Spam Report Gennaio 2010


Published on

I risultati del Report sullo Spam condotto da Symantec e aggiornato a gennaio 2010

Published in: Technology, News & Politics
  • Be the first to comment

  • Be the first to like this

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Spam Report Gennaio 2010

  1. 1. January 2010 Report #37 Notable highlights from December 2009 include the shift in the region of spam message origin and changes in the average size of spam messages. In recent months, APJ and South America have been taking spam share away from the traditional leaders of North America and EMEA. However, North America and EMEA together sent 57 percent of spam messages in December 2009, compared with 50 percent in November 2009. With respect to the average size of the messages, the 2kb- 5kb message size category increased by 7 percent points, while the 5kb-10kb message size category decreased by 6 percent points in December 2009. This change corresponds with a decrease in attachment spam. Attachment spam averaged at 4.48 percent in December 2009, compared with 5.28 percent in November 2009. With respect to all spam categories, health and product spam have increased, and now account for 52 percent of all spam messages. The following trends are highlighted in the January 2010 report:  Xmas Card, Loaded with Malware  Your Bank Has Declared Bankruptcy  Pills From Amazon?  December 2009: Spam Subject Line Analysis  “Dotted Quad” Spam Shows Sign of Eruption  Andy Lau Talks Chinese Invoice Spam Dylan Morss Eric Park Sagar Desai Executive Editor Editor PR contact Antispam Engineering Antispam Engineering
  2. 2. Xmas Card, Loaded with Malware Last month’s State of Spam Report highlighted top seasonal subject lines as the holidays ap- proached. Once again, Symantec researchers have monitored the typical holiday spam, rang- ing from replica goods and online pharmacy products to Nigerian-type scams. It was interest- ing to see a spam message pretending to be a holiday greeting card from a financial institu- tion. It is also important to note that this spam message can be easily changed into a phishing/fraud message. This could be accomplished by making minor changes to the email message source.
  3. 3. Your Bank Has Declared Bankruptcy Due to current recession, the FDIC (Federal Deposit Insurance Corporation) has closed many failed banks. By mid-December, there were 140 banks in 2009 closed by the FDIC. Given the amount of press coverage such news garners in the media, it is no surprise that spammers are taking advantage of this trend for their benefit. In the example above, spammers are claiming that the bank has declared bankruptcy. When the user clicks on the provided link to “learn how to save money,” Trojan.Pidief tries to install itself on the machine. Symantec advises users to check reliable news outlets as well as the official FDIC website to determine whether the banks indeed have been taken over by the government. As this exam- ple shows, spammers continue to look for ways to increase the chances of their messages be- ing opened by users. Symantec expects such techniques to continue in 2010.
  4. 4. Pills from Amazon? Spammers have been taking advantage of various “freeweb” services in an effort to bypass filters. Some have used URL shortening services to mask the true destination URL while others have abused a variety of social networking sites/tools by creating a profile that is really a spam campaign. While Symantec researchers have monitored spam which purported to be from Amazon, this particular spam message was different in that the spammer actually created an account on the retailer’s website. Then, the spammer sent the message via Amazon’s email system with its links. When users click on the link provided in the message, they are directed to the Amazon web- site.
  5. 5. December 2009: Spam Subject Line Analysis In December 2009, the top ten subject lines used by spammers were dominated by a mixture of Nigerian type and online pharmacy spam. This correlates to doubling of “health” category from 8 percent in November 2009 to 16 percent in December 2009. Meanwhile, NDR bounce spam, which appeared on the previous month’s list, averaged at 1.28 percent of all spam (accounted for 2.23 percent in November). Spam messages containing malware also fell, aver- aging 0.32 percent of all spam messages (accounted for 1.35 percent in November).
  6. 6. “Dotted Quad” Spam Shows Signs of Eruption Symantec researchers are observing an unusually large increase in volume of spam containing hijacked IPs. Furthermore, review of spam with hijacked IPs indicates that one specific attack was responsible for this volume change. Spam messages with hijacked IPs more than tripled in December 2009, compared with the vol- ume in November 2009. While this type of attack makes up a very small chunk of overall spam messages, there were certain periods in December when “dotted quad” spam accounted for a significant percentage. For example, such spam was over 25 percent of overall spam during the hour of 6:00 am PST on December 24th. Symantec researches investigated such spikes and found consistency among the spam mes- sages. A particular spam attack leading users to online pharmacy sites was using hijacked IPs in its campaign. As always, users cannot be certain whether the medications are genuine, if they are even de- livered in the first place. Worse, there is a high possibility that users who order through these sites become victims of identity theft. Users are advised to consult with their doctors for their health needs.
  7. 7. Andy Lau Talks Chinese Invoice Spam While invoice spam makes up a large slice of Chinese spam, the message often contains plain text-based advertisement (although the text may be an image). In this example below, spam- mers are leveraging a celebrity’s status by using Andy Lau’s image. Users should not be calling a number featured on spam for invoice, regardless of who is speaking.
  8. 8. Checklist: Protecting your business, your employees and your customers Do  Unsubscribe from legitimate mailings that you no longer want to receive. When signing up to receive mail, verify what additional items you are opting into at the same time. De- select items you do not want to receive.  Be selective about the Web sites where you register your email address.  Avoid publishing your email address on the Internet. Consider alternate options – for ex- ample, use a separate address when signing up for mailing lists, get multiple addresses for multiple purposes, or look into disposable address services.  Using directions provided by your mail administrators report missed spam if you have an option to do so.  Delete all spam.  Avoid clicking on suspicious links in email or IM messages as these may be links to spoofed websites. We suggest typing web addresses directly in to the browser rather than relying upon links within your messages.  Always be sure that your operating system is up-to-date with the latest updates, and em- ploy a comprehensive security suite. For details on Symantec’s offerings of protection visit  Consider a reputable antispam solution to handle filtering across your entire organization such as Symantec Brightmail messaging security family of solutions.  Keep up to date on recent spam trends by visiting the Symantec State of Spam site which is located here. Do Not  Open unknown email attachments. These attachments could infect your computer.  Reply to spam. Typically the sender’s email address is forged, and replying may only result in more spam.  Fill out forms in messages that ask for personal or financial information or passwords. A reputable company is unlikely to ask for your personal details via email. When in doubt, contact the company in question via an independent, trusted mechanism, such as a veri- fied telephone number, or a known Internet address that you type into a new browser window (do not click or cut and paste from a link in the message).  Buy products or services from spam messages.  Open spam messages.  Forward any virus warnings that you receive through email. These are often hoaxes.
  9. 9. Metrics Digest: Regions of Origin Defined: Region of origin represents the percentage of spam messages reported coming from certain regions and countries in the last 30 days.
  10. 10. Metrics Digest: URL TLD Distribution Metrics Digest: Average Spam Message Size Metrics Digest: Spam Attack Vectors
  11. 11. Metrics Digest: Global Spam Categories:  Internet Email attacks specifically offering or  Fraud Email attacks that appear to be from a advertising Internet or computer-related well-known company, but are not. Also known goods and services. Examples: web hosting, as “brand spoofing” or “phishing,” these mes- web design, spamware sages are often used to trick users into reveal-  Health Email attacks offering or advertising ing personal information such as E-mail ad- health-related products and services. Exam- dress, financial information and passwords. ples: pharmaceuticals, medical treatments, Examples: account notification, credit card herbal remedies verification, billing updates  Leisure Email attacks offering or advertising  419 spam Email attacks is named after the prizes, awards, or discounted leisure activities. section of the Nigerian penal code dealing Examples: vacation offers, online casinos with fraud, and refers to spam email that typi-  Products Email attacks offering or advertising cally alerts an end user that they are entitled general goods and services. Examples: devices, to a sum of money, by way of lottery, a retired investigation services, clothing, makeup government official, lottery, new job or a  Financial Email attacks that contain refer- wealthy person that has that has passed away. ences or offers related to money, the stock This is also sometimes referred to as advance market or other financial “opportunities.” Ex- fee fraud. amples: investments, credit reports, real es-  Political Email attacks Messages advertising a tate, loans political candidate’s campaign, offers to do- nate money to a political party or political  Adult Email attacks containing or referring to products or services intended for persons above the age of 18, often offensive or inappropriate. Examples: porn, personal ads, relationship advice