Security Response
Showing posts tagged with Spam
Showing posts in English
Dylan Morss | 24 Nov 2008 23:45:04 GMT | 0 comments

Although spam levels remain at a relatively low volume following the takedown of the spam host McColo last week, there is some evidence that spammers are starting to prepare for a rally. Late last week we observed the spam volume spike as much as 150% in an hour-to-hour comparison, which is about a seven percent increase since McColo was shut down.

In addition to overall spam volumes, the percentage of spam messages containing the text/HTML content type MIME part jumped to 55% of all spam, indicating a change in the overall makeup of spam. Prior to the McColo takedown, the overall percentage of spam messages containing the text/HTML content type MIME part was over 55%, but after the takedown the average has been around 34%. This change indicates that a return to normal spam activity could be in the works.

When we took a closer look at the spam contained in the spikes, it was revealed that there was an increased use of HTML. The spam messages were typical “...

Dermot Harnett | 19 Nov 2008 17:21:14 GMT | 0 comments

January to March is traditionally the time when taxpayers in the U.S. become reacquainted with their tax advisers as the mid-April “tax day” deadline looms. Unfortunately, this period has also become a time when phishing directed towards the IRS becomes more prevalent. As reported in the Symantec State of Spam report for April 2008, spammers continued to attempt to disguise themselves as the IRS, dangling an offer of a tax refund to unwitting recipients.

Imagine our surprise when we observed a phishing attack using the IRS brand in November—nearly five months before the next deadline for individual taxpayers. This phishing email indicated that the recipient was eligible to receive a tax refund and directed them to a website where the refund would be processed. The fraudulent site, branded with the IRS logo, is being used as a collection tool for credit card and other personal information.

The spam attack could be trying to take advantage of...

Dermot Harnett | 13 Nov 2008 19:59:49 GMT | 0 comments

The recent shutdown of a San Jose-based Web hosting company named appears to have resulted in a significant short-term drop in spam traffic worldwide. At approximately 21:30 GMT on November 11, 2008, multiple upstream network providers shut down access to hosted systems, based on abuse complaints. One of the results of this action was a quick and dramatic decrease in spam sent worldwide.

The volume change could be measured directly in the Symantec probe network, which saw a 65% drop in traffic when comparing the 24 hours prior to the shutdown to the 24 hours after. It is interesting that shutting down a single hosting company could have such a large impact on overall spam volume, but when you consider that was allegedly hosting a significant number of botnet command-and-control systems, it is not totally surprising. Their IP range has, in the past, been linked with reports of serving up Rustock downloaders and also for controlling...

Dermot Harnett | 13 Nov 2008 15:19:06 GMT | 0 comments

Mark Twain once said, "It's not the size of the dog in the fight, it's the size of the fight in the dog." And this idea also seems important when considering image spammers. While image spam has not yet regained the dizzying heights of 2007—when 52% of all spam was image spam—in the last seven days, image spam has hit an average of seven percent of all spam messages. As image spam struggles to find its feet within the overall composition of spam messages, another image spam vector has emerged. By analyzing image spam recorded in the last seven days, Symantec notes that over this period:

•    9.7% of image spam had a message size greater than 100kb
•    48% of image spam had an average size of between 10kb-50kb

In the last 24 hours alone, 28% of image spam had an average message size greater than 100kb:


Dermot Harnett | 05 Nov 2008 21:24:21 GMT | 0 comments

While the U.S. voters have now been heard and are welcoming their new president, it is important for us to remember that the spam campaign is certainly not over. Spam levels averaged in at 76.4 percent of all messages in October 2008. This spam level represents a year-on-year increase of nearly six percent since October 2007.

Over the last year, Symantec has been monitoring spam related to the U.S. presidential campaign. It all began 12 months ago when spammers cast their first votes for Republican nominee Ron Paul. With spam subject lines such as “IRS Fears Ron Paul?”, it was certainly an early indication that it was going to be an interesting year for spam related to the presidential campaigns. February 2008 saw a round of bogus links to Hillary Clinton videos that were cloaking a malicious Trojan. This tactic emulated a popular technique being used by spammers to link malicious code and spam. This trend continued in amongst other types of spam attacks during...

Dermot Harnett | 05 Nov 2008 12:26:25 GMT | 0 comments

As the gut-wrenching roller coaster that world economies have experienced over the last 90 days continues, it is not surprising that spammers are still attempting to tap into the economic angle to try and deliver their spam messages. Spammers often use the “issue du jour” in their spam campaigns. To borrow a phrase coined by strategists for Bill Clinton in 1992 and apply it to today’s issue: "It's the economy, stupid."

Just like Angelina Jolie, Brad Pitt, Paris Hilton, and Britney Spears, the U.S. Treasury Secretary (Henry Paulson) has joined the list of spammers’ favorite “celebrities.” In October 2008, Symantec observed a spam attack that contained a message claiming to come from the U.S. Treasury Secretary. The message suggested that Paulson had been instructed by the United Nations to "wire a sum of $1m into your Bank Account in a Legal way." [sic] In addition to this attack, Symantec also discovered that the FDIC...

Kelly Conley | 15 Oct 2008 12:47:16 GMT | 0 comments

Symantec has observed an increase in the use of image spam attacks over the past few weeks. Symantec defines image spam as an unsolicited message containing an image in the body.

In August, image spam attacks accounted for approximately 1.6% of total spam. In September we observed that image attacks almost doubled, representing approximately 2.6% of total spam. Over 50% of image attacks observed are English, and the second largest group of messages is Russian. In the first ten days of October, image spam messages have averaged approximately 8.6% of total spam. This is the highest mark to date over the last 90 days. From May of this year up to September, image spam was relatively quiet. As stated above, these numbers have been increasing since mid-September. We have not seen image spam of this volume since February of this year.

Commonly seen image spam messages have included Russian online dating offers, random product offerings with an image opt-out, and the all too...

Kelly Conley | 06 Oct 2008 19:14:26 GMT | 0 comments

The trend of spam messages containing URL links to malicious code and/or carrying malicious payloads has dramatically spiked since May of this year. This trend is the focus of our October State of Spam Report, issued today. From June to mid-September, the amount of malicious code detected in scanned email messages increased from a tenth of a percent (0.1%) in June to 1.2% in the middle of September. Now, that doesn’t sound like much, but consider that this represents a 12x increase! The top ten definitions detected by antivirus rules for this period were led by generic Trojan, Downloader, and Infostealer definitions—making up more than 30% of the malicious code detected.

Also noted in this month’s State of Spam Report is the increase in zombie activity. The report notes that while zombie activity decreased from July to August, it increased more than 100% between August and September. For this period, the EMEA region was the leading source of all zombie IP addresses....

Kelly Conley | 10 Sep 2008 16:34:38 GMT | 0 comments

We have observed a fraudulent spam attack masquerading as an email from Symantec. This email is in Portuguese and contains the Symantec logo and coloring, which make it appear as a legitimate email from Symantec. The “From” line is forged to add further credibility. The “Subject” and “From” lines appear as follows:


Subject:  Security Check
From: SYMANTEC <Worm@bda.267>

Needless to say, this is not from Symantec. The body of the message contains text that indicates that the Symantec Security Check System has tested your computer and found “X” number of dangerous imperfections. The email goes on to say that your computer is infected with the virus “Worm@bda.267.” Users are encouraged to click the provided link to download updates to protect their systems from further damage from this worm. Incidentally, there is no such virus as Worm@bda.267.

If the...

Kelly Conley | 04 Sep 2008 14:38:23 GMT | 0 comments

In August, the "Internet" category of spam showed an increase of nine percent from July and now makes up 27% of all spam messages. This increase is detailed in the Symantec State of Spam Report for September, which will be released today. The escalation of Internet spam can be attributed to the prevalence of malicious code being sent around via spam emails over the past month. It seems that spammers will stop at nothing to deliver their payload: various techniques in spam containing viruses were observed over "the month of the virus." These include the following methods:

  • Sensationalized "fake" news headlines
  • Use of seemingly real news headlines
  • Purported download for the latest version of Internet Explorer
  • Malware + spam + phishing = The triple security threat for financial institutions
  • Airline e-ticket connects malicious code and spam

Sensational (and in many cases...