October was an eventful month in the spam world.
Thanks to the economic fallout in the world market, spammers had plenty of material to base their spam and virus campaigns around. Speaking of viruses, there were still plenty around, even though the daily levels were far below the traffic we were seeing back in August. Here are a few other highlights from the month of October.
*LinkedIn, a social networking site geared towards professionals, was the target of a malware campaign early in the month of October.
*With the near collapse of the banks this month, cyber criminals played their stereotypical role, treating tragedy as opportunity.
*Virus activity continued to stabilize during the month, still recovering from August’s record traffic.
*To continue with the month’s stressful financial theme, spammers bumped up the amount of debt‐relief offers they dropped in your inboxes.
*The Better Business Bureau was used once again as the front for a malware campaign this month.
*The FTC along with New Zealand’s Department of Internal Affairs helped to bring a group responsible for one of the largest spam operations around today to court.
Total Email Traffic Volume
We saw just over 300 million more total messages in October than in the previous month. Spam levels remained relatively the same from the previous month.
Regions of Origin
The distribution remained very similar to the percentages from the past few months. However, the huge spike in spam traffic that we saw from Africa has subsided, and the region is back to its previous level of about one percent.
Top Ten Spam Countries of Origin
The spamscape again remained virtually unchanged from the previous month: the top six spam‐originating countries remained the same, in the same order. Spain made another return to the top ten this month, and Korea failed to make the list.
Economic Trends
There has been a drastic increase in phishing emails as well as debt/credit solicitations over the past few months. As uncertainty set in on global financial markets, spammers ramped up their efforts to obtain people's personal and banking information, as is evident in the chart below. Most often they appealed to people's financial fears to coax them into giving up their information. As the credit market began to dry up we also saw another significant change: in addition to the increase in phishing over the past few months, we have been seeing a huge increase in debt/credit spam.
Top Viral Threats
These are the top 20 malware threats we saw this past month in order of frequency, with the most frequent appearing in the top position. The virus names that begin with “X.” signify rules that were written by AppRiver Analysts. (This doesn’t mean that other anti‐virus companies didn’t eventually have definitions in place for these viruses; it simply means that AppRiver often had protection in place before many of them did.)
*X.Trojan.Virantix.C
*X.Trojan.Spy.Goldun.NDU
*W32\Spy.Goldun.NDM_trojan
*a_variant_of_W32\Kryptik.
*X.Passprotected‐08
30‐Day Virus Activity
Virus levels decreased again from the unusually high levels of the past few months. The total number of virus messages blocked was still nearly 200 percent more than at this time last year. We successfully captured more than 75 million messages containing a virus in the month of October. AppRiver also maintained its capture rate of 99.8% for the second consecutive month.
Attachment Spam
Attachment spam seen during the month, broken down by file type and frequency. Image spam doubled during the month of October. We successfully captured 750 million image spam messages this month. Image spam accounted for 6.4 percent of all spam traffic during October.
It has been a trend for the past year or two to use social networking sites in order to infect people with malware. At first people would create fake profiles on networks such as MySpace and/or Facebook and post infectious comments on legitimate pages within the network. Once the excited recipient clicked the link in the comment to 'see who had a crush on' them, or 'get free gift cards', they would in turn start sending out the same messages to their whole network of "friends". That was popular until MySpace figured out who was doing it, took them to court and won a big lawsuit against them. So, naturally, that began to look like a bad idea, and the bad guys instead sent out spam emails that appeared to come from these networks. The emails would lead to fake log‐in screens where the users' credentials would be stolen and their accounts used to send the spam and malware; or the fake emails would simply infect the recipient with an attachment that contained malware, or include a link to a web site that hosted other malware. Right at the beginning of the month we began to see another social network being used as a theme to infect recipients. LinkedIn, if you're unaware, is a social network designed for an older, more professional demographic. These emails arrive pretending to be from the LinkedIn network, explaining that they were finally able to export your list of business contacts from your account. They are written in a "better than most" support‐style email, signed by the "Technical Support Department". The attachment that is supposed to contain your contact list is actually a .scr file inside a .zip titled 'Contacts.Zip'. Those screensaver files (.scr) are always bad news, especially when zipped up; avoid them.
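The gateway check a defender would want for the attachment described above, as an added example that is not AppRiver's own code: it opens a zip in memory, flags members whose final extension is executable (so a double extension like 'Contacts.txt.scr' is still caught), flags encrypted members that cannot be inspected, and recurses into nested archives. The sample archive and the extension list are constructed for this example.

```python
import io
import posixpath
import zipfile

# Extensions a mail gateway should treat as executable content when they arrive
# inside an archive (the campaign above shipped a .scr inside Contacts.Zip).
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def risky_members(archive_bytes, depth=0, max_depth=3):
    """Return [(member_path, reason)] for archive members a gateway should block.

    Checks each member's *final* extension (so 'Contacts.txt.scr' is caught),
    flags encrypted members that cannot be inspected, and recurses into nested
    zips up to max_depth.
    """
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(archive_bytes))
    except zipfile.BadZipFile:
        return [("<archive>", "not a valid zip file")]
    for info in zf.infolist():
        name = info.filename
        ext = posixpath.splitext(name)[1].lower()
        if info.flag_bits & 0x1:  # bit 0 of the general-purpose flag = encrypted
            findings.append((name, "encrypted member, cannot be scanned"))
        elif ext in EXECUTABLE_EXTENSIONS:
            findings.append((name, "executable extension " + ext))
        elif ext == ".zip":
            if depth >= max_depth:
                findings.append((name, "nested archive deeper than %d" % max_depth))
            else:
                for path, reason in risky_members(zf.read(name), depth + 1, max_depth):
                    findings.append((name + "/" + path, reason))
    return findings


def build_sample_zip():
    """Constructed sample, not a real campaign file: the shape of the attachment
    described above, plus a nested zip holding a double-extension executable."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("invoice.pdf.exe", b"dummy bytes, not a real program")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("Contacts.scr", b"dummy bytes, not a real program")
        zf.writestr("readme.txt", b"Your exported contacts are attached.")
        zf.writestr("more.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for path, reason in risky_members(build_sample_zip()):
        print("BLOCK %-28s %s" % (path, reason))
```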
The Better Business Bureau has been used to push malware many times in the past, and here it is once again. This time, much like the times before, it arrives in your inbox as a not‐so‐official‐looking email. This one claims that they, the BBB, have “enhanced web surfing process [sic] with new security measures”. The recipient is then encouraged to click on a link to register their company’s new enhanced digital security certificate. Once the link is followed, you are taken to a more official‐looking website, even though the web address certainly isn’t the BBB's. The site goes on to explain the benefit of certificates and gives you a link to download the file ‘TrustedBBBCertificate.exe’. As you may have guessed, it’s far from secure, and is instead a Trojan designed to steal login credentials.
There’s no doubt that this month’s theme has been the economy, or rather the very poor economy. It was no shock that this theme also carried over into the cyber realm. Not only did these cyber crooks try to steal your money by offering you bogus debt‐relief options via your inbox, but they also tried a more direct route of robbing you: phishing scams, and a lot of them. One such phishing scam was posing as BanCorp around the beginning of the month. The mails arrived in the same ironic fashion as a lot of them do, by pretending to boost the security measures surrounding your critical information. After following the link provided in these emails, the website, which in another ironic fashion warns you that “Fraudulent online banking activity is on the rise”, prompts for your account login information, which in turn they collect to use themselves or to sell to other thieves. But the joke's on them, because the banks already lost all of my money! Other banks that were the target of larger phishing schemes this past month were Wells Fargo and Flagstar.
Right around the middle of October the US Federal Trade Commission, with the help of the New Zealand Department of Internal Affairs, successfully brought a spam gang responsible for one of the largest botnets out there to court. The gang was responsible for promoting weight loss pills, replica watches and several herbal male enhancement products. They used the botnet dubbed the Mega‐D botnet, named after one of their products, to push their wares. After receiving more than 3 million individual complaints about the group, the FTC brought charges against the group on the grounds that one of their products, “VPXL”, which was touted as “100% herbal and safe”, was neither 100% herbal nor safe. This product actually contained the ingredient Sildenafil, which is the active ingredient in the prescription drug Viagra. Even though the group was ordered to halt all operations, the botnet they used to deliver all of these spam emails continues to function at only a slightly lower level.
Virus activity certainly hasn’t been as insane as it was back in August, which topped out at around 40 million virus‐laden emails on a daily basis; in fact it has begun to stabilize for the time being. The numbers are still high, granted, but only around 2 million daily, which is a big difference. Interestingly enough, the number of zero‐day variants continues at a rate of 3 or 4 a day. This has been the trend since numbers were at their peak. Malware authors will write a new Trojan, and create many different variations of this single virus by using a method known as packing. Packing essentially scrambles the code of the virus or adds junk code or whitespace throughout the original code so that it appears completely different to anti‐virus software yet behaves exactly the same with each variant. The virus authors will run one virus campaign until they see the AV vendors begin to catch up with it; they will then switch out variants with one of many they have waiting on deck, and the cycle starts over. Luckily, AppRiver’s XVirus AV Engine operates inline and can be updated instantly without having to wait for definitions to be pushed down en masse, which can take hours with software solutions.
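Why the junk‐and‐whitespace padding described above defeats an exact‐match signature, and one detection response to it, as an added example that is not AppRiver's engine or code: two constructed, harmless toy scripts with identical logic are hashed as delivered (hashes differ) and again after stripping what a padder can vary freely (hashes agree). The variants, the "rem" junk‐line convention and the normalization rule are assumptions made for this example.

```python
import hashlib
import re

# Two constructed variants of the same harmless toy script. B is A with junk
# comment lines and extra whitespace inserted, mimicking how the page describes
# packers altering a sample's bytes without altering its behaviour.
VARIANT_A = b"echo backing up\ncopy report.txt backup.txt\necho done\n"
VARIANT_B = (b"rem q8z3 junk\necho   backing up\n\nrem  more junk\n"
             b"copy  report.txt    backup.txt\necho done   \n")

# Assumed junk-line convention for this toy format: comment lines starting "rem".
JUNK_LINE = re.compile(rb"^\s*rem\b.*$", re.IGNORECASE | re.MULTILINE)


def raw_hash(sample):
    """Exact-match signature: SHA-256 over the bytes as delivered."""
    return hashlib.sha256(sample).hexdigest()


def normalize(sample):
    """Strip what a padder can vary freely: junk comment lines, blank lines and
    whitespace runs. What remains is the part that determines behaviour."""
    without_junk = JUNK_LINE.sub(b"", sample)
    lines = [re.sub(rb"\s+", b" ", ln).strip() for ln in without_junk.splitlines()]
    return b"\n".join(ln for ln in lines if ln)


def normalized_hash(sample):
    """Signature over normalized content; stable across padded variants."""
    return hashlib.sha256(normalize(sample)).hexdigest()


def classify(sample, known_raw, known_normalized):
    """Return which signature type (if any) recognises the sample."""
    if raw_hash(sample) in known_raw:
        return "exact"
    if normalized_hash(sample) in known_normalized:
        return "normalized"
    return "unknown"


if __name__ == "__main__":
    known_raw = {raw_hash(VARIANT_A)}
    known_norm = {normalized_hash(VARIANT_A)}
    print("raw hashes equal:       ", raw_hash(VARIANT_A) == raw_hash(VARIANT_B))
    print("normalized hashes equal:", normalized_hash(VARIANT_A) == normalized_hash(VARIANT_B))
    print("variant B, exact-only signatures:", classify(VARIANT_B, known_raw, set()))
    print("variant B, with normalized sigs: ", classify(VARIANT_B, known_raw, known_norm))
```

Real packers transform compiled code rather than script text, so the normalization step in practice is unpacking or emulation; the signature‐management lesson is the same.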