category data is collected from classifications on messages passing through the Symantec Probe Network.

[Figure: Global Spam Categories, Last 30 Days. Categories shown: Financial, Adult, Fraud, Health, Scams, Internet, Products, Leisure.]
Category Definitions

- Products: E-mail attacks offering or advertising general goods and services. Examples: devices, investigation services, clothing, makeup
- Adult: E-mail attacks containing or referring to products or services intended for persons above the age of 18, often offensive or inappropriate. Examples: porn, personal ads, relationship advice
- Financial: E-mail attacks that contain references or offers related to money, the stock market or other financial opportunities. Examples: investments, credit reports, real estate, loans
- Scams: E-mail attacks recognized as fraudulent, intentionally misguiding, or known to result in fraudulent activity on the part of the sender. Examples: Nigerian investment, pyramid schemes, chain letters
- Health: E-mail attacks offering or advertising health-related products and services. Examples: pharmaceuticals, medical treatments, herbal remedies
- Fraud: E-mail attacks that appear to be from a well-known company, but are not. Also known as brand spoofing or phishing, these messages are often used to trick users into revealing personal information such as e-mail address, financial information and passwords. Examples: account notification, credit card verification, billing updates
- Leisure: E-mail attacks offering or advertising prizes, awards, or discounted leisure activities. Examples: vacation offers, online casinos, games
- Internet: E-mail attacks specifically offering or advertising Internet or computer-related goods and services. Examples: web hosting, web design, spamware
- Political: Messages advertising a political candidate's campaign, offers to donate money to a political party or political cause, offers for products related to a political figure/campaign, etc. Examples: political party, elections, donations
- Spiritual: E-mail attacks with information pertaining to religious or spiritual evangelization and/or services. Examples: psychics, astrology, organized religion, outreach
- Other: E-mail attacks not pertaining to any other category.
Regions of Origin

Defined: Region of origin represents the percentage of spam messages reported coming from certain regions and countries in the last 30 days.
Spammers' Bullseye: Obama, McCain and the Olympic Games

Using recent news events such as Obama's trip to Europe, the US Presidential Campaign and the anticipation of the Olympic Games, which begin August 8th in China, spammers continue to sensationalize spam emails to entice users to open them. In recent examples of these spam attacks, the recipient opens one of these messages and is then asked to click on a link that hosts malware. This malicious spam is often designed to infect other computers with viruses and trojans rather than simply promoting a spam product. In the examples observed by Symantec during July, legitimate websites were often hijacked by hackers to host malware for this attack. Using legitimate websites can often make it harder to trace some of these hijackers.

Some of the subject lines of these malicious spam emails have included

There are two key points to note when monitoring this type of spam: the continuing link between spam and other security threats, and the prevalent trend among spammers of using current events and human curiosity to lure users into opening a spam message.
World War III Spam Hoax

Spammers are misleading web users with spam messages containing a Trojan virus claiming that World War III has begun after a US invasion of Iran. This malicious code has been detected as Trojan.Peacomm by Symantec AV.

Symantec has seen emails with the following subject lines: Third World War has begun, US soldiers occupied Iran, US soldiers occupied Iran, Negotiations between USA and Iran ended in War.

The email contains what appears to be a video showing a bomb explosion which, when clicked, links to the Trojan. The message also reads:

Just now US Army's Delta Force and US Air Force have invaded Iran. Approximately 20000 soldiers crossed the border into Iran and broke down the Iran's Army resistance. The video.

The spammer is attempting to take advantage of the recipient's curiosity and of news events to sell them on the idea that a US invasion of Iran has taken place, in hopes of enticing the recipients to click on the link in order to spread this Trojan.
Superfoods and How to Lose Money Fast

Trends in spam often closely mimic what's happening in popular culture. Currently all things natural are in vogue, with superfoods often making the news. This spam offer seems to have it all: a natural product that promotes weight loss, and an advertisement that included a photo of a prominent news broadcaster and the logos of prominent news outlets, with their seeming endorsement of the superfood. To top it off, the spam message indicated that the product could be tried without any cost. However, a quick look at the small print, hidden away on a separate page that the promoters do not require the recipient to open, shows it's far from free: by signing up for the offer the recipient agrees to have $74.95 billed monthly to their account.

To try to get the message past spam filters, each message includes hundreds of random words hidden in the HTML tags.
[Figure: Random paths hidden in the HTML tags]

The spammer uses several different domains, uses random long paths, and changes the subject and sender line each time when sending the attack.
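One way a filter can flag the tag padding described above, as an added example that is not from the Symantec report. It assumes the random words appear as unrecognised tag names and attributes; the allow-lists, function names, threshold and sample bodies are constructed for illustration.

```python
from html.parser import HTMLParser

# Elements and attributes common in legitimate HTML mail (assumed allow-lists).
KNOWN_TAGS = set("html head body title p br a img div span table tr td th b i u "
                 "font center h1 h2 h3 ul ol li strong em hr style meta".split())
KNOWN_ATTRS = set("href src alt style class id width height align color size face "
                  "border bgcolor title cellpadding cellspacing content name".split())

class TagPaddingScanner(HTMLParser):
    """Counts words in text nodes versus junk tokens buried inside tags."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.visible_words = 0
        self.junk_tokens = 0

    def handle_starttag(self, tag, attrs):
        if tag not in KNOWN_TAGS:
            self.junk_tokens += 1            # made-up element name
        for name, value in attrs:
            if name not in KNOWN_ATTRS:      # made-up attribute, plus words in its value
                self.junk_tokens += 1 + len((value or "").split())

    def handle_data(self, data):
        self.visible_words += len(data.split())

def padding_ratio(html_body):
    """Junk tokens hidden in tags as a fraction of all tokens in the body."""
    scanner = TagPaddingScanner()
    scanner.feed(html_body)
    scanner.close()                          # flush any buffered text node
    total = scanner.visible_words + scanner.junk_tokens
    return scanner.junk_tokens / total if total else 0.0

def looks_padded(html_body, threshold=0.5):
    return padding_ratio(html_body) >= threshold

# Constructed sample bodies (not taken from the report).
PADDED = ('<html><body><font kettle marble orbit="x" anchor velvet>Try it free</font> '
          '<a href="http://example.test/a/b">Order now</a>'
          '<zebra lantern pickle></zebra></body></html>')
CLEAN = ('<html><body><p class="intro">Your invoice for July is attached.</p>'
         '<a href="https://example.test/invoice">View invoice</a></body></html>')

if __name__ == "__main__":
    print(round(padding_ratio(PADDED), 3), looks_padded(PADDED))
    print(padding_ratio(CLEAN), looks_padded(CLEAN))
```

Because the junk never renders, the ratio separates what the recipient sees from what a content filter tokenises, which is the gap this padding tries to exploit.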
Phishing Email Targets Microsoft POP3 User Data

Symantec has observed a new fraud attack targeting Microsoft POP3 users. The email claims that recipients have a POP3 setting problem and need to click on the URL in the email to confirm the account data. Headers from the scam email were:

From: Microsoft <service@securitycenter.com>
Subject: Message from Microsoft
or
Subject: Microsoft Outlook Verification #

The email shows a warning, but the URL in the message does not lead the recipient to the Microsoft web site; it leads to a hacked web site. The phishing page requests personal data from the end user. While this phishing example may be easily identified as a scam, the recipient of this message could provide their personal information. The information would then be used maliciously by the spammer.
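The two tells in this message, a brand in the display name over an unrelated sender domain and a link that leaves the brand's site, can be checked mechanically. This is an added example, not code from the report: the From header is the one quoted above, while the brand-to-domain map, function names and message bodies are constructed assumptions.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Brand name -> domains it legitimately sends from and links to (assumed list).
BRAND_DOMAINS = {"microsoft": {"microsoft.com"}}

def _under(host, domains):
    """True if host equals, or is a subdomain of, one of the given domains."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def brand_mismatch(from_header, html_body):
    """Return the reasons a message claiming a brand does not belong to it."""
    display, addr = parseaddr(from_header)
    findings = []
    for brand, domains in BRAND_DOMAINS.items():
        if brand not in display.lower():
            continue                          # display name makes no brand claim
        sender_domain = addr.rpartition("@")[2]
        if not _under(sender_domain, domains):
            findings.append(f"sender domain {sender_domain} is not {brand}")
        for url in re.findall(r'href\s*=\s*["\']([^"\']+)', html_body, re.I):
            host = urlparse(url).hostname     # None for relative links
            if host and not _under(host, domains):
                findings.append(f"link host {host} is not {brand}")
    return findings

# From header as quoted in the report; the body and its URL are constructed.
SCAM_FROM = "Microsoft <service@securitycenter.com>"
SCAM_BODY = ('<p>There is a problem with your POP3 settings.</p>'
             '<a href="http://compromised-site.example/confirm">Confirm account data</a>')
# Constructed benign counterpart.
OK_FROM = "Microsoft <account@microsoft.com>"
OK_BODY = '<a href="https://support.microsoft.com/help">Help</a>'

if __name__ == "__main__":
    for reason in brand_mismatch(SCAM_FROM, SCAM_BODY):
        print(reason)
```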
Bilingual Spam Messages Emerge

Online casino spam has been around for quite some time in many languages including English and Japanese. The interesting thing about the message below is that it is written in Japanese and machine translated into English. As antispam filters become more sophisticated, spammers continue to try and inundate the markets that they are targeting.
Spammers Offer Drug and Alcohol Rehab

July 2008 saw the emergence of rehab spam. Subject lines have included:

- Get help today with Drug Rehab Info
- Overcome Alcoholism today

Spammers are constantly trying new tactics to try and coerce recipients into opening a spam message so that they can obtain personal information from end users. In this particular example, they are trying to target individuals who are not in good health, in the hopes that they will act on this spam message and give away their personal details.
Economic Spam Watch: August 2008

As economic concerns continue to be top of mind for Americans, spammers have continued to exploit this sensitive topic as a way to promote various financial spam offers. This month Symantec observed economic spam emails with the following subject lines:

The purpose of these particular spam messages is to harvest personal information from trusting recipients. Spammers use this information to feed future spam campaigns, but may also sell this information to other groups.