Spammers become image conscious

Symantec has published its April 2009 MessageLabs Intelligence Report that highlights a spam increase of almost 10% in one month, reaching heights of 85.3%, levels not experienced since September 2007.

Also in April, the G20 summit was the subject for a rise in targeted malware attacks. In addition, the number of malicious websites intercepted per day continued to increase, taking the average number intercepted each day to 3561.

“Image spam was a phenomenon that peaked in 2007, and now we see spammers recycling their techniques in the hope of repeating history,” said Paul Wood, MessageLabs Intelligence senior analyst, Symantec.

“Unfortunately for the spammers, the good guys are ready for the next bout of image spam and the cyber criminals have had to significantly revamp their tactics to put up a good fight.”

Previously, image spam involved emails containing attachments, such as .gif or .jpg that contained the spam content. However, today these images are now being hosted on trustworthy hosting sites, while taking advantage of redirection links from reputable sites to obfuscate the true location of the image hosting.

This is a technique employed by spammers to evade spam filters that examine the domains of the hyperlinks contained in the email, to make a judgment about the nature of that domain and the likelihood that it is a spam message.

Other techniques used to evade detection include containing some standard email text, such as unsubscribe opt-outs and privacy links, designed to make the overall appearance seem legitimate and compliant with legislation such as CAN-SPAM in the US.

Including randomised words within the content of the message to evade spam fingerprinting techniques and the use of HTML style tags to hide random text are other frequently used tactics.

The G20 summit was the subject of intense global media attention and also the subject for a rise in targeted malware attacks. On average, in 2008, the number of attacks was about 53 a day, rising to around 60 a day in early 2009.

In the run-up to the G20 summit and the days following, the number rose to about 100 a day.

The recipients of these attacks included financial organisations, including individuals from some of the central banks involved with the G20.

The email included a PDF attachment which, if opened, would cause a trojan downloader to be installed and executed. This would then download further spyware components onto the target computer.

It was noted that some attacks were crafted as replies to actual non-malicious emails, indicating that at least one of the recipients had already been infected.

The number of malicious websites continues to rise with April statistics highlighting an increase of 27.3%, with 3561 new malicious websites stopped on average each day. This is due to a series of threats including drive-by trojan malware, trojans hidden inside PDF files, malware disguised as .gifs but in fact being executable files, and malicious IFRAME HTML tags.

The latter is often as a result of the web server being compromised by an SQL injection attack, a technique favoured when targeting otherwise legitimate, bona fide domains. Other culprits also include software disguised as legitimate-looking apps, including rogue anti-malware software.

Analysis of web security activity shows that 63.3% of all web-based malware intercepted was new in April.

The global ratio of spam in email traffic from new and previously unknown bad sources was 85.3% (1 in 1.17 emails), an increase of 9.6% since March.

The global ratio of email-borne viruses in email traffic from new and previously unknown bad sources was one in 304.9 emails (0.28%), a decrease of 0.08% since March.

One in 404.7 emails (0.25%) comprised some form of phishing attack, a decrease of 0.10% in the proportion of phishing attacks compared with March.

When judged as a proportion of all email-borne threats such as viruses and trojans, the number of phishing emails had decreased by 9.2% to 89.7% of all email-borne malware threats intercepted in April.

Spam levels in Britain rose by 25.6% in April to 94%, positioning it as the most spammed country. Levels in the US rose to 79.4%, 77.4% in Canada and 89.9% in Hong Kong. Germany’s spam rate reached 83.3% and 78.0% in the Netherlands. Levels in Australia were 87.8%, 90.3% in China and 86.4% in Japan.

Virus activity in Germany rose by 0.07% to 1 in 164.8 emails, placing it in the top position for viruses in April.

Virus levels were 1 in 908.8 for Australia.

In April, the most spammed industry sector with a spam rate of 82.9% was retail. Levels reached 81.1% for education, 77.3% for chemical and pharmaceutical, 76.1% for public sector and 78.2% for finance.