Spam and phishing in Q1 2016
Spam: features of the quarter
Trending: dramatic increase in volume of malicious spam
The first quarter of 2016 saw a dramatic increase in the number of unsolicited emails containing malicious attachments. Over the last two years the number of email antivirus detections on computers with a Kaspersky Lab product installed fluctuated between 3 and 6 million. At the end of 2015 this number began to grow and in early 2016 there was a sharp upturn.
Number of email antivirus detections on computers with a Kaspersky Lab product installed
In March, the number of email antivirus detections reached 22,890,956, which is four times more than the average for the same period last year.
With the rise of drive-by-downloads, we could have expected malicious email attachments to have long since given way to malicious sites that the user accesses via a link in an email. However, the use of emails has its advantages (for the attackers): the content of the email may encourage the user not only to download a malicious file but also launch it. It’s also possible that malicious attachments are enjoying a new wave of popularity because in the last couple of years the developers of the most popular browsers have considered adding protection against infected and phishing websites (using in-house developments as well as partnering with well-known anti-virus vendors). This is something that built-in protection at the email client level does not provide yet. Therefore, if a potential victim doesn’t use antivirus software, their computer can be easily infected via email.
Attachment containing a Trojan downloader written in Java
Also worth noting is the diversity of languages used in malicious spam. In addition to English, we regularly came across emails in Russian, Polish, German, French, Spanish, Portuguese and several other languages.
Attachment containing the Trojan banker Gozi
Most emails imitated notifications of unpaid bills, or business correspondence.
The malicious .doc file in the attachment is a Trojan downloader. It downloads and runs the encryptor Cryakl using macros written in Visual Basic
Attachment containing backdoor-type malware that downloads other malicious programs to the infected machine
Particular attention should be paid to emails containing Trojan downloaders that download the Locky encryptor. The attackers exploited a variety of file types to infect victim computers: at first they used .doc files with malicious macros, then JS scripts. In order to bypass filtering, the attackers made every malicious file within a single mass mailing unique. In addition, the emails had different content and were written in different languages. This doesn’t come as much of a surprise as attacks utilizing this encryptor were registered by KSN in 114 countries around the world.
Examples of emails with the Locky encryptor
The content of the emails was related to financial documents and prompted users to open the attachment.
If the attack was successful, Locky encrypted files with specific extensions (office documents, multimedia content, etc.) on the user’s computer, and displayed a message with a link leading to a site on the Tor network containing the cybercriminals’ demands. This process was analyzed in more detail in our blog.
As Locky is not always contained directly in the message, we cannot estimate its share in the volume of other malicious mail. However, the scripts that download and run Locky (detected by Kaspersky Lab as Trojan-Downloader.MSWord.Agent, Trojan-Downloader.JS.Agent, HEUR: Trojan-Downloader.Script.Generic) accounted for more than 50% of all malicious programs in email traffic.
Today terrorism is one of the most widely discussed topics both in the media and when political leaders meet. Frequent terrorist attacks in Europe and Asia have become a major threat to the world community, and the theme of terrorism is widely used by cybercriminals to mislead users.
In order to prevent terrorist attacks, security measures in many countries have been enhanced, and malicious spammers have been quick to take advantage. They tried to convince recipients of mass mailings that a file attached in an email contained information that would help a mobile phone owner detect an explosive device moments before it was about to detonate. The email claimed the technology came from the US Department of Defense, was easy to use and widely available. The attachment, in the form of an executable EXE file, was detected as Trojan-Dropper.Win32.Dapato – a Trojan that is used to steal personal information, organize DDoS attacks, install other malware, etc.
‘Nigerian’ scammers also got in on the act, exploiting the theme of terrorism to try and concoct credible stories. The senders introduced themselves as employees of a non-existent FBI division involved in the investigation of terrorism and financial crime. Their story revolved around the need for the recipient to contact the sender in order to resolve issues that are preventing the payment of a large sum of money. Among the reasons given for the delay in transferring the money the scammers cited a lack of confirmation that the money was legal and rightfully belonged to the recipient, or it was claimed third parties were trying to pocket the recipient’s money.
Nigerian letters also told stories of money – some of which was offered to the recipient – that had been obtained legally and was not related to drugs, terrorism or other crime. This was an attempt to dispel any doubts about their honesty and persuade recipients to reply.
The theme of terrorism came up again in tales related to the current situation in the Middle East. For example, some emails were sent on behalf of US soldiers who were fighting against terrorism in Afghanistan and were looking for an intermediary to save and invest money for them. Yet another author claimed that he had not joined ISIS or any another terrorist organization, but as a Muslim he wanted to donate a large sum of money for good deeds. A mistrust of charities meant the “Muslim” wanted to transfer the money to the recipient of the email. Yet another story was written on behalf of an American businessman who had lost half his business in Syria and Iraq because of the war and terrorism, and was looking for a partner to help him invest the remaining money.
Nigerian letters describing the tense situation in Syria also remained popular and were actively used by scammers to trick users.
We also came across advertising spam from Chinese factories offering all sorts of devices to ensure public security (for example, special devices for detecting explosives) and other anti-terrorist products.
Also trending: significant increase in volume of ‘Nigerian’ spam
It seems so-called Nigerian spammers have also felt the effects of the economic crisis, because they have recently increased their activity. In Q1 2016 we observed a significant increase in the volume of this type of mailing. In the past, the scammers encouraged recipients to respond to an email by telling a long detailed story that often contained links to articles in the mainstream media; now they send out short messages with no details, just a request to get in touch. Sometimes the email may mention a large sum of money that will be discussed in further correspondence, but there is no information about where it came from.
Perhaps the scammers believe that those who are already aware of the classic ‘Nigerian’ tricks will fall for these types of messages; or maybe they think that such short messages will be more suited for busy people who have no time to read long emails from strangers.
Spammer methods and tricks: short URL services and obfuscation
In our spam and phishing report for 2015 we wrote about obfuscation of domains. In Q1 2016, spammers continued this trend and even added some new tricks to their arsenal.
Cybercriminals continued to use short URL services, although the methods for adding “noise” to them have changed.
First of all, spammers began inserting characters – slashes, letters and dots – between the domain of a short URL service and the final link.
Both the link which the user follows and the link to the uploaded image in the email are obfuscated:
In addition to letters and dots, spammers even inserted random comment tags between slashes, and the browser continued to correctly interpret the links:
Note that the subject of the email contains the name Edward; it is also included in the comment tag used to add “noise”. In other words, the name is taken from one database while the “noise” tag is unique for each email in the mass mailing.
Russian-language spam also used obfuscation and short URL services, but the algorithm was different.
For example, to obfuscate links the @ symbol was used. To recap, the @ symbol is intended for user authentication on the site (it is actually no longer used). If the site does not require authentication, everything that precedes the @ symbol will simply be ignored. It means that in the email above, the browser will first open the site ask.ru/go where it will execute the subquery ‘url =’ and then go to the URL specified, which belongs to a short URL service.
The link in this emails was also obfuscated with the @ symbol. Noise was also added by additional subqueries including the user’s email address, which made it unique for each email in the mass mailing.
Proportion of spam in email traffic
Percentage of spam in global email traffic, Q1 2016
The percentage of spam in overall global email traffic remained stable during the last few months of 2015. However, in January 2016 we registered a considerable increase in the share of unwanted correspondence – over 5.5 p.p. By February, however, the amount of spam in email traffic had dropped to its previous level. In March it grew again, though less dramatically. As a result, the average percentage of spam in Q1 2016 amounted to 56.92%.
Sources of spam by country
Sources of spam by country, Q1 2016
The US (12.43%) maintained its leadership, remaining the biggest source of spam in Q1 2016. Next came Vietnam (10.30%), India (6.19%) and Brazil (5.48%). China rounded off the Top 5, accounting for 5.09% of global spam.
Russia fell from last year’s second place to seventh (4.89%) in Q1 2016. It followed closely behind France (4.90%), which was sixth biggest source of spam.
Spam email size
Spam email size distribution, Q4 2015 and Q1 2016
The most commonly distributed emails were very small – up to 2 KB (79.05%). The proportion of these emails grew by 2.7 p.p. from the previous quarter. The share of emails sized 20-50 KB also increased – from 3.02% to 7.67%. The amount of emails sized 2-5 KB, however, fell significantly compared to Q4 2015 – from 8.91% to 2.5%.
Malicious email attachments
Currently, the majority of malicious programs are detected proactively by automatic means, which makes it very difficult to gather statistics on specific malware modifications. So we have decided to turn to the more informative statistics of the Top 10 malware families.
Top 10 malware families
- Backdoor.Win32.Androm. Andromeda.
A typical representative of this family is an obfuscated Java script. This family malware uses ADODB.Stream technology that allows them to download and run DLL, EXE and PDF files.
This is a family of VBS scripts. As is the case with the JS.Agent family, ranked first, the representatives of this family use ADODB.Stream technology; however, they mainly download ZIP files, from which they extract and run other malicious software.
The representatives of this family are DOC files with an embedded macro written in Visual Basic for Applications (VBA) that runs when the document is opened. The macro downloads other malware from the cybercriminal’s site and launches it on the victim’s computer.
This is a family of universal Andromeda/Gamarue modular bots. The key features of these bots include downloading, storing and launching malicious executable files; downloading and uploading a malicious DLL (without saving it to disk); updating and deleting themselves. The bot functionality is extended with plug-ins that can be loaded at any time.
The malicious programs of this Trojan family can download from the command server and run additional modules, as well as work as a proxy server. They are used to distribute spam and steal personal data.
A typical representative of this family is an obfuscated Java script. The malicious programs of this family download and run ransomware on the user’s computer.
This malware family was designed to steal data such as credentials for FTP clients installed on an infected computer, credentials for cloud storage programs, cookie files in browsers, passwords for email accounts. The stolen information is sent to the criminals’ server. Some members of the Trojan Fareit family are capable of downloading and running other malware.
The malicious programs of this family destroy, block, modify or copy data or disrupt the operation of computers or computer networks.
The Trojans of this family do not exceed 3.5 KB, and their functions are limited to downloading payloads on the infected computer – more often than not these are Trojan bankers known as Dyre/Dyzap/Dyreza. The main aim of this family of Trojan bankers is to steal payment data from users.
The Trojans of this family consist of a fake HTML page sent via email that imitates an important notification from a major commercial bank, online store, or software developer, etc. The user has to enter their personal data on this page, which is then forwarded to cybercriminals.
Countries targeted by malicious mailshots
There were some significant changes in the ranking of countries targeted most often by mailshots in Q1 2016.
Distribution of email antivirus verdicts by country, Q1 2016
Germany (18.93%) remained on top. China (9.43%), which ended 2015 in 14th place, unexpectedly came second. Brazil (7.35%) rounded off the Top 3.
Italy (6.65%) came fourth in the ranking, followed by the UK (4.81%). Russia was in sixth place with a share of 4.47%.
The US (3.95%), which had been in the Top 5 countries targeted by malicious mailshots for months on end, ended Q1 in eighth.
In Q1 2016, the Anti-Phishing system was triggered 34,983,315 times on the computers of Kaspersky Lab users.
Geography of attacks
The country where the largest percentage of users were affected by phishing attacks was once again Brazil (21.5%), with a 3.37 p.p. increase from the previous quarter. The share of those attacked in China (16.7%) and the UK (14.6%) also grew compared to Q4 2015 – by 4.4 p.p. and 3.68 p.p. respectively. Japan (13.8%), which was a leader in the previous year, saw its share fall by 3.18 p.p.
Geography of phishing attacks*, Q1 2016
* Number of users on whose computers the Anti-Phishing system was triggered as a percentage of the total number of Kaspersky Lab users in the country
Top 10 countries by percentage of users attacked:
Organizations under attack
The statistics on phishing targets are based on detections of Kaspersky Lab’s anti-phishing component. It is activated every time a user enters a phishing page when information about it is not yet included in Kaspersky Lab databases. It does not matter how the user enters the page – by clicking a link in a phishing email, in a message on a social network or as a result of malware activity. After the security system is activated, the user sees a banner in the browser warning about a potential threat.
Distribution of organizations affected by phishing attacks, by category, Q1 2016
In the first quarter of 2016, the ‘Global Internet portals’ category (28.69%) topped the rating of organizations attacked by phishers; its share increased by 0.39 p.p. from the previous quarter. Second and third were occupied by two financial categories: ‘Banks’ (+4.81 p.p.) and ‘Payment systems’ (-0.33 p.p.). ‘Social networking sites’ (11.84%) and ‘Online games’ (840 p.p.) rounded off the Top 5, having lost 0.33p.p.and 4.06 p.p. respectively.
Attacks on online store users are interesting because they are often followed by the theft of bank card details and other personal information.
Distribution of online stores subject to phishing attacks, Q1 2016
Apple Store was the most popular online store with phishers. In the first quarter of 2016 its share in the ‘E-shop’ category accounted for 27.82%. Behind it in second place was another popular online store –Amazon (21.6%).
Example of a phishing page designed to steal Apple ID and bank card data
Steam (13.23%), a popular gaming service that distributes computer games and programs, rounded off the Top 3. It came 19th in the overall ranking of organizations affected by phishing attacks.
Links to phishing pages exploiting the theme of online games and gaming services are distributed via banners, posts on social networking sites, forums and, less frequently, via email.
Cybercriminal interest in Steam and gaming services in general is growing – gamers’ money and personal data are often targeted not only by phishers but also by software developers.
Top 3 organizations attacked<
Fraudsters continue to focus the greatest part of their non-spear phishing attacks on the most popular companies. These companies have lots of customers around the world which enhances the chances of a successful phishing attack.
The Top 3 organizations attacked most often by phishers accounted for 21.71% of all phishing links detected in Q1 2016.
|Organization||% of detected phishing links|
In Q1 2016, the leading three organizations targeted by phishers saw a few changes. Yahoo! remained top (+1.45 p.p.). Microsoft (+2.47 p.p.) came second, followed by Facebook (-2.02 p.p.).
Interestingly, phishing on Facebook is delivered in almost all languages.
Facebook is also popular with cybercriminals as a means of spreading malicious content. We wrote about one such scheme in a recent blog.
In the first quarter of 2016 the percentage of spam in email traffic increased by 2.7 percentage points compared with the previous quarter. But it is too early to speak about a growth trend. The proportion of spam grows significantly at the beginning of every year because the amount of normal email decreases over the holiday period.
The US remained the biggest source of spam in Q1 2016. The Top 5 also included Vietnam, India, Brazil and China – all large, fast developing countries with high levels of internet connection.
Spam messages are becoming shorter. In the first quarter, the proportion of emails up to 2 KB exceeded 80% of all spam.
Q1 of 2016 saw the amount of spam containing malicious attachments increase dramatically. The share of malicious attachments in mail reached a peak in March – four times greater than last year’s average. This rapid growth was caused, specifically by the popularity of crypto-ransomware which was either contained in emails or downloaded to computers via a Trojan downloader.
This growth confirms our long-term forecasts on the gradual criminalization of spam that makes it even more dangerous, as well as reducing the overall share of email traffic. The diversity of languages, social engineering, lots of different types of attachments, text changing within a single mass mailing – all this takes spam to a new level of danger. Moreover, these malicious mass mailings have broad geographical coverage. The picture of malware distribution by email has changed significantly this year. In particular, China came an unexpected second in the ranking of countries targeted by malicious mailshots.
Another factor confirming the trend of increasingly criminalized spam is the growth of fraudulent, namely ‘Nigerian’, spam in the first quarter of 2016.
It is unlikely that the amount of malicious spam will continue to grow so rapidly: the more cybercriminals distribute malicious spam, the more people get to know of its dangers and the more careful they become about opening suspicious attachments. Therefore, such attacks will gradually fade away after a few months. However, there is the risk they may be replaced by other, even more complex attacks.
Incoming search terms