Spam and Phishing Landscape: June 2009

While the McColo shutdown is all but a distant memory and spam levels are consistent with the levels observed over a year ago, the fight against cybercrime continues in earnest for June 2009. The FTC's recent efforts to shut down Internet service provider Pricewert LLC is another example of how security professionals can work together in the fight against cybercrime.

Symantec assisted by providing security intelligence to back up the FTC's case in the form of information on what threats were detected as being associated with the ISP, for example the Cutwail botnet. However, a repeat of the spam volume decline observed following the closure of McColo in November 2008 is not expected in this case. Those behind Pricewert LLC are already taking their business elsewhere—perhaps learning from their past experience—and it is expected that this will be more of a blip rather than a significant decrease in any malicious activity.

In addition to the recent efforts to shut down Pricewert LLC, during the most recent spam battles several additional vectors have been observed that have contributed to spam volumes averaging 90% of all email in May 2009.

•    Image spam has re-emerged, with an average of 6.5 percent of all spam messages in the last 30 days containing an image. During May 2009 image spam peaked at 21.9 percent of all messages. One consequence of the re-emergence of image spam is that the average size of spam messages has increased, with 14 percent of messages larger than 10kb. When you consider that less than three percent of messages were larger than 10kb in January 2009 this increase in message size is significant.

•    While image spam has increased, it is spam messages containing URLs in the message body that continue to be the predominant spam trend. During the last 30 days, 91.7 percent of all spam messages contained a URL. These URLs are often associated with sites that allow users to set up free accounts, including free webhosting accounts, and URLs that are registered and operated by spammers. These URLs are used to promote certain products and services, and spammers often rotate the URLs used in their spam attacks in an effort to evade anti-spam detection.

Click here to download the June 2009 State of Spam Report, which highlights the following trends:

Spam Highlights: May 2009
Spammers Appeal To Revive Auto Companies
Twitter Used As Bait to Phish For Personal Information
Spam Diploma Mills Continue To Turn Out More “Offers”
Fight Diabetes, But Not With Spammer’s Help
Zombie Host IP Activity May 2009.

In addition, the June 2009 State of Phishing Report has also been made available here, which highlights the following trends:

•    Symantec observed that 42% of phishing URLs were generated using phishing toolkits; an increase of 100% from the previous month.
•    There was a 14% decrease from the previous month in non-English phishing sites.
•    More than 98 Web hosting services were used, which accounted for 6 percent of all phishing attacks; a decrease of 5 percent from the previous month.
•    Symantec observed a new trend of phishing attack towards the popular social-networking site Facebook.