State of Spam & Phishing - Symantec

June 2010

Report #42

Spam made up 89.81 percent of all messages in May, compared with 89.22 percent in April. As we approach mid-year, a section of this month’s report looks at the top spam and phishing trends in 2010 so far, and how those trends are continuing today. Also get to know what is being considered the most annoying spam this month. With social networks continuing to add millions of users to their overall user base, crafty spammers are taking advantage of the popularity of these networks to design new spamming techniques week after week. The State of Spam & Phishing report for this month provides a deep dive on social network spam, highlighting some unique and dangerous techniques deployed by spammers. Other interesting features in this month’s report include the increase in .ru spam and EMEA’s march towards sending half of the world’s spam.

On the phishing front, Symantec observed a 9 percent decrease in overall phishing attacks from the previous month. The decrease was seen across all sectors of phishing. Phishing websites generated from automated phishing toolkits comprised 12 percent of all phishing, a decrease of 3 percent from the previous month. Unique URLs decreased by 10 percent from the previous month. About 93 webhosting services were used, comprising 11 percent of all phishing, an increase of 6 percent from the previous month. The number of phishing websites in non-English languages was nearly the same as the previous month. Among non-English phishing websites, attacks in French and Italian were found to be higher in May. Phishing in French was mostly from the e-commerce and banking sectors, and attacks in Italian were mostly on banking.

The following trends are highlighted in the June 2010 report:

- Deep Dive into Social Network Spam
- Phishing Prepaid Debit Card Accounts
- Phishing US Servicemen and Veterans
- First Half of 2010: Spam, Spam and more Spam
- Most Annoying Spam
- EMEA’s March Towards 50%
- May 2010: Spam Subject Line Analysis

Dylan Morss, Executive Editor, Antispam Engineering
David Cowings, Executive Editor, Security Response
Eric Park, Editor, Antispam Engineering
Mathew Maniyara, Editor, Security Response
Sagar Desai, PR contact, [email protected]

Metrics Digest (charts): Global Spam Categories; Spam URL TLD Distribution; Average Spam Message Size; Spam Attack Vectors; Spam Regions of Origin; Geo-Location of Phishing Lures; Geo-Location of Phishing Hosts; Phishing Tactic Distribution; Phishing Target Sectors

Deep Dive into Social Network Spam There is no doubt that social networks are on the rise. One prominent social network reports more than 400 million active users. Given this growing popularity, it is no surprise that spammers have hijacked social network brands to send spam. Spammers look at, and use, every feature that makes a social network a social network.

In this example, spammers crafted the message to resemble an official notification email from the social network. When users click to read this “important notification”, they are led to a different site: http://odnbo.[DOMAIN REDACTED].net/wharton.html. This particular URL is an example of a hijacked domain: the spammer gained unauthorized access to a legitimate server and placed an HTML file on it. This helps the spammer avoid being filtered on URL reputation. While the HTML file on the hijacked domain sometimes serves as the means of delivering the spam content, this spam used a redirect technique to send the user on to yet another site (an online pharmacy). Closely examining the HTML file referenced above reveals this:

While this spammer’s motive was to sell counterfeit drugs, Symantec has observed other attacks whose goal is stealing user credentials. When users fall victim to these messages, the compromised account is then used by spammers to send even more spam. This is especially dangerous because users are more prone to trust messages from friends. In a way, this technique is similar to that used by mass-mailing worms such as the Melissa virus, which used the infected user’s Outlook contact list to mail itself out.

Here are some of the many ways that spammers have leveraged social networks to send spam:

- Fake invitations: Spammers spoof the social network brand and send invitations to join the network. The link in the email, however, redirects to a spam website. This vector targets all users, regardless of whether they have an account or not.
- ‘Merge account’: A spoofed notification is sent to a social network user, prompting the user to merge the account. In the process, the user is asked for account credentials. Once the accounts have been merged, several friend requests (each from a fake profile) appear. All of these profiles promote spam. The account is also now hijacked and can be used for other spam.
- Photo tag/Comment: Spammers craft the messages to make them appear as legitimate photo tag or comment notifications. The URL in the message, however, leads to another website promoting spam.
- Applications: As some social networks allow third-party applications, the most popular applications have also been a target for spammers. Symantec has observed spam messages promoting ways to beat other players in popular games used on social network sites.
- Delivering malware: Various notifications have been spoofed to spread malware. In one example, spammers sent messages prompting users to download a social network’s toolbar, which was actually a Trojan.
- Privacy protection: As the popularity of social networks grows, there has been some scrutiny of privacy protection practices. Symantec has observed spam attacks offering a product which supposedly informs users which social network sites are misusing their personal information.
- Fake survey: Spammers send what looks to be a survey about a social network. Users are either asked for account credentials, or they are redirected to a spam website.

In addition to the best practices guide, Symantec urges users to visit the social network website directly in a new browser window (do not click or cut and paste from a link in an email message). Users should also avoid clicking on suspicious links in the notification, even if it is being viewed directly on the social network website.

Phishing Prepaid Debit Card Accounts Symantec observed phishing websites spoofing a leading brand that provides prepaid debit card services to U.S. citizens. Legitimate prepaid debit cards help people with daily financial tasks such as making purchases, paying bills, and shopping online without needing a bank account. These services are beneficial to those who do not have the income to maintain a minimum balance in a bank account. The fraudulent websites were created to target the large population of low- to mid-income citizens in the USA who prefer prepaid debit cards.

The phishing website that attacked the legitimate brand states that the user’s “account has been limited.” The user is prompted to update his or her confidential information, such as login credentials and debit card details, in order to re-activate the account. After the credentials are entered, the phishing site displays a message stating that the verification was successful and the account has been reactivated. If the user falls victim to the phishing site, the fraudster may succeed in stealing the sensitive information and using it for financial gain. The phishing attack was made up of URLs with randomized domain names that were hosted on the same set of IP addresses and served the same fraudulent web page. Randomized domain names are a technique used to evade anti-phishing detection. The attack was observed primarily during the first half of May 2010. The domains were hosted on servers based in the USA and Bulgaria.

Phishing US Servicemen and Veterans In May 2010, a phishing site was observed spoofing a credit union that provides financial services to members of the US defense forces and their families. The defense forces served by the credit union include the Army, Marine Corps, Navy and Air Force. Services continue to be provided to customers even after they retire from the armed forces or join another organization. Further, family members who have joined the credit union can extend the membership to their own family members. The brand has now grown to serve millions of customers across the US. The phishing site states that the customer’s login has been locked because of several failed log-in attempts. The page further states that the customer needs to fill in a form with certain sensitive information to unlock the login. The sensitive information includes social security number, credit card details, date of birth, mother’s maiden name and details of the account’s joint owner. The page also includes a fake CAPTCHA that accepts any input, irrespective of the number entered. When the sensitive information is entered, the phishing site states that the customer’s password has been unlocked for logging in, and the page then redirects to the legitimate site.

The phishing site was hosted on a bare IP address rather than a domain name (i.e. URLs like http://255.255.255.255/), on servers based in Taiwan. Variants of the phishing URL have been used to spoof other brands as well.

First Half of 2010: Spam, Spam, and more Spam Our review of the top spam trends during the first half of 2010 reveals that spammers focused on four major categories:

1. Natural Disaster Spam: The tragic earthquakes in Haiti and Chile quickly became spammers’ targets. Symantec observed that the events were leveraged to send everything from donation money scams and phishing attempts to malware.

2. Current Events/News Spam: Aside from the natural disasters, spammers have also kept a close eye on the news. Recently, when a major automobile manufacturer issued a massive recall, Symantec saw spammers using the news to deliver topical spam messages. The economy also affected the type and content of spam messages sent, which led to a piece in our April report titled “Spam as Economic Indicator”. Also taking advantage of the poor job market, spammers set up fake job-seeking sites to lure those desperately searching for jobs. Keeping up with this theme, spammers have taken advantage of the recent disaster in the Gulf of Mexico and the upcoming 2010 World Cup.

3. Holiday Spam: In addition to capitalizing on current events, we observed that spammers constantly used various holidays to send spam. During the first half of the year, Symantec monitored spam involving Mother’s Day and St. Patrick’s Day, among others. More recent examples include Father’s Day.

4. Social Networking Spam: Spammers are always looking for ways to improve their success rate. Social networks’ exponential growth not only provides spammers with a huge potential target, but also another avenue for delivering crafty messages that more users are prone to fall for. Please see the “Deep Dive into Social Network Spam” section for more details.

These spam trends have contributed to spam levels hovering around the 90 percent mark in 2010 so far.

Most Annoying Spam Symantec’s anti-spam Security Response operation centers, located throughout the world, provide 24/7/365 coverage against an ever-changing threat landscape. Here are a few samples of the most annoying spam as identified by analysts who work with spam and phishing threats on an everyday basis. Analysts in Taiwan identified Russian spam as the most annoying. Two factors contributed to this: first, the subject lines of the messages are very general, and second, the messages often carry an obfuscated phone number rather than a URL as the call to action. Analysts in Ireland indicated that DHA (Dictionary Harvest Attack) spam is the most annoying. In a DHA, spammers send large quantities of email to a given domain to find out which addresses bounce; they then build a list of valid email addresses by noting those that do not bounce. As shown in this example, the content of the message is completely random, with no meaning whatsoever.
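The DHA described above leaves a distinctive trace on the receiving mail server: one client address probing many different recipients at a single domain, most of which are rejected as unknown users. The following detector is an added example, not part of Symantec’s report or tooling; it assumes a constructed, simplified per-RCPT log format and illustrative thresholds (`min_attempts`, `min_unknown_ratio`) that a mail administrator would tune to local volume.

```python
import re
from collections import defaultdict

# Constructed SMTP transaction log (sample data, not from the report): one line per
# RCPT TO command with timestamp, client IP, recipient, SMTP reply code and text.
SAMPLE_LOG = """\
2010-05-12T10:01:02 203.0.113.7 RCPT TO:<aaron@example.com> 550 User unknown
2010-05-12T10:01:02 203.0.113.7 RCPT TO:<abby@example.com> 550 User unknown
2010-05-12T10:01:03 203.0.113.7 RCPT TO:<adam@example.com> 550 User unknown
2010-05-12T10:01:03 203.0.113.7 RCPT TO:<alan@example.com> 250 Ok
2010-05-12T10:01:04 203.0.113.7 RCPT TO:<alex@example.com> 550 User unknown
2010-05-12T10:01:04 203.0.113.7 RCPT TO:<amy@example.com> 550 User unknown
2010-05-12T10:02:10 198.51.100.9 RCPT TO:<sales@example.com> 250 Ok
2010-05-12T10:03:30 192.0.2.44 RCPT TO:<ceo@example.com> 250 Ok
2010-05-12T10:03:31 192.0.2.44 RCPT TO:<cfo@example.com> 550 User unknown
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) RCPT TO:<(?P<rcpt>[^>]+)> "
    r"(?P<code>\d{3}) (?P<text>.*)$"
)

def parse_rcpt_log(text):
    """Yield (client_ip, recipient, unknown_user) per well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        unknown = m.group("code") == "550" and "user unknown" in m.group("text").lower()
        yield m.group("ip"), m.group("rcpt").lower(), unknown

def find_dha_sources(text, min_attempts=5, min_unknown_ratio=0.6):
    """Flag client IPs that probe many distinct recipients and mostly hit unknown users.

    Returns {ip: (attempts, distinct_recipients, unknown_rejects)} for flagged sources.
    The thresholds are illustrative assumptions; tune them to your own mail volume.
    """
    stats = defaultdict(lambda: [0, set(), 0])  # attempts, recipients, unknown rejects
    for ip, rcpt, unknown in parse_rcpt_log(text):
        stats[ip][0] += 1
        stats[ip][1].add(rcpt)
        stats[ip][2] += int(unknown)
    flagged = {}
    for ip, (attempts, rcpts, unknown) in stats.items():
        if attempts >= min_attempts and len(rcpts) >= min_attempts \
                and unknown / attempts >= min_unknown_ratio:
            flagged[ip] = (attempts, len(rcpts), unknown)
    return flagged
```

Requiring many distinct recipients, not just many rejections, keeps a legitimate sender that repeatedly retries one mistyped address from being flagged.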

EMEA’s March Towards 50% The EMEA region continues to expand its spam market share, as the region sent 48.1% of worldwide spam in May. The chart illustrates the regional breakdown of spam origin this year.

In the EMEA region, the top ten countries (Netherlands, Germany, France, United Kingdom, Italy, Poland, Romania, Spain, Russia, and Ukraine) made up over 70% of the region’s volume, compared to 65% the previous month.

May 2010: Spam Subject Line Analysis The top two subject lines from April switched places in May as the blank subject line rose to the top of the chart. It is interesting that the subject line “Amazon.com Deal of the Day” was again used on only 10 days of the month. Unlike last month, when it was primarily used with the dotted-quad spam technique, the messages this month included .ru URLs. This definitely contributed to the rise in .ru spam, which increased by more than 50 percent compared to April. Rounding out the top ten subject lines were additional online pharmacy attacks as well as replica spam.

Checklist: Protecting your business, your employees and your customers

Do:
- Unsubscribe from legitimate mailings that you no longer want to receive. When signing up to receive mail, verify what additional items you are opting into at the same time. Deselect items you do not want to receive.
- Be selective about the websites where you register your email address.
- Avoid publishing your email address on the Internet. Consider alternate options: for example, use a separate address when signing up for mailing lists, get multiple addresses for multiple purposes, or look into disposable address services.
- Using directions provided by your mail administrators, report missed spam if you have an option to do so.
- Delete all spam.
- Avoid clicking on suspicious links in email or IM messages, as these may be links to spoofed websites. We suggest typing web addresses directly into the browser rather than relying upon links within your messages.
- Always be sure that your operating system is up to date with the latest updates, and employ a comprehensive security suite. For details on Symantec’s protection offerings visit http://www.symantec.com.
- Consider a reputable antispam solution to handle filtering across your entire organization, such as the Symantec Brightmail messaging security family of solutions.
- Keep up to date on recent spam trends by visiting the Symantec State of Spam site which is located here.

Do Not:
- Open unknown email attachments. These attachments could infect your computer.
- Reply to spam. Typically the sender’s email address is forged, and replying may only result in more spam.
- Fill out forms in messages that ask for personal or financial information or passwords. A reputable company is unlikely to ask for your personal details via email. When in doubt, contact the company in question via an independent, trusted mechanism, such as a verified telephone number, or a known Internet address that you type into a new browser window (do not click or cut and paste from a link in the message).
- Buy products or services from spam messages.
- Open spam messages.
- Forward any virus warnings that you receive through email. These are often hoaxes.

* Spam data is based on messages passing through the Symantec Probe Network.
* Phishing data is aggregated from a combination of sources including strategic partners, customers and security solutions.