For total email traffic during the third quarter of the year, a majority (68.3%) was spam – a bad number by any estimation. But that’s actually down 2.4 percentage points from the second quarter, Kaspersky said in the report. The unfortunate thing, however, is that the proportion of malicious spam grew more than 1.5 times.
Malicious attachments were detected in 3.9% of all emails – 1.6 percentage points more than in Q2 2013. These messages carried a range of malicious programs, mostly designed to steal user logins, passwords and confidential financial information.
Spy.HTML.Fraud.gen topped the rating of the most popular malicious programs spread by email. It is a trojan designed to look like an HTML page used as a registration form for online banking services, and phishers use it to steal financial information. In its report, Kaspersky said that the overall level of phishing emails like this increased threefold and accounted for 0.0071% of all messages.
Malware authors also used a variety of social engineering lures, including security itself.
"In the third quarter we came across a very interesting mass mailing where the fraudsters imitated a reply from the technical support service of a large antivirus company,” explained Darya Gudkova, head of content analysis and research at Kaspersky Lab, in a statement. “The email informed the user that a file which he had allegedly sent for analysis turned out to be malware. The ‘technical support engineer’ attached a 'signature', advising that it would disinfect the computer. However, if users opened the attachment, they would find a malicious program detected by Kaspersky Anti-Virus as Email-Worm.Win32.NetSky.q."
Spammers continued to indulge in the stereotypical promotion of medications to improve potency, but got more creative, combining social engineering techniques with tricks to bypass spam filters.
In one mass mailing they used the following method: the email subject used a string of symbols designed to resemble the word ‘Viagra’, while the text was limited to a single link to a pharmaceutical site.
“This minimalist approach helps to bypass content filtering,” Kaspersky said. “There are no keywords to be found, since the word ‘Viagra’ cannot be read by the filter even though it is obvious to a human reader. Since each email found a different ‘code’ for Viagra, it wasn’t enough to simply add a new keyword to the database either.”
Also, UTF-8 includes symbols from all languages – including very rare ones. Most languages have their own unique letters, modifiers and symbols even when they are based on the familiar Latin alphabet. “As a result there are more than 100 symbols which could be read as the letter ‘a,’” Kaspersky said. “It’s not surprising that there are hundreds of millions of different potential combinations which could spell ‘Viagra.’”
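The filtering gap described above can be narrowed by folding look-alike characters before keyword matching and by flagging words that mix scripts. The sketch below is an added example, not Kaspersky's filter: the `CONFUSABLES` table is a small illustrative subset, and the function names and sample subjects are constructed for this illustration.

```python
import unicodedata

# Illustrative subset of look-alike letters (an assumption of this example);
# a production filter would load the full Unicode UTS #39 confusables data.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u03b1": "a",  # GREEK SMALL LETTER ALPHA
    "\u03b9": "i",  # GREEK SMALL LETTER IOTA
    "\u03bd": "v",  # GREEK SMALL LETTER NU
    "\u0261": "g",  # LATIN SMALL LETTER SCRIPT G
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I
}

def skeleton(text):
    """Fold text to a plain-Latin form that a keyword list can match."""
    out = []
    for ch in unicodedata.normalize("NFKD", text):  # splits accents, folds fullwidth
        if unicodedata.category(ch) == "Mn":        # drop combining marks
            continue
        ch = ch.casefold()
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)

def scripts(token):
    """Scripts used by the letters of a token (first word of the Unicode name)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in token if ch.isalpha()}

def check_subject(subject, keywords=("viagra",)):
    """Return (matched keyword or None, True if any word mixes scripts)."""
    folded = skeleton(subject)
    hit = next((k for k in keywords if k in folded), None)
    mixed = any(len(scripts(tok)) > 1 for tok in subject.split())
    return hit, mixed

# Constructed sample subjects, written with escapes so the trick stays visible.
SAMPLES = [
    "V\u0456\u0430gr\u0430",                  # Cyrillic i and a inside Latin
    "V\u00ed\u00e0gr\u00e4",                  # accented Latin letters
    "\uff36\uff49\uff41\uff47\uff52\uff41",   # fullwidth forms
    "Quarterly report attached",              # benign control
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(ascii(s), "naive:", "viagra" in s.lower(), "folded:", check_subject(s))
```

The mixed-script flag is useful on its own: it fires on a word that blends Latin and Cyrillic letters even when the substituted characters are missing from the mapping table.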
The third quarter of 2013 was also full of newsworthy events which grabbed public attention, such as the birth of the royal baby in the UK, the FBI hunt for Edward Snowden and the railway accident in Spain. And, as expected, fraudsters leveraged the events to distribute malware.
Kaspersky said that the links contained in these emails led to compromised websites which redirected users to a page with one of the most popular exploit kits – Blackhole. But then in October, the author of Blackhole, known as Paunch, was arrested in Russia – immediately making the kit less desirable. Kaspersky said that the arrest could thus lead to a drop in the number of malicious "news" mailings for the fourth quarter.
In terms of geography, there was little change in the leading spam sources by country in Q3. Asia remained the number one regional source of spam (56.51%). It was followed by North America (20.09%) and Western Europe (13.47%).
As in the previous quarter, Taiwan came fourth in the rating (+0.1 percentage points), followed by Russia (+1.3 percentage points), whose share increased more than 1.5 times.
“Interestingly, Russia’s growing contribution coincided with a fall in the levels of spam coming from other former Soviet republics – Belarus (–0.9 percentage points), Ukraine (–0.9 percentage points), Kazakhstan (–1.5 percentage points) – while in Q2 2013 these countries produced far more spam than Russia,” Kaspersky said.
Also, the location of botnets appears to be relatively stable, Kaspersky noted – or at least there is a lull in the active relocation of botnets.