Symantec Intelligence
Showing posts tagged with Spam
Paul Wood | 06 Dec 2011 | 1 comment

Global spam is now at its lowest since November 2008, when the rogue ISP McColo was shut down. The effect on spam volumes back then was very dramatic, and spam accounted for 68.0% of global email. More recently the decline has been much slower, but spammers have also adapted, using more targeted approaches and exploiting social media as alternatives to email. Moreover, pharmaceutical spam is now at the lowest level since we started tracking it, accounting for 35.5% of spam, compared with 64.2% at the end of 2010.

With targeted attacks and advanced persistent threats very much in the news this year, and with the end of the year drawing closer, we thought it a good time to begin our review of targeted attacks and look more closely at what has been described as “advanced persistent threats”, or APTs for short. Terms such as APT have been overused and sometimes misused by the media, but APTs are a real threat to some companies and...

Paul Wood | 15 Apr 2011 | 0 comments

Posted on behalf of Mat Nisbet, Malware Analyst, Symantec.cloud

On the 16th of March Rustock, the largest of the spamming botnets, was taken down. As you would expect, global spam levels started to drop, as can be seen when you look at the number of mails being delivered to one of our spamtraps.

However, on the 26th March we saw a large increase in the amount of data traffic hitting our spamtraps, despite the number of actual emails continuing to decline.

Investigation revealed that the reason for this was that the Cutwail botnet had started sending far more emails with zip file attachments than normal, meaning the average size of each mail was much higher than normal. The chart below shows that there have been a couple of spikes in early March, which may have...

Paul Wood | 22 Mar 2011 | 0 comments

On 21 March 2006, Jack Dorsey sent the first ever Twitter message or ‘tweet’ with five simple words “just setting up my twttr”.  Five years later, 140 million tweets are sent in a host of different languages every day via the micro-blogging service which boasts over 200 million registered users worldwide and is valued at an estimated $7.7 billion following an auction of shares in March 2011.

Although Twitter’s 100 million messages a day may seem paltry compared to the roughly 66 billion email messages sent each day on average in March 2011 before the Rustock botnet was disrupted (52 billion of which were spam), the prolific growth of micro-blogging platforms...

Paul Wood | 17 Mar 2011 | 0 comments

Posted on behalf of Mat Nisbet, Malware Data Analyst, Symantec.cloud

Brian Krebs posted on KrebsonSecurity a report about the Rustock botnet apparently going quiet yesterday, and spam from the botnet ceasing. I can confirm that at around 15:30 UTC on 16 March, the botnet known as Rustock ceased sending spam, as shown below:

The spike in the chart above is actually normal behaviour for Rustock, as can be seen from the next chart, which covers a longer time period:

For the last year or so, Rustock has been the dominant source of spam in the world; by the end of 2010 it accounted for as much as 47.5% of all spam. At its peak it...
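The two spamtrap observations on this page, a botnet going silent (Rustock, above) and byte volume rising while message counts fall because of zip attachments (the Cutwail post further up), come from the same kind of per-source aggregation. The following is an added example, not code from the original posts: it parses a constructed spamtrap feed (ISO timestamp, source-botnet label, message size in bytes, attachment extension or `-`, a format assumed here), totals count and bytes per day, flags days where bytes rose although the count fell, and reports botnets whose last trapped message is older than a silence threshold. The botnet labels are assumed to come from the feed's own classifier.

```python
"""Spamtrap feed analysis: per-botnet activity and count-vs-bytes divergence.

Added example; not code from the original posts. The log format is a
constructed one (ISO timestamp, source-botnet label, size in bytes,
attachment extension or '-'); a real spamtrap feed labels sources by
its own classifier, which is assumed here.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feed: one trapped message per line.
SAMPLE_LOG = """\
2011-03-15T10:00:00Z rustock 1800 -
2011-03-15T11:00:00Z rustock 1700 -
2011-03-15T12:00:00Z cutwail 1900 -
2011-03-16T09:00:00Z rustock 1850 -
2011-03-16T15:10:00Z rustock 1750 -
2011-03-16T16:00:00Z cutwail 2100 -
2011-03-17T09:00:00Z cutwail 1950 -
2011-03-17T11:00:00Z cutwail 2000 -
2011-03-17T13:00:00Z cutwail 1800 -
2011-03-26T09:00:00Z cutwail 45000 zip
2011-03-26T10:00:00Z cutwail 52000 zip
"""


def parse_log(text):
    """Parse feed lines into records; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, botnet, size, attach = line.split()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "botnet": botnet,
            "size": int(size),
            "attach": None if attach == "-" else attach.lower(),
        })
    return records


def daily_totals(records):
    """Message count, byte volume and zip-attachment count per calendar day."""
    days = defaultdict(lambda: {"count": 0, "bytes": 0, "zip": 0})
    for r in records:
        d = days[r["ts"].date().isoformat()]
        d["count"] += 1
        d["bytes"] += r["size"]
        if r["attach"] == "zip":
            d["zip"] += 1
    return dict(sorted(days.items()))


def volume_divergence(daily):
    """Days on which byte volume rose although the message count fell
    relative to the previous logged day. Returns (day, mean size, zip share)."""
    flagged = []
    prev = None
    for day, tot in daily.items():
        if prev and tot["bytes"] > prev["bytes"] and tot["count"] < prev["count"]:
            flagged.append((day, round(tot["bytes"] / tot["count"]), tot["zip"] / tot["count"]))
        prev = tot
    return flagged


def quiet_botnets(records, silence_hours=24):
    """Botnets whose newest trapped message is older than `silence_hours`
    relative to the newest record in the feed; maps name -> last-seen ISO time."""
    last = {}
    for r in records:
        if r["botnet"] not in last or r["ts"] > last[r["botnet"]]:
            last[r["botnet"]] = r["ts"]
    newest = max(last.values())
    cutoff = timedelta(hours=silence_hours)
    return {b: ts.isoformat() for b, ts in last.items() if newest - ts > cutoff}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    daily = daily_totals(recs)
    for day, tot in daily.items():
        print(day, tot)
    print("count down, bytes up:", volume_divergence(daily))
    print("gone quiet:", quiet_botnets(recs))
```

On the constructed feed the only flagged day is 26 March, where two zip-carrying messages push the mean size to 48,500 bytes while the count drops, and Rustock is reported quiet because its last message predates the newest record by more than a day. The silence threshold is deliberately a parameter: a source that normally sends in bursts needs a longer window than a steady one.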

Paul Wood | 28 Feb 2011 | 1 comment

Posted on behalf of Nick Johnston, Senior Software Engineer, Symantec.cloud

Internationalized Domain Names (IDN) allow domain names to include Arabic, Chinese, Russian, Latin (with diacritics) and many other characters, such as 寿司 and 한글. It has been possible to include these characters in some domains for several years, but until last year, top-level domains (like .ru for Russia) were not internationalized like this. Several top-level domains now have internationalized versions, for example .рф for Russia.
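An IDN hostname travels on the wire in its Punycode (`xn--`) form and is shown to users in its Unicode form, so a URL pulled out of spam may carry either. The following is an added example, not code from the original post: it normalises a URL's hostname between the two forms with Python's built-in `idna` codec, reports whether the domain or its top-level label is internationalized, and, going beyond the post, lists which scripts the Unicode form mixes. The sample URLs are constructed; the script labels come from the first word of each letter's Unicode character name, which is a heuristic rather than a proper script table.

```python
"""Normalising and classifying IDN hostnames found in spam URLs.

Added example; not code from the original post. Uses Python's built-in
'idna' codec to move between the Unicode and Punycode ('xn--') forms of
a hostname, and Unicode character names as a heuristic for which scripts
a hostname uses. The URLs below are constructed samples.
"""
import unicodedata
from urllib.parse import urlsplit

SAMPLE_URLS = [
    "http://example.com/",
    "http://пример.рф/",                   # Unicode form, IDN ccTLD .рф
    "http://xn--e1afmkfd.xn--p1ai/pills",  # the same domain in Punycode form
    "http://\u0430pple.com/",              # Cyrillic 'а' + Latin 'pple' (mixed script)
]


def to_ascii(host):
    """Unicode or mixed hostname -> Punycode (ASCII) form; ASCII labels pass through."""
    return host.encode("idna").decode("ascii")


def to_unicode(ascii_host):
    """Punycode hostname -> Unicode form; labels without 'xn--' pass through."""
    return ascii_host.encode("ascii").decode("idna")


def scripts_in(host):
    """Heuristic: the first word of each letter's Unicode name
    (LATIN, CYRILLIC, CJK, HANGUL, ...), deduplicated and sorted."""
    return sorted({unicodedata.name(ch).split()[0] for ch in host if ch.isalpha()})


def classify_url(url):
    """Report both forms of a URL's hostname and whether it is (or mixes) IDN."""
    host = urlsplit(url).hostname or ""
    ascii_host = to_ascii(host)
    labels = ascii_host.split(".")
    uni_host = to_unicode(ascii_host)
    scripts = scripts_in(uni_host)
    return {
        "ascii": ascii_host,
        "unicode": uni_host,
        "idn": any(label.startswith("xn--") for label in labels),
        "idn_tld": labels[-1].startswith("xn--"),
        "scripts": scripts,
        "mixed": len(scripts) > 1,
    }


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u, "->", classify_url(u))
```

Because `to_ascii` leaves ASCII labels untouched, both the Unicode and the Punycode spelling of пример.рф normalise to the same `xn--e1afmkfd.xn--p1ai`, which is the form to key blocklists and reputation lookups on. The `mixed` flag is a cheap first filter for lookalike hostnames, not a verdict: plenty of legitimate IDN domains combine a native-script label with an ASCII TLD.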

I recently saw some German pharmacy spam (targeted at Germany, Austria and Switzerland). The spam itself is fairly normal. It promotes erectile dysfunction drugs, and includes links to a popular URL shortening site:

Figure 1 – example of spam email using URL shortening service redirecting to IDN domain

Most of the spam is in...

Paul Wood | 24 Feb 2011 | 1 comment

Posted on behalf of Nick Johnston, Senior Software Engineer, Symantec.cloud

As 419 or advance fee fraud scammers have demonstrated in recent days and weeks, they are particularly adept at using current events to their advantage. We've covered how scammers have also used Egypt's recent revolution to try to get money from their victims.

I recently identified a 419 scam message trying to take advantage of the unrest in Libya. It seems that as countries around the world scramble to evacuate their citizens from the deteriorating situation in the country, 419 scammers are also rushing to send out messages to capitalise on the unrest and publicity.

The scam message claims to be written by someone connected to Libya's Senussi crown (overthrown by Muammar al-Gaddafi in his 1969 coup d'état). The scam follows a fairly...

Paul Wood | 17 Feb 2011 | 0 comments

Posted on behalf of Nick Johnston, Senior Software Engineer, Symantec.cloud

It has only been a few days since the resignation of Egypt's long-standing president, Hosni Mubarak, who resigned after intense political pressure following days of widespread protest across the country. As we've seen in the past, 419 or advance-fee fraud scammers (who typically promise large amounts of money, but demand upfront fees or payments first) are quick to react to current events. For example, in the aftermath of Haiti's devastating earthquake in January 2010, 419 scammers impersonated the Red Cross, requesting donations.

We recently saw a German language 419 scam claiming to be from the former Egyptian president's lawyer:

The scammer claimed that he needed the recipient's help to retrieve $2.5m of the president's funds, frozen in a Belgian...

Paul Wood | 15 Feb 2011 | 0 comments

Posted on behalf of Nick Johnston, Senior Software Engineer, Symantec.cloud

MessageLabs Intelligence recently tracked a new pharmaceutical spam campaign promoting a supposedly "Google-accredited" online pharmacy. This is obvious brand hijacking: Google does not host or approve any pharmacy sites. We contacted Google about this, and a spokesperson responded with, "Google has a track record of fighting similar types of scams, and we also recommend that users carefully review online offers that look too good to be true before entering any of their information: http://googleblog.blogspot.com/2009/12/fighting-fraud-online-taking-google.html".

The spam message contains text promoting a drug for preventing hair loss, and a link to a blog the spammer has set up on a popular free blogging site, shown in the screenshot below:...

Paul Wood | 04 Jan 2011 | 0 comments

Posted on behalf of Mathew Nisbet, Malware Data Analyst

Over the 2010 Christmas holiday, the level of spam in circulation has dropped drastically. For example, at the time of writing, the amount of spam hitting our spam honeypots is the lowest it has been since McColo, the rogue ISP, was shut down in November 2008. As can be seen from the global spam level estimates in figure 1 below, the amount of spam worldwide has dropped dramatically since 25th December 2010.

Figure 1 - Global spam volumes

The main cause of this drop is a huge reduction in output from the Rustock botnet, by far the most dominant spam botnet of 2010. Since 25th December, Rustock seems to have all but shut down, with the amount of spam coming from it consistently accounting for below 0.5% of all spam worldwide. Further contributing to the massive reduction in spam levels...

MarissaVicario | 21 Jan 2010 | 2 comments

On the heels of having learned that Gumblar infected three Japanese websites late last year, MessageLabs Intelligence has tracked Gumblar’s latest activity, which has been heavy over the past few days, especially on 17 January when it represented 25 percent of all malicious blocks. Generally in January we have seen a small number of blocks each day, averaging 46 blocks per day (2.3 percent of malicious blocks).

Gumblar: malicious sites blocked by MessageLabs

Some general statistics

• Since Feb 2009 MessageLabs Intelligence has made 36926 blocks of Gumblar on 4930 URLs across 2048 different domains
• Originally the malware was served up via a malicious site called gumblar.cn in April 2009, and the threat was named after that...