Spam Articles - H  2020 1  2  3  4  5  6  7  8  Spam List - H  2021  2020  2019  2018  1  Spam blog  Spam blog

Spam and phishing in 2016
26.2.2017 Kaspersky Spam

The year in figures

According to Kaspersky Lab, in 2016:

The proportion of spam in email flows was 58.31%, which is 3.03 percentage points more than in 2015.
62.16% of spam emails were no more than 2 KB in size.
12.08% of spam was sent from the US.
Trojan.Win32.Bayrob was the most popular malware family distributed via email.
Germany (14.13%) was the country where email antivirus was triggered most often.
There were 154,957,897 instances of the Anti-Phishing system being triggered.
A total of 15.29% unique users were attacked by phishers.
Brazil suffered the highest number of phishing attacks, with 27.61% of the global total.
47.48% of incidents triggering the heuristic component in the Anti-Phishing system targeted clients of various financial organizations.
World events in spam

In 2016, fraudulent spam exploited the theme of major sporting events: the European Football Championship, the Olympic Games in Brazil, as well as the upcoming World Cups in 2018 and 2022. Typically, spammers send out fake notifications of lottery wins linked to one of these events. The content of the fake messages wasn’t exactly very original: the lottery was supposedly held by an official organization and the recipient’s address was randomly selected from millions of other addresses. To get their prize, the recipient had to reply to the email and provide some personal information.

With these sport-themed emails more details were often included in DOC, PDF or JPEG attachments that also contained graphic elements such as official emblems, event and sponsor logos. Messages that displayed the spam text directly in the body of the email were not very numerous. To add a bit of variety to their messages, spammers resorted to an old trick: they changed the text, the email addresses used for feedback, sender addresses, the attachment names, the size, etc. At the same, emails with the same attachment could be found in our traps on numerous occasions over a period of several months.

In the fourth quarter of 2016, spammers turned their attention to the future World Cup tournaments scheduled for 2018 and 2022. Spam traffic often included fraudulent notifications of lottery wins exploiting this theme.

The football theme was also used in malicious spam. In particular, cybercriminals sent out fake notifications with scans taken from a website that publishes news about computer games and the world of football, apparently in an attempt to arouse interest among recipients. The attached ZIP archive included a JavaScript downloader detected by Kaspersky Lab as Trojan-Downloader.Script.Generic. This malware, in turn, downloaded other malicious software to the victim’s computer.

The subject of terrorism, which has remained an important global issue in recent years, was also exploited in spam mailings. Numerous so-called Nigerian letters were sent to users on behalf of both state organization employees and individuals. The details of the stories may have differed, but the senders’ intention was the same – to get the recipient’s attention with promises of large sums of money and make them join in a conversation. Nigerian letters exploiting the tense situation in Syria remained popular in 2016 and were actively used to trick users.

Malicious spam exploiting the theme of terrorism was less common. It was used to steal personal information, organize DDoS attacks and install additional malware on victims’ computers.

Email offers from Chinese factories

In the email traffic for 2016, we often came across messages from Chinese factories and plants advertising their products. These spammers offered both finished products as well as spare parts for a variety of different spheres.

The text of a typical spam message began with an impersonal greeting to the recipient, followed by the name and surname of the factory manager. Often, the email described the merits of the company, its achievements and types of certification. The products offered by the company were either listed in the email or sent at the request of the recipient. For greater clarity, some of the emails also contained pictures of the goods on offer. At the end of the message, there were contact details (phone, mobile phone and fax numbers, email address, various messengers). Sometimes the contact details were specified in the image attached to the email.

The authors of the emails were representatives of the manufacturers, but the sender addresses were registered with both free email services and the companies’ domain names. Sometimes the messages included a company website, if the company had one.

In many countries, there was a time when small and medium-sized businesses preferred to use spam to promote their products. But users began to view this kind of advertising as undesirable, anti-spam laws were introduced, and, most importantly, new, more targeted, convenient and less intrusive advertising platforms appeared, with social networking sites prominent among them. We can only presume why Chinese businesses have not followed this trend (given that China has passed its own anti-spam law, which is one of the strictest in the world). The fact is that social networks in China are mainly internal, with global giants such as Facebook not permitted. As a result, Chinese entrepreneurs have far fewer legal means of entering the international market.

A year of ransomware in spam

In 2016, we recorded a huge amount of malicious spam. In previous years, Fraud.gen was the program most often used in malicious attachments. It appears in the form of an HTML page and is designed to steal the victim’s credit card data. In 2016, the absolute leaders in spam were Trojan downloaders that download ransomware to the victim’s computer. The most popular were mass spam mailings sent out to infect user computers with the Locky encryptor. However, other ransomware such as Petya, Cryakl and Shade were also widespread.

The number of malicious programs began to increase in December 2015 and continued to grow in waves throughout the year. The sharp falls were mainly caused by the fact that cybercriminals temporarily disabled the Necurs botnet, responsible for the majority of spam spreading Locky. Once the botnet was up and running again, the cybercriminals changed the spam templates.

Quantity of malicious emails in spam, 2016

In 2016, the Anti-Phishing system was triggered 239,979,660 times on the computers of Kaspersky Lab users, which is four times more than the previous year.

Such extensive use of ransomware may be due to the availability of this sort of malware on the black market. Currently, cybercriminals can not only rent a botnet to send out spam but also connect to so-called Ransomware-as-a-Service. This means that the attacker may not be a hacker in the traditional sense, and may not even know how to code.

Malicious spam messages often imitated personal correspondence, prompting recipients to view attached documents under various pretexts. Cybercriminals also sent out fake bills, or receipt notifications or even messages from office equipment with scanned documents allegedly attached.

Both examples above contain an attachment in the form of a malicious file with a .wsf extension, detected by Kaspersky Lab as Trojan-Downloader.JS.Agent.myd. The malicious file is written in JavaScript and downloads a Locky encryptor modification to the victim’s machine.

This screenshot shows an attachment containing a malicious file with a .jse extension, detected by Kaspersky Lab as Trojan-Downloader.JS.Cryptoload.auk. This is yet another malicious file written in JavaScript that downloads a Locky encryptor modification to the victim’s machine.

Overall, a wide variety of malicious attachments were used. As a rule, these were archives containing programs written in Java and JavaScript (JS files, JAR, WSF, WRN, and others), but there were also office documents with macros (DOC, DOCX, XLS, RTF) as well as classic executable files (EXE). Sometimes rare archive formats such as CAB were used.

When launched, ransomware programs encrypt the data on a user’s computer and demand a ransom (usually in bitcoins via the Tor network). More details about these programs can be found in our report Kaspersky Security Bulletin 2016. The ransomware revolution.

Spammer tricks

Adding ‘noise’ to text

To make each email unique, spammers insert random sequences of characters in their messages that are invisible to the user. This trick is not new, but spammers continue to use it, perfecting their methods. Below we describe the most popular tricks of 2016 used by spammers to add ‘noise’. All the examples below are taken from real-life spam messages.

Small letters and/or white text.

The easiest and oldest trick: the text can be written in white font (ffffff – 16 hexadecimal code written in white).

In this example, the random sequence of letters written in very small print and in white are arranged between words of a standard size in the sentence “You have received a £500”.

Text that is not displayed.

With the help of the attribute style = “display: none;” text in an email is simply not displayed. In standard situations, this tag is used in rough drafts, for example. When it comes to spam, these tags, containing random text, are inserted in messages in large quantities and if the anti-spam filter is not set up to process such tags, the text of an email practically disappears.

The same effect can be achieved by inserting a random sequence written in zero font:

Placing text outside the screen range.

Yet another way to make junk text invisible to the user is to write it in standard font, but insert it in parts of the email that are beyond the screen frame (to the extreme left or right, or below the main part):

Using tags that by default are not visible to users.

Sometimes random text is inserted in tags that are not designed to display text to the user. Typically, comment tags are used, though there are other examples:

The content of the <noscript> tag is only displayed on computers with unsupported or disabled scripts, so most users will not see it.

Using tags to add noise

Rather than using random sequences of characters that are made invisible, sometimes text is obfuscated with tags that have no value and cannot be interpreted:

The number of these sorts of tags in some spam emails can be in the hundreds.

Sometimes a very random sequence is inserted inside a tag as its attribute, rather than between specific tags:

This attribute will, of course, not be interpreted either and will not be displayed in the email that the user sees.

Masking links

There may be numerous ways of altering text in an email, but when it comes to URLs in spam messages, the situation is different. There can be lots of URLs in a single mass mailing (even reaching into the thousands), but they are subject to more limitations, as spammers have to pay for the purchase of each domain. However, attackers have come up with different techniques to make each link unique while also ensuring it opens correctly when clicked.

Obfuscation of domains using the UTF range:

In last year’s report we described some spammer tricks that involved different ways of expressing domain names and IP addresses. The trend for writing domain names using symbols from different UTF ranges and using different numerical systems for IP addresses continued in 2016.

Especially popular with spammers were mathematical alphanumeric symbols. For example:

Domain written using mathematical bold script.

Domain written using mathematical monospace small.

The range is designed for specific mathematical formulas and must not be used in plain text or hyperlinks.

Mixing encodings

The above trick was diversified by mixing encodings: spammers use the Latin alphabet in Unicode to write some of the domain characters, while the rest are written using characters from special URL-encoded ranges.

The domain from the example above is first changed to:

and then to server119.bullten.org.

URL shortening services with added noise

In addition to the various ways of writing the actual spammer site, from time to time cybercriminals use another trick to avoid mentioning the site directly in an email. This involves the use of URL shortening services and redirects. In 2016, spammers also resorted to a variety of other methods to add noise to each URL.

They inserted characters, slashes and dots between the URL shortening service and the actual link identifier (the meaningful part is marked in bold; the rest is noise):

Sometimes comment tags end up there:

To deceive filters further, the names of different, usually well-known, sites are inserted in the noise part:

All these parts will be dropped when the link is clicked.

Yet another way to obfuscate a link is to add non-existent parameters to the end of the link:

Everything that comes after the question mark in the link is not actually part of the URL – these characters are, in fact, parameters. The parameters can include a variety of information: for example, the unsubscribe link often contains the email address that needs to be entered in the unsubscribe form. However, URL shortening services, like many other sites, do not require or accept any parameters, so this part of the URL is simply dropped during the redirect process. Spammers take advantage of this and insert random sequences of parameters. In this particular case, the .pdf extension is added to the end of the parameters. This is not done to confuse the filters but rather the user, who is likely to think the link leads to a PDF file.

Prefixes

As well as parameters that can be added to the end of a link, noise elements can also be added to the beginning. These elements may include symbols that are ignored by the link interpreter when a redirect occurs, for example:

(In this example, in addition to the noise at the beginning of the link and nonexistent parameters at the end, the link itself is an IP address written partially in octal and partially in hexadecimal encoding.)

The most common technique for adding noise at the beginning of a link is to use the @ symbol. The @ symbol inserted before the domain can be utilized to identify the user in the domain (something that is no longer really applied these days). For sites that do not require identification, everything that comes before @ will simply be ignored by the browser.

The symbol is useful for spammers because it allows them not only to add noise to the link but also to make it look more trustworthy to the user by specifying a well-known site before the @ symbol.

Masked redirects

Redirects have long been used by spammers to hide the main domain. We have already written about this in some detail. In 2016, the redirect methods used were not that diverse, but links with redirects were also obfuscated. The methods used were the same as those used with URL shortening services: the @ symbol, parameters and additional characters.

Cybercriminals often used several techniques at once – concealing and obfuscating the original link:

In the example below, the name of the site used to distract the user’s attention comes before the @ symbol, followed by the redirect to the URL shortening service (which is also just noise with several @ symbols), and it is only from this part that the user will get to the spammer’s site.

Statistics

Proportion of spam in email traffic

In 2016, the proportion of spam in email traffic was 58.31%, which is 3.03 percentage points higher than the previous year.

The proportion of spam in email traffic, 2016

The lowest volume – 54.61% – was registered in February of 2016. After that, the proportion of spam grew steadily and reached a peak by the end of the year – 61.66% in November.

Interestingly, the last time there was an annual increase in the proportion of spam in email traffic was eight years ago. Since then, the percentage of spam has fallen continuously from its peak of 85.2% in 2009, to 55.28% in 2015. We believe this was due to legitimate small and medium-sized businesses gradually phasing out their use of spam, turning instead to legal advertising platforms.

The proportion of spam in global email traffic, 2009-2016

This downward trend may now have come to a halt because all those who wanted to or could refrain from using spammer services have, for the most part, already done so. This slight growth is the result of a sharp increase in spam containing malicious attachments.

Sources of spam by country

Sources of spam by country, 2016

In 2016, the top three sources of spam saw some changes: India climbed to third place with 10.15% due to a substantial growth in the volume of spam distributed (+7.19 p.p.). Such a dramatic increase may have been caused by botnets being organized in the region. Vietnam (10.32%) added 4.19 p.p. to its share and also moved up the rankings to second place. The US (12.08%) remained the clear leader despite a decrease of 3.08 p.p.

China’s share (4.66%) fell by 1.46 p.p., though it remained in fourth. Following close behind were two Latin American countries – Mexico (4.40%) and Brazil (4.01%). Russia (3.53%), among the top three in 2015, ranked seventh in 2016 after seeing a 2.62 p.p. decrease in its share of distributed spam.

France (3.39%, +0.22 p.p.) and Germany (3.21%, -1.03 p.p.) came eighth and ninth respectively. Turkey rounded off the Top 10 with a share of 2.29%, which is 0.34 p.p. more than in 2015.

The size of spam emails

The proportion of super-short spam emails (under 2 KB) dropped in 2016 and averaged 62.16%. This is 16.97 p.p. lower than in the previous year. The share of emails sized 2-5 KB also fell to 4.70%.

The size of spam emails in 2016

Meanwhile, the proportion of bigger emails increased considerably: 5-10 KB (6.15%), 10-20 KB (14.47%) and 20-50 KB (10.08%). It means that 2016 saw a trend towards fewer super-short spam emails and more emails of average size – from 5-50 KB. This was caused by a sharp increase in the proportion of spam with malicious attachments.

Malicious attachments in email

Malware families

TOP 10 malware families, 2016

In 2016, Trojan-Downloader.JS.Agent was the most widespread malware family. A typical representative of this malware family is an obfuscated Java script using ADODB.Stream technology to download and run DLL, EXE and PDF files.

The Trojan-Downloader.VBS.Agent family occupied second place. They are VBS scripts utilizing ADODB.Stream technology to download ZIP archives and run software extracted from them.

In third place was Trojan-Downloader.MSWord.Agent. These malicious programs are DOC files with an embedded macro written in Visual Basic for Applications (VBA) that runs when the document is opened. The macro downloads another malicious file from a malicious site and runs it on the user’s computer.

Trojan-Downloader.JS.Cryptoload in fourth is a malware family whose representatives are an obfuscated JavaScript that downloads and runs encryptors.

Trojan.Win32.Bayrob rounded off the top five. The malicious programs from this Trojan family can download and run additional modules from the command server, as well as act as a proxy server. They are used to send out spam and steal personal data.

The Trojan-PSW.Win32.Fareit family came sixth. These malicious programs are designed to steal data, such as the credentials of FTP clients installed on the infected computer, login details for cloud storage, cookie files in browsers, email passwords. Fareit Trojans send the collected information to a malicious server. Some members of the family are able to download and run other malware.

The representatives of the Trojan-Downloader.JS.SLoad family in seventh are JS scripts that download and run other malware, mostly encryptors, on the victim computer.

Eighth place was taken by the Trojan.Java.Agent family. The malicious programs of this family are written in Java and have the JAR extension. These applications exploit vulnerabilities in Sun Java Runtime and can delete, block, modify or copy data, as well as download and run other malware.

Ninth place was occupied by Backdoor.Win32.Androm. This malware belongs to the family of Andromeda/Gamarue universal modular bots. Key features of these bots include the ability to download, store and run a malicious executable file, download and boot a malicious DLL (without saving it to disk), and update and delete itself. The bot functionality is extended with the help of plugins that can be uploaded by the intruders at any time.

Completing the Top 10 is the Worm.Win32.WBVB family. It includes executable files written in Visual Basic 6 (both in P-code and Native mode) that are not trusted by KSN.

Countries targeted by malicious mailshots

Distribution of email antivirus verdicts by country, 2016

In 2016, Germany (14.13%) remained in first place, despite a decrease of 4.93 p.p. Second and third were occupied by countries from the Asia-Pacific region – Japan (7.59%) and China (7.32%) – that were both outside the Top 10 in 2015.

Russia (5.6%), which was third in the previous year’s rating, came fourth in 2016 after the proportion of email antivirus detections in the country decreased by 0.7 p.p. It was followed by Italy (5.44%), the UK (5.17%) and Brazil (4.99%), which also dropped out of the top three.

The US came eighth, accounting for 4.03% of email antivirus detections, 0.89 p.p. less than the previous year.

Austria (2.35%) rounded off the Top 10 with an increase of 0.93 p.p.

Phishing

In 2016, the Anti-Phishing system was triggered 154,957,897 times on the computers of Kaspersky Lab users. That is 6,562,451 more times than in 2015. Overall, 15.29% of our users were targeted by phishers.

Hot topics of the year

Phishers, predictably, could not pass up the most high-profile event of the year – the Olympic Games in Brazil. The scammers targeted both the organizers of the Olympic Games and ordinary netizens who received fake notifications of lottery wins, allegedly organized by the Brazilian government and the Olympic Committee.

The US presidential elections were also seen as a good media event for phishers. This theme was exploited to mislead internet users not only in the US but also in other countries.

Yet another interesting theme that became the subject of a dedicated study was holiday season sales. Scammers took advantage of the busy shopping period in the run-up to the festive season by creating fake websites of payment systems and online stores and luring potential victims by promising generous discounts.

A fake online store page

In addition, the holiday season itself often becomes an excellent cover for the fraudsters. For example, they may ask users to update their account information prior to the New Year.

Phishing page exploiting the New Year theme in the subdomain name

Methods of distributing phishing content

In 2016, cybercriminals used all possible means to reach users and make them pass on confidential information or money: social networks, pop-up ads, banners, text messages.

Among the most interesting methods were scams involving services for buying and selling used items. Cybercriminals collected phone numbers from ads placed on these services and then sent text messages to the numbers offering something in exchange at an extra cost. The message contained a link allegedly leading to a photo of the item on offer, but which actually led the victim to a phishing page.

Fraudsters often exploit social networks, and it is not restricted to personal messages. In 2016, many Facebook users around the world, for instance, were prompted to install a malicious extension for their browser, when they were added to a post containing a phishing link that supposedly led to a provocative video.

In Europe, the most widespread malicious extension was ‘xic. graphics’. It was soon removed from an online store, but according to the available whois information, over 50 other domains were registered in the name of the owners of the domain that hosted the fake page. Those domains were probably used for similar purposes.

Phisher tricks: referrer cleaner services

In Q4 2016, scammers showed a tendency to use referrer cleaner services. The victim was sent an email on behalf of a well-known company containing a link whose parameters included the address of the victim.

After clicking the URL, the user is taken to a page that shows a 302 error and then redirects the user to the address of a referrer cleaner service, which in turn redirects them to the legitimate website of a bank.

http://nullrefer.com/?https://www.cartalis.it/cartalis/prepagata/index.jsp

This way the user does not know that they have received a phishing email, while the bank does not receive a phishing domain in its referrers. At the same time, the phishers get confirmation that the user clicked on the link, which means that in future they will be able to send them more phishing emails, for example, in order to steal credit card data. In this way, the attackers ‘cleanse’ their databases of unused email addresses and vigilant recipients. They also detect clients of the bank whose name was used in the emails, allowing them to make their mass mailings more targeted.

The geography of attacks

Top 10 countries by percentage of attacked users

Brazil had the highest proportion of users subjected to phishing attacks (27.61%), a 5.98 p.p. increase on the previous year.

The percentage of users on whose computers the Anti-Phishing system was triggered out of the total number of Kaspersky Lab users in the country, 2016

In Brazil, we see lots of attacks targeting users of banks and online stores, so it is not surprising that the country often leads in the rating of countries with the highest proportion of users subjected to phishing attacks.

Phishers often place fake pages on the servers of government bodies in Brazil. This is one of the methods used to prevent phishing URLs from ending up on blacklists. It also enhances the credibility in the eyes of the victim. In 2016, we registered 1,043 such cases.

Fake page on the gov.br domain

Top 10 countries by percentage of attacked users

Country %
Brazil 27.61
China 22.84
Australia 20.07
Japan 19.16
Algeria 17.82
Russia 17.16
United Kingdom 16.64
Canada 16.03
United Arab Emirates 15.54
Saudi Arabia 15.39
China was second in this rating (22.84%). It didn’t make the Top 10 in 2015, but added 5.87 p.p. to its share in 2016. Australia (20.07%), which was seventh last year, came third following an increase of 2.39 p.p. Apart from Saudi Arabia (+ 4.9 p.p.), the shares of the other Top 10 countries barely changed.

The distribution of attacks by country

Russia (16.12%, +1.68 p.p.) topped the rating of countries where the Anti-Phishing system was trigged most often (out of the total number of the Anti-Phishing system detections around the world in 2016)

Distribution of Anti-Phishing system component detections by country, 2016

As in 2015, Brazil (8.77%) came second behind Russia, although its growth was negligible. The US added 0.5 p.p. (8.01%), which was enough to push India (6.01%) down to fourth. The top five also included China (7.86%).

Organizations under attack

The statistics on organizations used in phishing attacks are based on the triggering of the heuristic component in the Anti-Phishing system. The heuristic component is triggered when a user tries to follow a link to a phishing page and there is no information about the page in Kaspersky Lab’s databases.

Organizations under attack by category

In the second half of 2016, the proportion of phishing attacks targeting customers of financial institutions increased significantly (44.16% in the first quarter vs 48.14% in Q4). We have been following this growth over the last few years: in 2014, the average figure for the year was 28.74%; in 2015, it was 34.33%; and it was 47.47% in 2016.

In 2016, we saw significant growth in the proportion of phishing attacks on organizations belonging to the ‘Banks’ category (25.76%, + 8.31 p.p.). Of particular note was the increase in the percentage of targeted organizations in the ‘Online stores’ (10.17%, +1.09 p.p.) and ‘Payment systems’ (11.55%, +3.75 p.p.) categories.

Distribution of organizations subject to phishing attacks by category, 2016

At the same time, the share of the main categories decreased. For instance, the ‘Global Internet portals’ category (24.10%) lost 7.77 p.p. while the share of ‘Social networking sites’ (10.91%) fell by 5.49 p.p.

Overall, the priorities of the phishing scammers have not changed over the years. Attacks primarily exploit the names of popular brands, whose clients are numerous and likely to bring maximum financial profit.

Another priority is attacks that could lead to the acquisition of confidential information and, subsequently, money. For example, some portals from the ‘Global Internet portals’ category (Google, Yahoo!, Microsoft (live.com), etc.) use the same account to access multiple services. A successful phishing campaign can therefore give fraudsters access to several of the victim’s accounts.

Phishing page to attack Google users

Top 3 attacked organizations

Organization % of detected phishing links
Yahoo! 7.84
Facebook 7.13
Microsoft Corporation 6.98
Yahoo! (7.84%) again topped the ranking of organizations used by fraudsters to mask their attacks, although the proportion of Anti-Phishing system detections of fake pages mentioning this brand declined considerably in 2016 – by 6.86 p.p. (vs 10 p.p. in 2015). It is clear that the company is actively fighting phishing attacks, for example, by registering obfuscated domains in its own name (yshoogames.com, ypyahoo.com.cn, yhoonews.com, yhoooo.com, yayoo.com, yahou.com). However, phishers often place their content on legitimate sites (without the owners being aware of it) rather than create phishing domains.

Example of a web page using the Yahoo! brand

Second in popularity with the fraudsters was Facebook (7.13%). Over the year its share decreased by 2.38 p.p.

In 2016, we came across both classic phishing pages imitating the Facebook login page and various pages designed to steal data. One popular way of luring a victim is to promise them access to age-restricted content after entering their username and password, i.e., logging in to the system.

To increase the chances of hitting their target, mass phishing campaigns use the names of the most popular brands. Since these brands are often international, the attacks target users around the world. Naturally, phishing messages are written in many languages. One phisher trick was described in our report Spam and phishing in Q3 2016. By using information about the IP address of a potential victim, phishers determine the country in which they are located. Cybercriminals will then display pages in the language of the country that is identified.

Third place in our Top 3 was occupied by Microsoft (6.98%). Using this brand to hide their attacks, fraudsters often try to steal data from user accounts on the live.com portal. They tend to use pages imitating the login page of the company’s email service.

There are also other schemes, such as simulation of account verification:

Conclusions and forecasts

2016 saw a variety of changes in spam flows, with the increase in the number of malicious mass mailings containing ransomware being the most significant. These programs are readily available on the black market, and in 2017 the volume of malicious spam is unlikely to fall.

Spam became very popular with small and medium businesses in China in 2016. One possible reason for this is the Great Firewall of China, which makes it difficult for Chinese businesses to use legal international platforms for advertising.

Of all the techniques used by spammers in 2016, the various ways of adding noise to text and links with the help of HTML capabilities are worth noting. This is nothing new, but spammers are constantly coming up with new types of obfuscation, and they will obviously continue to do so in the future.

The proportion of spam in email traffic was 58.31%, which is 3.03 p.p. higher than 2015. This was the first registered growth since 2009 – this was partially down to the surge in malicious spam.

For several years in a row, the number of fraudulent schemes targeting clients of financial institutions has been increasing, and we expect this trend to continue. The attacks are becoming more versatile: the fraudulent pages adapt to the user and display information in the local language as well as other relevant data.

The methods for distributing fraudulent pages have gone far beyond the scope of email. Cybercriminals are using all available means to contact potential victims: text messages, advertising or social networks. The latter are not only a good channel of communication but also a useful resource helping intruders gather information to carry out a more effective attack on users.

Spam Rises Amid Lower Exploit Kit Activity in 2016: Cisco

1.2.2017 securityweek Spam
Spam messages accounted for 65% of overall email in 2016, with 8-10% of spam considered malicious, a recent report from Cisco reveals.

According to the Cisco 2017 Annual Cybersecurity Report (PDF), activity of the Necurs botnet, which has been distributing the Locky ransomware and Dridex banking Trojan, is driving spam volume up. In fact, data from the Composite Blocking List (CBL), a DNS-based “blackhole list” of suspected spam-sending computer infections, shows that spam volume is close to the record-high levels seen in 2010.

Citing data from the SpamCop Block List (SCBL), Cisco explained that Necurs’ activity has generated spikes in the number of IP addresses associated with spam. Because the botnet’s operators use an address for only 2-3 days in a row but then stop using it for weeks, researchers have a hard time responding to spam attacks.

In October, 75% of spam had malicious attachments, with Necurs responsible for most of it. As attackers are experimenting with various attachment types to ensure they can avoid detection, .docm, JavaScript, .wsf, and .hta files emerged as popular among spammers. In July, .wsf accounted for 22% of malicious attachments, while .docm accounted for 8% of them. Last week, Google decided to block JavaScript attachments in Gmail.

Attackers are also using different types of spam attacks to circumvent defenses, with "hailstorm" and "snowshoe" attack emerging as a popular methodd last year. A hailstorm spam attack usually involves the sending of a massive amount of spam from a single IP address in a short period of time, so that defenders don’t have enough time to react, while snowshoe attacks rely on keeping spam volumes low enough to fly under radar.

In addition to malicious spam, adware that packs nefarious behavior represents yet another risk organizations are facing. Legitimate adware is meant to download or display advertisements through redirections, pop-ups, and ad injections, but cybercriminals are using adware to facilitate other malware campaigns, such as DNSChanger malware, in addition to injecting ads.

According to a Cisco investigation that took place between November 2015 and November 2016, 75% of a set of 130 organizations across verticals faced adware infections. These included ad injectors (usually residing in the browser), browser-settings hijackers, utilities (web applications that supposedly offer a useful service to users, such as PC optimization, but which turn to be scams in many cases), and downloaders (adware that can deliver toolbars or other software).

Adware that evolved into Potentially Unwanted Programs has been already said to be putting enterprise data at risk, but Cisco believes that all adware can place users and organizations at risk for malicious activity. “Security teams must recognize the threat that adware infections pose and make sure that users in the organization are fully aware of the risks,” Cisco notes.

Malvertising was yet another issue for both users and companies, as malvertising activity jumped132% last year, a recent report from RiskIQ reveals. According to Cisco, attackers recently started using brokers (also known as gates) to ensure they can switch quickly from one malicious server to another without changing the initial redirection. Malvertising is one of the primary means for redirecting users to exploit kits (in addition to compromised websites) with one long-standing malvertising campaign being ShadowGate, which emerged in 2015.

“Even though ShadowGate saw a high volume of web traffic, only a tiny fraction of interactions led to a user being directed to an exploit kit. The malicious ads were mostly impressions—ads that render on the page and require no user interaction. This online advertising model allowed the actors responsible for ShadowGate to operate their campaign more cost-effectively,” Cisco notes.

Initially, ShadowGate was redirecting to the Angler exploit kit (EK) only, but it switched to Neutrino after the toolkit disappeared in the summer of 2016. Angler’s disappearance was tied to the Lurk gang arrests and resulted in a 96% decrease in EK activity. The second largest EK a year ago, Nuclear, had disappeared a month before Angler, while Neutrino abruptly ceased operations in September.

These changes resulted in a massive overall decrease in exploit kit landing page blocks, from 7407 in March to 1051 in November (the number dropped below 1000 in September). Flash vulnerabilities remained the most popular in EKs in 2016, with Internet Explorer and Silverlight bugs also targeted by attackers.

However, with Flash being used less and less on websites and with major browsers turning it off by default, EKs and other types of threats are seeing a decrease in the available viable options. Java and PDF Internet traffic experienced notable declines in 2016, while Silverlight traffic is so low that “is not worthwhile for threat researchers to track regularly,” Cisco notes.

However, adversaries have a large array of tools to take advantage of when conducting their attacks, including social engineering, malware injections in legitimate ads, lapses in patching and updating, middleware vulnerabilities, malicious spam, and more. Internet traffic is growing, largely driven by faster mobile speeds and the proliferation of online devices, and attackers are taking advantage of this, because it expands their attack surface.

“Reducing—and ideally, eliminating—the unconstrained operational space of adversaries, and making attackers’ presence known, must be top priorities for defenders. The reality is that no one can stop all attacks, or protect everything that can and should be protected. But if you focus on closing the operational space that cybercriminals must have for their campaigns to be effective and profitable, you can prevent them from reaching critical systems and data without entirely evading detection,” Cisco says.

Machine learning versus spam
26.1.2017 Kaspersky Spam
Machine learning methods are often presented by developers of security solutions as a silver bullet, or a magic catch-all technology that will protect users from a huge range of threats. But just how justified are these claims? Unless explanations are provided as to where and how exactly these technologies are used, these assertions appear to be little more than a marketing ploy.

For many years, machine learning technology has been a working component of Kaspersky Lab’s security products, and our firm belief is that they must not be seen as a super technology capable of combating all threats. Yes, they are a highly effective protection tool, but just one tool among many. My colleague Alexey Malanov even made the point of writing an article on the Myths about machine learning in cybersecurity.

At Kaspersky Lab, machine learning can be found in a number of different areas, especially when dealing with the interesting task of spam detection. This particular task is in fact much more challenging than it appears to be at first glance. A spam filter’s job is not only to detect and filter out all messages with undesired content but, more importantly, it has to ensure all legitimate messages are delivered to the recipient. In other words, type I errors, or so-called false positives, need to be kept to a minimum.

Another aspect that should not be forgotten is that the spam detection system needs to respond quickly. It must work pretty much instantaneously; otherwise, it will hinder the normal exchange of email traffic.

A graphic representation can be provided in a project management triangle, only in our case the three corners represent speed, absence of false positives, and the quality of spam detection; no compromise is possible on any of these three. If we were to go to extremes, for example, spam could be filtered manually – this would provide 100% effectiveness, but minimal speed. In another extreme case, very rigid rules could be imposed, so no email messages whatsoever would pass – the recipient would receive no spam and no legitimate messages. Yet another approach would be to filter out only known spam; in that case, some spam messages would still reach the recipient. To find the right balance inside the triangle, we use machine learning technologies, part of which is an algorithm enabling the classifier to pass prompt and error-free verdicts for every email message.

How is this algorithm built? Obviously, it requires data as input. However, before data is fed into the classifier, is must be cleansed of any ‘noise’, which is yet another problem that needs to be solved. The greatest challenge about spam filtration is that different people may have different criteria for deciding which messages are valid, and which are spam. One user may see sales promotion messages as outright spam, while another may consider them potentially useful. A message of this kind creates noise and thus complicates the process of building a quality machine learning algorithm. Using the language of statistics, there may be so-called outlier values in the dataset, i.e., values that are dramatically different from the rest of the data. To address this problem, we implemented automatic outlier filtration, based on the Isolation Forest algorithm customized for this purpose. Naturally, this removes only some of the noise data, but has already made life much easier for our algorithms.

After this, we obtain data that is practically ‘clean’. The next task is to convert the data into a format that the classifier can understand, i.e., into a set of identifiers, or features. Three of the main types of features used in our classifier are:

Text features – fragments of text that often occur in spam messages. After preprocessing, these can be used as fairly stable features.
Expert features – features based on expert knowledge accumulated over many years in our databases. They may be related to domains, the frequency of headers, etc.
Raw features. Perhaps the most difficult to understand. We use parts of the message in their raw form to identify features that we have not yet factored in. The message text is either transformed using word embedding or reduced to the Bag-of-Words model (i.e., formed into a multiset of words which does not account for grammar and word order), and then passed to the classifier, which autonomously identifies features.
All these features and their combinations will help us in the final stage – the launch of the classifier.

What we eventually want to see is a system that produces a minimum of false positives, works fast and achieves its principal aim – filtering out spam. To do this, we build a complex of classifiers, and it is unique for each set of features. For example, the best results for expert features were demonstrated by gradient boosting – the sequential building up of a composition of machine learning algorithms, in which each subsequent algorithm aims to compensate for the shortcomings of all previous algorithms. Unsurprisingly, boosting has demonstrated good results in solving a broad range of problems involving numerical and category features. As a result, the verdicts of all classifiers are integrated, and the system produces a final verdict.

Our technologies also take into account potential problems such as over-training, i.e., a situation when an algorithm works well with a training data sample, but is ineffective with a test sample. To preclude this sort of problem from occurring, the parameters of classification algorithms are selected automatically, with the help of a Random Search algorithm.

This is a general overview of how we use machine learning to combat spam. To see how effective this method is, it is best to view the results of independent testing.

Warning: Beware of Post-Election Phishing Emails Targeting NGOs and Think Tanks
11.11.2016 thehackernews Spam
Just a few hours after Donald Trump won the 2016 US Presidential Election, a hacking group launched a wave of cyber attacks targeting U.S.-based policy think-tanks with a new spear phishing campaign designed to fool victims into installing malware.
The group of nation-state hackers, also known as Cozy Bear, APT29, and CozyDuke, is the one of those involved in the recent data breach of the Democratic National Committee (DNC) and is allegedly tied to the Russian government.
On Wednesday, the hackers sent a series of phishing emails to dozens of targets associated with non-governmental organizations (NGOs), policy think tanks in the US and even inside the US government, said security firm Volexity.
Phishing Attacks Powered by 'PowerDuke' Malware
spear-phishing-attack-examples
The phishing emails were sent from purpose-built Gmail accounts and other compromised email accounts at Harvard University's Faculty of Arts and Sciences (FAS), trying to trick victims into opening tainted attachments containing malware and clicking on malicious links.
Once this was done, the phishing e-mail dropped a new variant of Backdoor malware, dubbed "PowerDuke," giving attackers remote access to the compromised systems.
PowerDuke is an extremely sophisticated piece of malware in both its way of infecting people as well as concealing its presence.
Besides making use of wide variety of approaches, PowerDuke uses steganography to hide its backdoor code in PNG files.
The firm spotted and reported at least five waves of phishing attacks targeting people who work for organizations, including Radio Free Europe/Radio Liberty, the RAND Corporation, the Atlantic Council, and the State Department, among others.
"Three of the five attack waves contained links to download files from domains that the attackers appear to have control over," the firm said in a blog post. "The other two attacks contained documents with malicious macros embedded within them. Each of these different attack waves was slightly different from one another."
Beware of Post-Election Themed Phishing Emails
spear-phishing-attack
All the phishing emails were election-themed. Why?
After Trump won the US presidential election, half of America, as well as people across the world, mourning the result was curious to know about the victory of Trump.
People even started searching on Google: How did Donald Trump win the US presidential election?, Were the election flawed? Why did Hillary Clinton lose?
Hackers took advantage of this curiosity to target victims, especially those who worked with the United States government and were much more concerned about Trump's victory.
Two of the emails claimed to have come from the Clinton Foundation giving insight of the elections, two others purported to be documents pertaining to the election's outcome being revised or rigged, and the last one offered a link to a PDF download on 'Why American Elections Are Flawed.'
The emails were sent using the real email address of a professor at Harvard, which indicates that the hackers likely hacked the professor's email and then used his account to send out the phishing emails.
The emails either contained malicious links to .ZIP files or included malicious Windows shortcut files linked to a "clean" Rich Text Format document and a PowerShell script.
Once clicked, the script installed PowerDuke on a victim's computer that could allow attackers to examine and control the target system. The malware has the capability to secretly download additional malicious files and evade detection from antivirus products.
Security firm CrowdStrike claimed in June 2016 that the hacking team Cozy Bear has previously hacked into networks belonging to the White House, State Department, and the United States Joint Chiefs of Staff.

Crooks earned at least $1.35m with spamming campaigns
31.10.2016 securityaffairs Spam

Authorities identified a man in Florida that powered spamming campaigns abusing an army of corporate servers and private email accounts.
Spam is still a profitable business for crooks and to give you an idea of how the cyber criminals work let share with you the story of the leader of a spamming gang.

Timothy Livingston (31), from Fort Lauderdale, Florida, used an army of corporate servers and private email accounts to send out spam messages. He has pled guilty to charges of computer hacking and identity theft, the man with two other accomplices was running A Whole Lot of Nothing (AWLN), LLC.

The company was used as a front for illegal activities of suspects, it earned hundreds of thousands of dollars between January 2012 and June 2015 by powering spamming campaigns for illicit drugs.

According to court documents, Livingston was charging advertisers between $5 and $9 for every spam email that resulted in a sale of an illegal product.

“Defendant TIMOTHY LIVINGSTON, a/k/a “Mark Loyd,” resided in or around Fort Lauderdale, Florida, and was the sole owner ofA Whole Lot of Nothing LLC (“AWLN”), a company that sent unsolicited emails in bulk (or “spam”) on behalf of its customers for a fee. Defendant LIVINGSTON was the organizer and leader of the computer hacking and illegal spamming schemes described herein.” reads the court documents.

Livingston confirmed to have hired the developer Tomasz Chmielarz (33) to write spamming code used in the campaign evading spam filters. Chmielarz, in reality, made much more, he also hacked into corporate servers and use them to power spamming campaigns.

“Defendant TOMASZ CHMIELARZ resided in or around Clifton, New Jersey, and was a computer programmer. Among other things, defendant CHMIELARZ authored the hacking tools and other programs used to facilitate the computer hacking and illegal spamming schemes described herein.” continues the court documents.

When law enforcement arrested Livingston found more than 50 million email addresses in a database used for spamming campaigns.

In the story, there is also a third person, Devin James McArthur, who worked for Comcast and contributed to the peopling of the spam archive with more than 24.5 million email addresses from his company.

McArthur collaborated with other two crooks to collect more data from other companies. that have pled guilty to the scam in June.

According to the Department of Justice (DoJ), Livingston has agreed to return illicit funds earned by his company in spamming campaigns.

“In connection with his plea agreement, Livingston consented to the entry of a forfeiture money judgment in the amount of $1,346,442, as well as the forfeiture of property obtained using illegal proceeds from the scheme, including a 2009 Cadillac Escalade and a 2006 Ferrari F430 Spider.” reported the DoJ.

Among the goods confiscated to Livingston, there are a 2009 Cadillac Escalade and a 2006 Ferrari F430 Spider.

Do you still think that spam is not very profitable?

Symantec observed a surge of spam emails using malicious WSF files
16.10.2016 securityaffairs Spam

Symantec observed a significant increase in the number of email-based attacks using malicious Windows Script File (WSF) attachments.
Experts from Symantec are observing a significant increase in the number of email-based attacks leveraging malicious Windows Script File (WSF) attachments. Over the past three months, threat actors have adopted the tactic in the wild, mostly criminal organizations behind ransomware campaign.

“In the past two weeks, Symantec has blocked a number of major campaigns distributing Locky (Ransom.Locky) which involved malicious WSF files.” reads a blog post from Symantec.

A Windows Script File (WSF) is a file type that allows mixing the scripting languages, such as Pyton, JScript and VBScript within a single file.

WSF files are opened and executed by the Windows Script Host (WSH), they can be launched like a common executable file.

Symantec highlighted that .wsf files are not automatically blocked by some email clients. Threat actors used malicious Windows Script File files in a number of recent major spam campaigns spreading ransomware link Locky.

Symantec blocked more than 1.3 million emails bearing the subject line “Travel Itinerary” between October 3 and 4. In this campaign, hackers leveraged on malicious emails purported to come from a major airline that came with Windows Script File file within a .zip archive.

Symantec added that on October 5, the same threat actor launched a new massive spam campaign with the subject line “complaint letter.”

“Symantec blocked more than 918,000 of these emails. The email purported to come from someone representing a client who was making a complaint “regarding the data file you provided.” Once again, the emails came with an attachment that consisted of a WSF file within a .zip archive. If the WSF file was allowed to run, Locky was installed on the victim’s computer.” added Symantec.

Experts from Symantec believe that the used of .WSF file is a broader trend, the number of emails being blocked containing this kind of malicious attachments is increased in the last months as reported in the following graph.

“From just over 22,000 in June, the figure shot up to more than 2 million in July. September was a record month, with more than 2.2 million emails blocked.” reads the post from Symantec.

Threat actors in the wild often adopt new tactics frequently changing the format of the malicious attachments for their campaigns to avoid detection.

Italian security firm spotted BadEpilogue: The Perfect Evasion
21.9.2016 securityaffairs Spam

Security firm Certego has been detecting multiple viral spam campaigns leveraging a new malware evasion technique it called BadEpilogue.
Starting from May 2016, Certego Threat Intelligence platform has been detecting multiple viral spam campaigns using a new evasion technique. These attacks are able to hide malicious attachments inside a specific area of the MIME/Multipart structure and to avoid Content Filtering controls.

Certego has verified that some of the most common email clients and web mail services, using a different way of rendering the MIME/Multipart structure, are able to identify and extract the attachment, resulting in a Malware Evasion technique that we called BadEpilogue.

The picture shows a snippet of the source of a malicious email message using BadEpilogue evasion technique.

badepilogue-campaign-malware-1

Rows from 53 to 57 contain the end of the HTML message, while the attachment is located within an area that RFC2046 defines as Epilogue of a MIME/Multipart message, right after the final boundary of the Multipart message located at line 59 ending with the double “-” character.

According to RFC 2046, the message epilogue should not contain any useful text and, in particular, it should be ignored by MIME-compliant software:

“NOTE: These “preamble” and “epilogue” areas are generally not used because of the lack of proper typing of these parts and the lack of clear semantics for handling these areas at gateways, particularly X.400 gateways. However, rather than leaving the preamble area blank, many MIME implementations have found this to be a convenient place to insert an explanatory note for recipients who read the message with pre-MIME software, since such notes will be ignored by MIME-compliant software.

In the attack, right after the closing boundary of the MIME/Multipart message and at the beginning of the Epilogue area, there is a new boundary (see line 61) that starts another Multipart section containing the malicious attachment.”

Certego verified that many libraries used in Antispam and Antivirus systems to extract and analyze email attachments are unable to detect files hidden in the Epilogue area. On the other hand, popular email clients such as Outlook, Thunderbird, Evolution and Web Mail services are able to detect the attachment and to show it to the user resulting in a new malware evasion technique.

Responsible Disclosure Policy

Certego has described this evasion technique to the developers of email clients impacted by BadEpilogue. At the same time, we have informed the vendors of major Antispam systems that some of their Content Filters are ignoring attachments hidden in the Epilogue area.

We reported the technique to Microsoft and Mozilla. Microsoft has just released a patch for their email client in their last Security Bulletin MS16-107 (CVE-2016-3366) fixing the anomaly.

Certego also contacted Google and TrendMicro and both vendors confirmed the problem. TrendMicro has released a hotfix for their products, while Google informed us that a solution will be released shortly.

Is my email infrastructure affected by BadEpilogue?

In order to be effective, BadEpilogue must fulfill two conditions.

The first is that the Antispam filter, being compliant to RFC 2046, is unable to detect the attachment hidden in the Epilogue area. The second condition is that the email client or the web mail application is able to detect the attachment and to show it to the user.

If you want to check if your antispam system is vulnerable to BadEpilogue, you can download the following EML file which contains an EICAR test file hidden in the Epilogue area. The EICAR file is a harmless test file for signature based virus detection software. Using any email client (better if installed on a virtual machine with no antivirus software or the antivirus will detect and block the EICAR file), you can send the file to the destination address you want to test. If the recipient receives the message, then your antispam system is probably vulnerable to the BadEpilogue evasion technique.

If you want to check if your email client can detect and open attachments hidden with BadEpilogue, you can download a sample message from this link. The message contains a simple text attachment inserted in the Mime/Multipart’s epilogue. You can double click the file to open it with your favorite email client or use the “File -> Open” menu to manually open it. If the program lets you see the attachment, then your email client is vulnerable to BadEpilogue evasion technique.

Detecting BadEpilogue using a SNORT signature

Certego has created the following Snort signature to detect all incoming SMTP messages exploiting the BadEpilogue evasion technique.

alert tcp any any -> $HOME_NET [25,587] (msg:"CERTEGO CURRENT_EVENTS Incoming SMTP Message with Possibly Malicious MIME Epilogue 2016-05-13 (BadEpilogue)"; flow:to_server,established; content:"|0d 0a|Content-Type|3a 20|multipart|2f|mixed|3b|"; pcre:"/\x0d\x0a--(?P<boundary>[\x20\x27-\x29\x2b-\x2f0-9\x3a\x3d\x3fA-Z\x5fa-z]{1,70})--(?:\x0d\x0a(?!--|\x2e|RSET).*)*\x0d\x0a--(?P=boundary)\x0d\x0a/"; reference:url,www.certego.local/en/news/badepilogue-the-perfect-evasion/; classtype:bad-unknown; sid:9000501; rev:3;)
The campaigns

As mentioned, this evasion technique has been detected in the wild since May 2016, in at least eleven different campaigns targeting Italian users. These campaigns use messages written in a fluent Italian asking the user to open an attachment labeled as invoice or payment receipt. The attachment is in ZIP format and it contains a malware in PE EXE format. This attack pattern is typical of the so-called Viral Spam campaigns that were prevalent until a few months ago, but it has now been deemed ineffective by antispam filters blocking ZIP files containing PE EXE. In this case, the BadEpilogue evasion technique allows the attacker to generate extremely effective campaigns that can reach a very high number of targets.

While the first campaigns were spreading a malicious attachment containing a Trojan Downloader of the Fareit family which downloaded a variant of the Andromeda Infostealer, the latest campaigns have started working mainly with ransomware and in the last few days we have observed a massive amount of emails containing Zlader.

The following picture shows the various campaigns using the BadEpilogue evasion technique as reported by our systems.

The following picture shows the geolocation of IP addresses used to spread the malicious emails. Spreading patterns seem to be related to a single botnet that is expanding and contracting over time. This seems to be confirmed also by the fact that so far only Italian users have been targeted by these attacks.

Fake-Game offers a Phishing-as-a-Service platform to wannabe criminals
4.9.2016 securityaffairs Spam

Experts from Fortinet discovered a Russian website called Fake-Game the offers a Phishing-as-a-Service platform to anyone.
The Phishing attacks are still one of the most effective methods to grab users’ credentials on the web.

Experts from Fortinet have discovered a Russian-language site called ‘Fake-Game’ that offers Phishing-as-a-Service.

“During our monitoring, we discovered that this same business model is also being used in phishing schemes in the form of a Russian website called “Fake-Game.” Appearing in (at least) July 2015, Fake-Game offers a Phishing-as-a-Service (PHaaS) platform to anyone who signs up on their website:” reads a blog post published by Fortinet.

“You’ve come to the site to hijack accounts,” reads the translation of the message that the website displays.

The website is free to use, but it also offers a paid version for VIP accounts that includes additional features such as the possibility to browse all other phished accounts.

The Fake-game was used to hack into over 688,610 accounts, this is what the authors claim, it is easy to use and includes also video tutorials.

Users only have to choose which type of credential they wish to grab (i.e. Facebook, Instagram, Google, etc.)

The Fake-Game then generates a URL with a unique ID for each user.

“The link is appended by an affiliate ID which, in this case, is our subscriber’s ID. This allows the website to track which stolen accounts belong to which subscriber.” continues the Fortinet post.

“A subscriber can then spread the phishing site to prospective victims. Once a victim enters a credential into the subscriber’s phishing link, a prompt showing the stolen information appears:”

The Fake-Game is a classic example of crime-as-a-service, similar services allow wannabe criminals to rent infrastructure and service to easily enter the cyber criminal arena.

Fake-Game users only need to trick victims into clicking on the Phishing URL.

Crime-as-a-service dramatically lowers the barrier for entry in the cyber criminal ecosystem.

Spam and phishing in Q2 2016
30.8.2016 Kaspersky Spam

Spam: quarterly highlights

The year of ransomware in spam

Although the second quarter of 2016 has only just finished, it’s safe to say that this is already the year of ransomware Trojans. By the end of Q2 there was still a large number of emails with malicious attachments, most of which download ransomware in one way or other to a victim’s computer. However, in the period between 1 June and 21 June the proportion of these emails decreased dramatically.

The majority of malicious attachments were distributed in ZIP archives. The decline can therefore be clearly seen in the following graph showing spam with ZIP attachments that arrived in our traps:

Number of emails with ZIP archives, Q2 2016

In addition to the decline, June saw another interesting feature: this sort of spam was not sent out on Saturdays or Sundays.

The same situation could be observed in KSN: the number of email antivirus detections dropped sharply on 1 June and grew on 22 June.

Number of email antivirus detections by day, Q2 2016

This decline was caused by a temporary lull in activity by the Necurs botnet, which is mostly used to distribute this type of malicious spam. After the botnet resumed its activity, the spam email template changed, and the malicious attachments became even more sophisticated.

As in the previous quarter, the spam messages were mainly notifications about bills, invoices or price lists that were supposedly attached to the email. The attachments actually contained a Trojan downloader written in Javascript, and in most cases the malware loaded the Locky encryptor.

For example, some emails (see the screenshot above) contained an attachment with a Trojan downloader. When run, it downloaded Trojan-Ransom.Win32.Locky.agn, which encrypts the data on a victim’s computer and demands a ransom, to be paid in bitcoin.

Obfuscation

The second quarter saw spammers continue to mask links using various Unicode ranges designed for specific purposes. This tactic became especially popular in 2015, and is still widely used by spammers.

The link in this example looks like this:

If you transfer the domain from UTF-8 into the more familiar HTML, it becomes . The characters, which look quite ordinary, in fact belong to the Mathematical Alphanumeric Symbols UTF range used in highly specific mathematical formulas, and are not intended for use in plain text or hyperlinks. The dot in the domain is also unusual: it is the fullwidth full stop used in hieroglyphic languages. The rest of the hyperlink, as well as the rest of the text in these spam messages, is written using the Latin alphabet.

Spam in APT attacks

In Q2, we came across a number of APT attacks in the corporate sector. Emails were made to look as if they came from representatives of the targeted company, and contained a request to immediately transfer money to a specific account. The text was fairly plausible and hinted at a personal acquaintance and previous communication. In some cases, the emails included the logo of the attacked company. All the messages conveyed a sense of urgency (“ASAP”, “urgent”, “must be completed today”) – scammers often use this trick in an attempt to catch people off guard, so that they act rather than think.

Below is an example:

Hello NNNNN,

How are you doing! Are you available at the office? I need you to process an overdue payment that needs to be paid today.

Thanks,

XXXXX

The emails were sent selectively – to individual employees, usually connected to the finance department. The knowledge shown by the scammers suggests the attack was carefully prepared.

The most suspicious aspect of the attack was the domain used in the ‘From’ field – myfirm.moby – that differed from the corporate one. Perhaps the attackers hope that some email clients only show the sender’s name by default, while concealing the address.

It is not that difficult to write any domain in the ‘From’ field, and in the future we can expect more well-prepared attacks.

Sporting events in spam

Spam mailings exploiting real-life events have long become an integral part of junk email. Sporting events are not as popular among spammers as political events, although their use is increasing with every year. There is a continuous stream of emails mentioning various political figures, while sport-related spam messages usually only appear in the run-up to an event. However, we have noticed that mass mailings can now be launched long before an event starts. For instance, emails exploiting the Olympic Games in Brazil were discovered over a year ago, in the second quarter of 2015. The majority of them were fraudulent emails designed to trick recipients and steal their personal information and money.

The classic scenario involves false notifications about lottery wins related to 2016 Olympics. The messages claim that the lottery was held by the official organizers of the games and the recipient was selected at random from millions of addresses. In order to claim the cash, the recipient has to reply to the email and provide some personal information.

The text of the message was often contained in an attached file (.pdf, .doc, .jpg), while the body of the message only displayed a short text prompting the recipient to open the attachment.

There were also more traditional messages where the spammer text was included directly in the body of the message.

In addition to fraudulent messages, advertising spam was also sent out.

Unlike the Olympics, football tournaments have long been used by scammers to grab people’s attention to their spam. Q2 2016 saw the long-awaited UEFA European Championship, and in the run-up to the tournament spam traffic included fake notifications of lottery wins. The content was no different from that dedicated to the Olympic Games, and the emails also contained attachments explaining why the message was sent.

The football theme was also exploited by ‘Nigerian’ scammers. They sent out emails supposedly on behalf of the former FIFA president, and used the infamous corruption scandal associated with his name to make their messages look more realistic. They believed that a fabricated story about how Sepp Blatter had supposedly received money and secretly transferred it to an account in a European bank would not arouse suspicion. In return for keeping the money in their bank accounts, the recipients were promised a 40% cut of the total sum.

In order to convince recipients that the message was genuine, the authors even went to the trouble of using the correct name and domain in the ‘From’ field.

US politicians in spam

The presidential election campaign is now in full swing in the United States and the nominees and their entourages are under close media scrutiny. Of course, spammers couldn’t resist using the names of high-profile politicians in their advertising and fraudulent emails. For example, numerous ‘Nigerian’ letters were sent in the name of current president Barack Obama and his wife Michelle. In their ‘official’ emails, the ‘President’ and the ‘First lady’ assured the recipient that a bank card or a check for a very large sum of money had already been issued in their name. The only thing the recipient had to do was complete some formalities, and the money would be delivered shortly afterwards. In order to get the instructions from the White House the recipient had to send some personal information, including their email address and the password for their email account, as well as detailed passport information to spoofed email addresses.

Another politician whose name regularly cropped up in spam was Donald Trump, one of the contenders for the US presidency. Spammers offered a unique Trump technique for earning money online: anyone who wanted to know how to get rich, had to click a link in the emails which were designed to look like news reports from CNN and Fox News.

The links led to fake news sites also in the style of major media outlets and news networks. The sites contained a story about a simple method for earning money – the publication of links, which is basically another kind of spam distribution. In order to participate in the program, a user had to register by providing their phone number and email address.

Statistics

Proportion of spam in email traffic

Percentage of spam in global email traffic, Q2 2016

The largest percentage of spam in the second quarter – 59.46% – was registered in May and was 3 p.p. more than in April. The average percentage of spam in global email traffic for Q2 amounted to 57.25%.

Sources of spam by country

Sources of spam by country, Q2 2016

In Q2 2016, the biggest three sources of spam remained the same as in the previous quarter – the US (10.79%), Vietnam (10.10%) and India (10.01%). However, the figures for each country changed: the gap between them narrowed to within a single percentage point.

China (6.52%) moved up to fourth with an increase of 1.43 p. p. compared to Q1. Mexico (4.55%) came fifth, followed by Russia (4.07%) and France (3.60%). Brazil (3.28%), which was fourth in the previous quarter, lost 2.2 p.p. and dropped to eighth place. Germany (2.97%) and Turkey (2.30%) completed the TOP 10.

Spam email size

Breakdown of spam emails by size, Q1 and Q2 2016

Traditionally, the most commonly distributed emails are very small – up to 2 KB (72.26%), although the proportion of these emails dropped by 9.6 p.p. compared to the previous quarter. Meanwhile, the share of emails sized 10-20 KB increased by 6.76 p.p. The other categories saw minimal changes.

Malicious email attachments

Currently, the majority of malicious programs are detected proactively by automatic means, which makes it very difficult to gather statistics on specific malware modifications. So we have decided to turn to the more informative statistics of the TOP 10 malware families.

TOP 10 malware families

The three most popular malware families remained unchanged from the previous quarter – Trojan-Downloader.JS.Agent (10.45%), Trojan-Downloader.VBS.Agent (2.16%) and Trojan-Downloader.MSWord.Agent (1.82%).

The Trojan.Win32.Bayrob family moved up to fourth place (1.68%), while the Backdoor.Win32.Androm family fell from fourth to ninth place with 0.6%.

TOP 10 malware families in Q2 2016

A newcomer to this ranking was the Trojan.Win32.Inject family (0.61%). The malicious programs from this family embed their code in the address space of other processes.

The Trojan-Spy.HTML.Fraud family (0.55%) rounded off the TOP 10 in Q2 2016.

Countries targeted by malicious mailshots

Distribution of email antivirus verdicts by country, Q2 2016

Germany (14.69%) topped the ranking of countries targeted by malicious mailshots, although its share decreased 4.24 p.p. It was followed by China (13.61%) whose contribution grew 4.18 p.p. Japan (6.42%) came third after ending the previous quarter in seventh with a share of 4.29%.

Fourth place was occupied by Brazil (5.57%). Italy claimed fifth with a share of 4.9% and Russia remained in sixth (4.36%).

The US (4.06%) was the seventh most popular target of malicious mailshots. Austria (2.29%) rounded off this TOP 10.

Phishing

In Q2 2016, the Anti-Phishing system was triggered 32,363,492 times on the computers of Kaspersky Lab users, which is 2.6 million less than the previous quarter. Overall, 8.7% of unique users of Kaspersky Lab products were attacked by phishers in Q2 of 2016.

Geography of attacks

The country where the largest percentage of users is affected by phishing attacks was China (20.22%). In Q2 2016, the proportion of those attacked increased by 3.52 p.p.

Geography of phishing attacks*, Q2 2015

* Number of users on whose computers the Anti-Phishing system was triggered as a percentage of the total number of Kaspersky Lab users in the country

The percentage of attacked users in Brazil decreased by 2.87 p.p. and accounted for 18.63%, placing the country second in this ranking. Algeria (14.3%) came third following a 2.92 p.p. increase in its share compared to the previous quarter.

TOP 10 countries by percentage of users attacked:

China 20.22%
Brazil 18.63%
Algeria 14.3%
United Kingdom 12.95%
Australia 12.77%
Vietnam 11.46%
Ecuador 11.14%
Chile 11.08%
Qatar 10.97%
Maldives 10.94%
Organizations under attack

The statistics on phishing targets are based on detections of Kaspersky Lab’s heuristic anti-phishing component. It is activated every time a user attempts to open a phishing page while information about it has not yet been included in Kaspersky Lab’s databases. It does not matter how the user attempts to open the page – by clicking a link in a phishing email or in a message on a social network or, for example, as a result of malware activity. After the security system is activated, a banner is displayed in the browser warning the user about a potential threat.

In Q2 of 2016, the share of the ‘Global Internet portals’ category (20.85%), which topped the rating in the first quarter, decreased considerably – by 7.84 p.p. The share of the ‘Financial organizations’ category grew 2.07 p.p. and accounted for 46.23%. This category covers ‘Banks’ (25.43%, +1.51 p.p.), ‘Payment systems’ (11.42%, -0.42 p.p.) and ‘Online stores’ (9.39%, +0.99 p.p.).

Distribution of organizations affected by phishing attacks by category, Q2 2016

The share of attacks on the ‘Social networking sites’ category increased by 2.65 p.p. and reached 12.4%. The ‘Online games’ category was also attacked more often (5.65%, + 1.96 p.p.). Meanwhile, the ‘Telephone and Internet service providers’ (4.33%) and the ‘IMS’ (1.28%) categories lost 1.17 p.p. and 2.15 p.p. respectively.

Hot topics this quarter

The Olympics in Brazil

For a number of years now Brazil has been among the countries with the highest proportion of users targeted by phishing. In 2015 and 2016 phishers have focused on the Rio Olympic Games in Brazil. Last quarter showed that as well as ordinary users, the potential victims of phishing included the organizers of the Olympic Games.

The Olympic theme remained popular in Q2, with phishers working overtime to send out fake notifications about big cash wins in a lottery that was supposedly organized by the Brazilian government and the Olympic Committee.

‘Porn virus’ for Facebook users

Facebook users are often subjected to phishing attacks. During one attack in the second quarter, a provocative video was used as bait. To view it, the user was directed to a fake page imitating the popular YouTube video portal, and told to install a browser extension.

This extension requested rights to read all the data in the browser, potentially giving the cybercriminals access to passwords, logins, credit card details and other confidential user information. The extension also distributed more links on Facebook that directed to itself, but which were sent using the victim’s name.

Phisher tricks

Compromising domains with good reputation

To bypass security software filters, fraudsters try to place phishing pages on domains with good reputations. This significantly reduces the probability of them being blocked and means potential victims are more trusting. The phishers can strike it big if they can use a bank or a government agency domain for their purposes. In Q2, we came across a phishing attack targeting the visitors of a popular Brazilian e-commerce site: the fake page was located on the domain of a major Indian bank. This is not the first time fraudsters have compromised the domain of a large bank and placed their content on it.

Phishing pages targeting the users of the Brazilian store americanas.com

When trying to purchase goods on the fake pages of the store, the victim is asked to enter lots of personal information. When it’s time to pay, the victim is prompted to print out a receipt that now shows the logo of a Brazilian bank.

The domains of state structures are hacked much more frequently by phishers. In Q2 2016, we registered numerous cases where phishing pages were located on the domains belonging to the governments of various countries. Here are just a few of them:

Phishing pages located on the domains of government authorities

The probability of these links being placed on blacklists is negligible thanks to the reputation of the domain.

TOP 3 organizations attacked

Fraudsters continue to focus most of their attention on the most popular brands, enhancing their chances of a successful phishing attack. More than half of all detections of Kaspersky Lab’s heuristic anti-phishing component fall on phishing pages hiding behind the names of fewer than 15 companies.

The TOP 3 organizations attacked most frequently by phishers accounted for 23% of all phishing links detected in Q2 2016.

Organization % of detected phishing links
1 Microsoft 8.1
2 Facebook 8.03
3 Yahoo! 6.87
In Q2 2016, this TOP 3 ranking saw a few changes. Microsoft was the new leader with 8.1% (+0.61 p.p.), while Facebook (8.03%, +2.32 p.p.) came second. The share of attacks targeting Yahoo! (6.87%) fell 1.46 p.p., leaving last quarter’s leader in third.

Q2 leader Microsoft is included in the ‘Global Internet portals’ category because the user can access a variety of the company’s services from a single account. This is what attracts the fraudsters: in the event of a successful attack, they gain access to a number of services used by the victim.

Example of phishing on Live.com, a Microsoft service

Conclusion

In the second quarter of 2016, the proportion of spam in email traffic increased insignificantly – by 0.33 p.p. – compared to the previous quarter and accounted for 57.25%. The US remained the biggest source of spam. As in the previous quarter, the top three sources also included Vietnam and India.

Germany was once again the country targeted most by malicious mailshots, followed closely by China. Japan, which was seventh in the previous quarter’s ranking, completed the TOP 3 in Q2.

Trojan-Downloader.JS.Agent remained the most popular malware family distributed via email. Next came Trojan-Downloader.VBS.Agent and Trojan-Downloader.MSWord.Agent. A significant amount of malicious spam was used to spread ransomware Trojans such as Locky. For almost a month, however, cybercriminals did not distribute their malicious spam, but then the Necurs botnet began working again. We don’t expect to see any significant reduction in the volume of malicious spam in the near future, although there may be changes in email patterns, the complexity of the malware, as well as the social engineering methods used by attackers to encourage a user to launch a malicious attachment.

The focus of phishing attacks shifted slightly from the ‘Global Internet portals’ to the ‘Financial organizations’ category.

The theme of the Olympic Games was exploited by both phishers and spammers to make users visit fake pages with the aim of acquiring their confidential information or simply to get their money.

Events in the political arena, such as the presidential election in the US, also attracted spammers, while the sites of government agencies were compromised in phishing attacks.

As we can see, the overriding trend of the quarter is that of fraud and making quick money from victims using direct methods such as Trojan cryptors that force unprotected users to pay a ransom, or phishing attacks that target financial organizations, rather than long drawn-out scams. All of this once again highlights the need for both comprehensive protection on computers and increased vigilance by Internet users.

The Rio Olympics: Scammers Already Competing
18.5.2016 Zdroj:Kaspersky Spam

A few years ago, spammers and scammers were not as interested in the Olympics as they were in football (the World Cup and European Championships). The first major increase in the number of spam messages devoted to the Olympic Games occurred in the run-up to the Winter Olympics in Sochi in 2014. Since then, their interest in the Olympics has shown no sign of weakening and the upcoming event in Brazil is no exception.

Back in 2015, a year before the Olympics in Rio, we registered fake notifications of lottery wins allegedly organized by the country’s government and the International Olympic Committee. Similar emails continue to be sent in 2016. The vast majority of these messages contain a DOC or PDF attachment, while the body of the message includes only a brief text asking the recipient to open the attachment.

The name of the DOC file, the name of the sender and the subject line of the email often mention the Olympic Games.

The content of these attachments is fairly standard: a lottery was held by an official organization; the recipient’s address was randomly selected from a large number of email addresses, and to claim their winnings the recipient has to respond to the email and provide the necessary personal information.

We also came across emails without attachments; the text written by the scammers was included in the body of the message.

English is undoubtedly the most popular language used in fraudulent emails exploiting the Olympics theme, but we have also registered messages in other languages, for example Portuguese. In these the spammers stuck to the same story of a lottery win, trying to convince the recipient that the email is genuine.

In addition to fraudulent spam, we have registered unsolicited advertising messages containing offers for various goods and services that, one way or another, use the Olympics to grab the attention of recipients.

For example, spammers have been pushing new TVs for watching sporting events.

They also promised to make the recipient an “Olympic champion” with the help of magic pills.

Taking any of these emails seriously enough to reply to them could well leave you out of pocket. But the biggest hit that sporting fans’ wallets are likely to take are from fake ticketing services. We are constantly blocking dozens of newly registered domains with names containing the words “rio”, “rio2016” and so on. Each of these domains hosted good quality imitations of official services offering tickets to sporting events at this summer’s games in Rio de Janeiro.

The scammers register these domains to make their sites look more credible; for the same purpose, they often buy the cheapest and simplest SSL certificates. These certificates are registered within a few minutes, and certification authorities don’t verify the legal existence of the organization that has issued the certificate. The certificates simply provide data transfer over a secure protocol for the domain and, most importantly, gives fraudsters the desired “https” at the beginning of their address.

If you examine the whois data for such domains, you will find that they have only been registered recently, for a short period of time (usually a year) and in the names of individuals. Moreover, the detailed information is often hidden, and the hosting provider could be located anywhere, from Latin America to Russia.

The sites are necessary to implement a simple scam whereby the phishers ask for bank card information, allegedly to pay for tickets, and then use it to steal money from the victim’s bank account. In order to keep the buyer in the dark for some time, the scammers assure them that the payment has been received for the tickets and that they will be sent out two or three weeks before the event.

As a result, the criminals not only steal the victim’s money but deprive them of the chance of attending the Olympics – by the time they realize they won’t be getting the tickets they booked it will be too late to buy genuine tickets… especially if there’s no money in their bank account.

According to our information, the creation of these fake sites usually involves international cybercriminal groups, each fulfilling its own part of the scam. One group creates a website, the second registers the domains, the third collects people’s personal information and sells it, and the fourth withdraws the cash.

To avoid falling victim to the scammers’ tricks, sports fans should be careful and only buy tickets from authorized reseller sites and ignore resources offering tickets at very low prices. The official website of the Olympic Games provides a list of official ticket sellers in your region and a service that allows you to check the legitimacy of sites selling tickets.

Also, we strongly recommend not buying anything in stores advertised in spam mailings or advertising banners, whether it’s tickets or souvenirs related to the Olympics. At best, you’ll end up with non-certified goods of dubious quality, and at worst – you’ll just be wasting your money. For those who cannot resist impulse purchases, we recommend getting a separate bank card that is only used for online payments and which only ever has small sums of money on it. This will help to avoid serious losses if your banking information is stolen.

Euro 2016 – Experts already detected football-themed spam
10.5.2016 Spam

The Euro 2016 will be held in June in France and online fraudsters already started launching football-themed spam campaigns on the event.
Major events such as the Euro 2016 represent a great opportunity for criminal organizations. In conjunction with international football tournaments such as the World Cup and the European Championship, traditionally security experts observe a spike in spammer activities.
The Euro 2016 will be held in June in France, and online fraudsters started launching spam campaigns that rely on fake notifications about lottery wins dedicated to the upcoming football tournament.

Security experts from Kaspersky are warning Internet users about malicious spam campaign spreading messages containing attachments adorned with graphic elements including logos of the next Euro 2016 and its sponsors.

“The contents of the attachments are the standard stuff: the lottery was held by an authorized organization, the recipient’s address was randomly selected from a large number of email addresses, and in order to claim your prize you have to reply to the email and provide some personal information.” reads a blog post published by Kaspersky in SecureList.”We have recorded cases where the same attachment was sent in messages with a different text, but the theme of the email is essentially the same.”

The experts noticed that crooks behind the spam campaign used multiple email addresses and different addresses in the body of the message. Kaspersky also observed advertising spam in different languages asking targeted people to buy a 2-euro commemorative coin.

The experts expect to see a significant growth in Euro 2016 themed spam in the next weeks, and unfortunately, this kind of attacks could be very effective.

“This type of fraudulent spam can be one of the most dangerous for users: the perpetrators are unlikely to limit their activity to fake lotteries, and will start spreading various emails offering the chance to win tickets to the games, as was the case before the World Cup in Brazil. The amount of spam targeting users in France, which is hosting the championship, may also increase.” continues the post.

Spammers all geared up for Euro 2016!
23.4.2016 Zdroj: Kaspersky Spam
Major football tournaments such as the World Cup and the European Championship, traditionally attract a lot of spammer activity. Euro 2016 will be held this summer in France, and it’s not only the fans and players who are getting ready but also Internet fraudsters. The latter have started sending out fake notifications about lottery wins dedicated to the upcoming tournament. Their emails often contain attachments adorned with graphic elements including official emblems, the Euro 2016 logo and those of its sponsors.

The contents of the attachments are the standard stuff: the lottery was held by an authorized organization, the recipient’s address was randomly selected from a large number of email addresses, and in order to claim your prize you have to reply to the email and provide some personal information. We have recorded cases where the same attachment was sent in messages with a different text, but the theme of the email is essentially the same. The fraudsters also use different email addresses and change those used in the body of the message and the attachment.

We have also come across advertising spam in different languages, for example in Dutch, asking recipients to buy a 2-euro commemorative coin issued specifically for Euro 2016.

We expect to see a growth in football-themed spam as the start date of Euro 2016 approaches. This type of fraudulent spam can be one of the most dangerous for users: the perpetrators are unlikely to limit their activity to fake lotteries, and will start spreading various emails offering the chance to win tickets to the games, as was the case before the World Cup in Brazil. The amount of spam targeting users in France, which is hosting the championship, may also increase.

Malicious spam campaign capitalizes the global interest in the Zika virus

20.2.2016 Spam

The cybercrime ecosystem is getting ready to exploit the media attention on the Zika virus infections for illegal activities. Be careful!
What is the relationship between the Zika virus and a malware? It’s just a matter of opportunity, the cyber crime ecosystem is getting ready to exploit the media attention on current issues for illegal activities. The Zika virus is a Public Health Emergency, as announced on February 1, 2016, by the World Health Organization (WHO). Zika seems to be responsible for birth defects, the population in the Americas were first victims of the virus.

Security experts at Symantec have spotted a malicious spam campaign seeking to exploit the interest in the event.

“Newsworthy events on a regional or global level often provide fertile ground for cybercriminals seeking to capitalize on the interest in these events. In this case, the Zika virus’ impact in countries like Brazil is being leveraged, while the potential impact in other countries make it a prime candidate for more malicious spam.” states a blog post published by Symantec.
Most cases of the Zika virus were reported in Brazil, the same country where cyber security experts have spotted the malicious spam campaign.

The campaign that targeted Brazilians relies on malicious spam email that present to be sent by the Saúde Curiosa (Curious Health), a Brazilian health web portal.

The messages used the following subject:

“ZIKA VIRUS! ISSO MESMO, MATANDO COM ÁGUA!” which translates to: “Zika Virus! That’s Right, killing it with water!”

The text of the message includes buttons and attachments displaying the message “Eliminating Mosquito! Click Here!” and “Instructions To Follow! Download!” as well as a file attachment.

The button redirect victims to the file hosting service Dropbox where experts discovered the same file attached to the spam emails (JS.Downloader) used by crooks to download additional malware onto the infected machine.

Symantec provided the following suggestion to limit the exposure to this specific hacking campaign:

For information about the Zika virus, visit the World Health Organization’s website
Always look for trusted news sources, regionally and globally, for additional information
Avoid clicking on links or opening attachments in unsolicited email messages
Run security software on your computer and ensure that it is up to date

Kaspersky Security Bulletin. Spam and phishing in 2015
16.2.2016 Zdroj: Kaspersky Spam

According to Kaspersky Lab, in 2015

The proportion of spam in email flows was 55.28%, which is 11.48 percentage points lower than in 2014.
79% of spam emails were no more than 2 KB in size.
15.2% of spam was sent from the US.
146,692,256 instances that triggered the ‘Antiphishing’ system were recorded.
Russia suffered the highest number of phishing attacks, with 17.8% of the global total.
Japan (21.68 %) took the lead in the ranking of unique users attacked by phishers.
34.33% of phishing attacks targeted online financial organizations (banks, payment systems and online stores).
New domain zones in spam

In early 2015, we registered a surge in the number of new top-level domains used for distributing mass mailings. This was caused by the growth in interest among spammers for the New gTLD program launched in 2014. The main aim of this program is to provide organizations with the opportunity to choose a domain zone that is consistent with their activities and the themes of their sites. The business opportunities provided by New gTLD were enthusiastically endorsed by the Internet community, and active registration of new domain names is still ongoing.

In 2015, proportion of #spam was 55.28% down from 66.76% in 2014 #KLReport
Tweet
However, new domain zones almost immediately became an arena for the large-scale distribution of spam, as cybercriminals registered domains to spread mass mailings. At first, there was some logical connection between the theme of the spam and the domain name, but this changed as the year went on and the domain names used in mass mailings were, on the whole, not related to the subject of the spam. However, even now we still come across isolated cases where the connection is noticeable. For example, online dating sites are often placed in the .date zone.

This lack of any connection between the domain name and spam theme was mainly caused by the cost of new domains. The attackers try to choose the cheapest possible hosting because the sites will often be used just once for a specific spam mass mailing, so the domain name does not play a major role. Instead, the deciding factors tend to be the cost of the domains and the discounts that small registrars are willing to provide for bulk purchases.

Spammer tricks: methods for expressing domain names

Scammers try to make every email unique in order to bypass mass filtering and complicate the work of content filters. It is quite easy to make each text different by using similar characters from other alphabets, or by changing the word and sentence order, etc. But there is always the address of the spammer site – it can’t be changed so easily, and the whole point of sending out spam is for users to click a link to the advertised site. Over the years, spammers have come up with numerous ways to hide the spammer site from anti-spam filters: redirects to hacked sites, generation of unique links to short URL services, the use of popular cloud services as redirects, etc.

In 2015, 79% of spam emails were less than 2 KB in size #KLReport
Tweet
In 2015, in addition to the methods mentioned above, spammers also focused on ways of expressing domain names and IP addresses. Here we take a closer look at these tricks by studying examples taken from a variety of spam messages.

Special features of the IP protocol: different IP formats

The standard method of writing IP addresses IPv4 is the dotted-decimal format where the value of each byte is given as a decimal number from 0 to 255, and each byte is separated by a dot. However, there are other formats that browsers will interpret correctly. These are binary, octal, hexadecimal formats, and the format dword/Undotted Integer when every IP byte is first converted to a hexadecimal format, then all the bytes are written in one number in the order they were written in the IP address, and then this number is converted into the decimal system. All these formats can be combined by writing each part of the IP in a different way, and the browser will still interpret it correctly!

These techniques are exploited by spammers. They write the same IP addresses in many different ways, including the method of combining different formats:

oct – hex

oct – dword

hex – dword

Addresses in hexadecimal format can be written with and without dots separating the numbers:

Kaspersky Security Bulletin. Spam and phishing in 2015

Additionally, 4294967296 (256^4) can be added any number of times to the number in the Integer format, and the result will still be interpreted as the same IP address.

In 2015, 15.2% of spam was sent from the US #KLReport
Tweet
In the decimal format, the number 256 can be added to each part of the IP address any amount of times – as long as there is a three-digit result, the address will be interpreted correctly.

In the octal format, any number of leading zeros can be added to the IP address, and it will remain valid:

You can also insert any number of forward slashes in the address:

Although in some legal libraries IP addresses can be stored in different formats, it is prohibited to use any format other than the standard dotted-decimal in the URL (i.e., in the links being referred to).

Obfuscation of an IP address, or how many ways can a number be written in Unicode

We have already written about the obfuscation of key words in spam using various Unicode ranges.

The same tricks can be applied when writing IP addresses and domain names. With regards to an IP, in 2015 spammers often used Unicode numbers from the so-called full-size range. Normally, it is used with hieroglyphic languages so that Latin letters and numbers do not look too small and narrow compared to the hieroglyphics.

We also came across figures from other ranges – figures in a circle, figures that are underscored, etc.:

Obfuscation of domains

As mentioned above, this trick also works with domains. Unicode has even more letter ranges than numerical. Spammers often used multiple ranges in a single link (changing them randomly in every email, thereby increasing the variability within a single mass mailing).

To make the links even more unique, rather than obfuscating the spammer site itself the scammers obfuscated short URL services where the links to the main site were generated in large quantities:

Interpreting URL symbols

URLs contain special symbols that spammers use to add ‘noise’. Primarily, it is the @ symbol which is intended for user authentication on the site. A link such as http://login:password@domain.com means that the user wants to enter the site domain.com using a specific username (login) and password. If the site does not require authentication, everything that precedes the @ symbol, will simply be ignored. We came across mass mailings where spammers simply inserted the @ symbol in front of the domain name and mass mailings where the @ symbol was preceded with a random (or non-random) sequence:

It is interesting that this technique was used to obfuscate links; that is usually the prerogative of phishers. This method of presenting URLs can be used by fraudsters to trick users into thinking that a link leads to a legitimate site. For example, in the link http://google.com@spamdomain.com/anything the domain that the browser accepts is spamdomain.com, not google.com. However, in order to trick users, spammers have used another domain-related technique: they registered lots of domains beginning with com-. With third-level domains the links in emails looked like this: http://learnmore.com-eurekastep.eu/find

If you don’t look carefully, you might think that the main domain is learnmore.com, whereas it is in fact com-eurekastep.eu.

In addition to the @ symbol, scammers filled links with other symbols: www.goo&zwj.g&zwjl/0Gsylm.

For example, in the case above the “&zwj” fragment in the goo.gl domain has been inserted randomly in different parts of the domain making the link unique in each email. This insertion is called a zero-width joiner; it is used to combine several individual symbols in the Hindi languages as well as emoticons in one symbol. Within the domain, it obviously carries no semantic meaning; it simply obfuscates the link.

Yet another method of obscuring links is the use of a “soft hyphen” (SHY). In HTML, SHY is a special symbol that is not visible in the text, but if a word containing a special symbol doesn’t fit in at the end of a line, the part after the special symbol is moved to the next line, while a hyphen is added to the first part. Typically, browsers and email clients ignore this symbol inside links, so spammers can embed it anywhere in a URL and as often as they like. We came across a mass mailing where soft hyphens had been inserted in the domain more than 200 times (hexadecimal encoding):

As well as the soft hyphen there are other special symbols used in domains – the sequence indicator (& ordm;), the superscripts 1 and 2 (& sup1 ;, & sup2;) – that can be interpreted by some browsers as the letter “o” and the figures “1” and “2” respectively.

Reiteration of a popular domain name

Another original way of adding noise to links used by spammers in 2015 was the use of a well-known domain as a redirect. This trick is not new, but this time the fraudsters added the same well-known domain several times:

Emails without a URL

It is also worth mentioning those cases where no domains were used at all. Instead of a URL, a number of spam mailings contained a QR-code.

Other mass mailings prompted the user to enter a random sequence in a search engine; the link to the site appeared at the top of the search results:

World events in spam

The next Olympic Games in Brazil only take place in the summer of 2016, but already in 2015 fraudulent notifications of lottery wins dedicated to this popular sporting event were being registered. These included emails containing an attached PDF file that informed recipients that their address had been randomly selected out of millions of email addresses. In order to claim the prize it was necessary to respond to the email and provide specific personal information. In addition to the text, the attachments contained different graphical elements (logos, photos, etc.). The fake lottery win notifications, which were of a considerable length, were often sent out with attachments to bypass spam filtering.

In 2015, ‘Nigerian’ scammers exploited political events in Ukraine, the war in Syria, the presidential elections in Nigeria and earthquake in Nepal to convince recipients that their stories were genuine. The authors primarily sought help to invest huge sums of money or asked for financial assistance. These so-called Nigerian letters made use of the customary tricks to deceive recipients and extort money from them.

Emails about the war in Syria often mentioned refugees and Syrian citizens seeking asylum in Europe. Some emails were made to look as if they had been sent directly from refugee camps and contained complaints about the poor conditions.

Statistics

Proportion of spam in email traffic

In 2015, the proportion of spam in email traffic was 55.28%, which is 11.48 percentage points lower than the previous year.

The proportion of spam in email traffic, 2015

The most noticeable drop was registered in the first months of 2015 – from 61.86% in January to 53.63% in April. The fluctuations throughout the rest of the year were inconsiderable – within 1-2 percentage points.

Sources of spam by country

Sources of spam by country, 2015

In 2015, there was a slight change to the top three sources of spam: China (6.12%) dropped to fourth although the proportion of spam distributed from that country actually increased by 0.59 percentage points. Replacing it in third place was Vietnam (6.13%), which saw 1.92 percentage points added to its share. Russia (6.15%) remained in second place with an increase of 0.22 percentage points, while the US (15.16%) remained the undisputed leader despite a decrease of 1.5 percentage points.

In 2015, users in USA were targeted by 4.92% of worldwide malicious emails #KLReport
Tweet
As was the case in 2014 Germany came fifth (4.24%), with its contribution increasing by 0.24 percentage points. The rest of the Top 10 consisted of Ukraine (3.99%, +0.99 p.p.), France (3.17%, +0.62 p.p.), India (2.96%, no change), Argentina (2.90%, -0.65 p.p.) and Brazil (2.85%, +0.42 p.p.).

The size of spam emails

The size of spam emails in 2015

The proportion of super-short spam emails (under 2 KB) grew in 2015 and averaged 77.26%, while the share of emails sized 2-5 KB fell to 9.08%. The general trend of 2015 was a reduction in the size of emails.

Malicious attachments in email

The Top 10 malicious programs spread by email in 2015

The notorious Trojan-Spy.HTML.Fraud.gen remained the most popular malicious program sent by email. This program is a fake HTML page sent via email that imitates an important notification from a large commercial bank, online store, or software developer, etc. This threat appears as an HTML phishing website where a user has to enter his personal data, which is then forwarded to cybercriminals.

Trojan-Downloader.HTML.Agent.aax was in second, while ninth and tenth positions were occupied by Trojan-Downloader.HTML.Meta.as. and Trojan-Downloader.HTML.Meta.ay respectively. All three are HTML pages that, when opened by users, redirect them to a malicious site. Once there, a victim usually encounters a phishing page or is offered a download – Binbot, a binary option trading bot. These malicious programs spread via email attachments and the only difference between them is the link that redirects users to the rigged sites.

Third was Trojan-Banker.Win32.ChePro.ink. This downloader is a CPL applet (a Control Panel component) that downloads Trojans designed to steal confidential financial information. Most malicious programs of this type are aimed at Brazilian and Portuguese banks.

Email-Worm.Win32.Mydoom.l was in fourth place. This network worm spreads as an email attachment via file-sharing services and writable network resources. It harvests email addresses from infected computers so they can be used for further mass mailings. To send the email, the worm directly connects to the SMTP server of the recipient.

Next came Trojan.JS.Agent.csz and Trojan-Downloader.JS.Agent.hhi, which are downloaders written in JavaScript. These malicious programs may contain several addresses (domains) which the infected computer consecutively calls. If the call is successful, a malicious EXE file is downloaded in the temp folder and run.

Trojan-PSW.Win32.Fareit.auqm was in eighth position. Fareit Trojans steal browser cookies and passwords from FTP clients and email programs and then send the data to a remote server run by cybercriminals.

Malware families

Throughout the year, Upatre remained the most widespread malware family. Malware from this family downloads the Trojan banker known as Dyre/Dyreza/Dyzap.

MSWord.Agent and VBS.Agent occupied second and third places respectively. To recap, these malicious programs are DOC files with an embedded macro written in Visual Basic for Applications (VBA), which runs on opening the document. It downloads and runs other malware, such as Andromeda.VBS.Agent. As the name suggests, it uses the embedded VBS script. To download and run other malware on the user’s computer the malicious programs of this family utilize the ADODB.Stream technology.

The Andromeda family came fourth. These programs allow the attackers to secretly control infected computers, which often become part of a botnet. Noticeably, in 2014 Andromeda topped the rating of the most widespread malware families.

In 2015, #Japan (21.68 %) took the lead in the ranking of unique users attacked by phishers #KLReport
Tweet
The Zbot family came fifth. Representatives of this family are designed to carry out attacks on servers and user computers, and also for capturing data. Although ZeuS/Zbot is capable of carrying out various harmful actions, it is most often used to steal banking information.

Countries targeted by malicious mailshots

Distribution of email antivirus verdicts by country, 2015

For the previous three years, the Top 3 countries most often targeted by mailshots has remained unchanged – the US, the UK and Germany. However, in 2015, spammers altered their tactics and targets. As a result, Germany came first (19.06%, +9.84 p.p.) followed by Brazil (7.64%, +4.09 p.p.), which was only sixth in 2014.

The biggest surprise in Q3, and the whole of 2015, was Russia’s rise to third place (6.30%, +3.06 p.p.). To recap, in 2014 Russia was ranked eighth with no more than 3.24% of all malicious spam being sent to the country.

We would like to believe that despite the trend seen in recent quarters, the number of malicious mass mailings sent to Russia will decrease. As for the total number of malicious attachments sent via email, their number is likely to grow in 2016 and the theft of personal information and Trojan ransomware will occupy the top places.

Special features of malicious spam

In spam traffic for 2015 we registered a burst of mass mailings with macro viruses. The majority of emails containing macro viruses in Q1 were sent in attachments with a .doc or .xls extension and belonged to the Trojan downloader category designed to download other malicious programs.

As a rule, the malicious attachments imitated various financial documents: notifications about fines or money transfers, unpaid bills, payments, complaints, e-tickets, etc. They were often sent on behalf of employees from real companies and organizations.

In 2015, 34.33% of phishing attacks targeted clients of financial organizations #KLReport #banking
Tweet
The danger posed by macro viruses is not restricted to their availability and ease of creation. A macro virus can infect not only the document that is opened initially but also a global macro common to all similar documents and consequently all the user’s documents that use global macros. Moreover, the VBA language is sufficiently functional to be used for writing malicious code of all kinds.

In 2015, cybercriminals specializing in malicious spam continued to distribute malware in non-standard archive formats (.cab, .ace, .7z, .z, .gz). These formats were introduced long ago and are used by specialists in software development and installation, but they are largely unknown to ordinary users, unlike ZIP and RAR. Another difference is the high degree of file compression. These malicious archives were passed off as a variety of attachments (orders, invoices, photographs, reports, etc.) and contained different malicious programs (Trojan-Downloader.Win32.Cabby, Trojan-Downloader.VBS.Agent.azx, Trojan-Spy.Win32.Zbot .iuk, HawkEye Keylogger, etc.). The vast majority of emails were in English, though there were messages in other languages.

In 2014, cybercriminals were particularly active in sending out fake emails from mobile devices and notifications from mobile apps containing malware and adverts. In 2015, the mobile theme continued: malicious programs were distributed in the form of .apk and .jar files, which are in fact archived executable application files for mobile devices. Files with the .jar extension are usually ZIP archives containing a program in Java, and they are primarily intended to be launched from a mobile phone, while .apk files are used to install applications on Android.

In particular, cybercriminals masked the mobile encryption Trojan SLocker behind a file containing updates for Flash Player: when run, it encrypts images, documents and video files stored on the device. After launching, a message is displayed telling the user to pay a fee in order to decrypt his files. Another .jar archive contained Backdoor.Adwind written in Java. This multi-platform malicious program can be installed not only on mobile devices but also on Windows, Mac and Linux.

The attackers who send out malware in files for mobile devices are most probably hoping that recipients using email on a mobile device will install the malicious attachment.

With every year, cybercriminals are becoming more interested in mobile devices. This is primarily due to the constant increase in activity by mobile users (using messengers and other methods of exchanging data) and the migration of different services (e.g., financial transactions) to mobile platforms, and of course, one user may have several mobile devices. Secondly, it is due to the emergence of various popular apps that can be used by cybercriminals both directly (for sending out spam, including malicious spam) and indirectly (in phishing emails). For example, users of the popular messenger WhatsApp fall victim to not only traditional advertising spam but also virus writers. Mobile users should be especially careful because cybercriminal activity in this sphere is only likely to increase.

Phishing

Main trends

In 2015, the Anti-Phishing system was triggered 148,395,446 times on computers of Kaspersky Lab users. 60% (89,947,439) of those incidents were blocked by deterministic components and 40% (58,448,007) by heuristic detection components.

Methods of distributing phishing content

The methods used by cybercriminals to spread phishing content have long gone beyond the framework of email clients. For example, one of the most popular ways of distributing phishing pages is pop-up ads. In 2015, we came across a variety of fraudulent schemes utilizing this simple trick: the fake page automatically opens in the browser when a user visits certain sites, including legitimate ones, but uses pop-up advertising.

Cybercriminals used this technique to attack customers of Russian banks in the third and fourth quarters of 2015.

The fraudulent page to which the victim is redirected by a pop-up advert

Other popular themes of the year

As we mentioned in Q1, the contribution of the ‘Delivery company’ category is very small (0.23%), but it has recently experienced a slight increase (+0.04 p.p.). In addition, DHL, one of the companies in this category, was among the Top 100 organizations most often targeted by phishers.

This method – an email sent on behalf of a delivery firm – is often used by fraudsters to distribute malicious attachments, gather personal information and even collect money.

Phishing email sent on behalf of FedEx

The attackers are especially active in this category in the run-up to holidays when people tend to buy presents using popular delivery services.

Email tricks

Scammers have long made successful use of PDF attachments in phishing attacks. These files are usually a form for entering personal information that is sent to the fraudsters by pressing a button in the file. However, in 2015 we saw a surge of emails in which the text message and the link to the phishing page were included in the PDF document. The text in the body of the message was reduced to a minimum to bypass spam filtering.

These tricks are used against organizations in all categories. In 2015, many attacks of this type targeted banking and mail organizations.

Example of a phishing email. The body of the message contains only the text imitating the heading of the email to which this email is allegedly responding. The email has an attached PDF file that contains the link to the phishing page.

We came across numerous PDF files that redirected victims to phishing websites. The fraudsters encouraged the user to click on ‘View pdf File’ to read the contents of the file.

A phishing email with an attached PDF file containing a redirect to a phishing website

The geography of attacks

Top 10 countries by percentage of attacked users

Japan had the highest proportion of users subjected to phishing attacks (21.68%), a 2.17 p.p. increase from the previous year.

The percentage of users on whose computers the anti-phishing system was triggered out of the total number of users of Kaspersky Lab products in the country, 2015

Top 10 countries by percentage of attacked users

Japan 21.68%
Brazil 21.63%
India 21.02%
Ecuador 20.03%
Mozambique 18.30%
Russia 17.88%
Australia 17.68%
Vietnam 17.37%
Canada 17.34%
France 17.11%
Last year’s leader, Brazil (21.63%), fell to second place with a drop of 5.77 percentage points in the number of attacked users. It was followed by India (21.02%, -2.06 p.p.) and Ecuador (20.03%, -2.79 p.p.).

The distribution of attacks by country

Russia accounted for the greatest share of phishing attacks, with 17.8% of the global total, an increase of 0.62 percentage points compared to the previous year.

Distribution of phishing attacks by country in 2015

Behind Russia in second place was Brazil (8.74%, +1.71 p.p.), followed by India (7.73%, +0.58 p.p.), the US (7.52%, +0.32 p.p.), with Italy rounding off the Top 5 (7.04%, +1.47 p.p.).

Organizations under attack

The statistics on organizations used in phishing attacks are based on the triggering of the heuristic component in the anti-phishing system. The heuristic component is triggered when a user tries to follow a link to a phishing page and there is no information about the page in Kaspersky Lab’s databases.

Distribution of organizations subject to phishing attacks by category, 2015

In 2015, we saw significant growth in the proportion of phishing attacks on organizations belonging to the ‘Online finances’ category (34.33%, +5.59 pp): they include the ‘Banks’, ‘Payment Systems’ and ‘Online stores’ categories. Of note is the increase in the percentage of targeted organizations in the ‘Telephone and Internet service providers’ (5.50%, +1.4 p.p.) and ‘Social networking sites and blogs’ (16.40%, +0.63 p.p.) categories.

Top 3 organizations attacked

Organization % of detected phishing links
1 Yahoo! 14.17
2 Facebook 9.51
3 Google 6.8
In 2015, Yahoo! was once again the organization targeted most by phishers, although its share decreased considerably – 14.17% vs 23.3% in 2014. We presume this decrease is a result of the company combating these fake domains. We see that Yahoo!, as well as many other organizations, registers lots of domains that could theoretically be used by the attackers as they are derived from the original domain name.

Conclusion and forecasts

In 2015, the proportion of spam in email traffic decreased by 11.48 percentage points and accounted for 55.28%. The largest decline was observed in the first quarter; from April the fluctuations stabilized and were within a few percentage points. This reduction was caused by the migration of advertising for legal goods and services from spam flows to more convenient and legal platforms (social networks, coupon services, etc.), as well as by the expansion of the “gray” zone in mass mailings (mass mailings sent both to voluntary subscribers and to people who have not given their consent). We assume the share of spam will continue to decrease in 2016, though the decline will be insignificant.

The number of malicious and fraudulent messages, however, will increase. It is possible that the attackers will once again make use of their customary tricks as was the case in 2015 (mass mailings of macro viruses and non-standard attachment extensions). The mobile theme may also become yet another weapon in the cybercriminals’ arsenal to spread malware and fraudulent spam.

The number of new domains created by spammers especially for distributing mass mailings will continue to grow. We also expect to see an expansion in new domain zones used as spammer resources.