Symantec Internet Security Threat Report - 2011

Introduction | 2011 In Review | 2011 In Numbers | Executive Summary | Safeguarding Secrets: Industrial Espionage in Cyberspace | Against the Breach: Securing Trust and Data Protection | Consumerization and Mobile Computing: Balancing the Risks and Benefits in the Cloud | Spam Activity Trends | Malicious Code Trends | Closing the Window of Vulnerability: Exploits and Zero-day Attacks | Conclusion: What’s Ahead in 2012

Spam Activity Trends

Spam in 2011

Despite a significant drop in email spam in 2011 (dropping to an average of 75.1% of all email in 2011 compared with 88.5% in 2010), spam continues to be a chronic problem for many organizations and can be a silent-killer for smaller businesses, particularly if their email servers become overwhelmed by millions of spam emails each day. With the power of botnets, robot networks of computers infected with malware and under the control of cybercriminals, spammers can pump out billions of spam emails every day, clogging-up company networks and slowing down communications. There were, on average, 42 billion spam messages a day in global circulation in 2011, compared with 61.6 billion in 2010.
In 2011, we saw spam, phishing and 419 scams exploit political unrest (e.g. the Arab spring), the deaths of public figures (e.g. Muammar Gadhafi, Steve Jobs and Amy Winehouse) and natural disasters (e.g. the Japanese tsunami). They are the same topics that newspapers cover and for the same reasons: they attract readers’ attention.
Unlike spam, phishing activity continued to rise (up to 0.33% or 1 in 298.0 of all email in 2011, from 0.23% or 1 in 442.1 in 2010). The proportion of phishing emails varied considerably by company size with the smallest and largest companies attracting the most, but the proportion of spam was almost identical for all sizes of business.
Figure 11: Percentage of email identified as spam, 2011. Source: Symantec

Impact of botnets on spam

Overall in 2011, botnets produced approximately 81.2% of all spam in circulation, compared with 88.2% in 2010. Between March 16th and March 17th, 2011, many Rustock command and control (C&C) servers located in the US were seized and shut down by US federal law enforcement agents, resulting in an immediate drop in the global spam volume from 51 billion spam messages a day in the week before the shutdown to 31.7 billion a day in the week afterwards.

The changing face of spam

Between 2010 and 2011, pharmaceutical spam fell by 34%, in large part owing to the demise of the Rustock botnet, which was mainly used to pump-out pharmaceutical spam. In contrast, messages about watches and jewelry, and sex and dating both increased as a percentage. Not only were there fewer spam emails in circulation, but smaller message sizes were the most common and English remained the lingua franca of spamxxix, with Portuguese, Russian and Dutch the next most popular languages (albeit with a much smaller ‘market share’).
As the popularity of social networking and micro-blogging sites continues to grow, spammers increasingly target them as well as traditional email for their messages. Having your content go viral is not just the dream of legitimate marketers, but cybercriminals distributing malware and spam are also finding new ways to exploit the power of social media and are even tricking users into spreading their links for them.
Figure 12: Top ten spam email categories, 2010-2011. Source:

URL shortening and spam

Spammers are making greater use of URL shortening services, even establishing their own shortening services along the way. These sites take a long website address and shorten them, making them easier to share. This has many legitimate uses and is popular on social networking and micro-blogging sites. Spammers take advantage of these services to hide the true destination of links in their unwanted messages. This makes it harder for users to know what they are clicking on and it increases the work needed for spam filtering software to check if a link in an email is legitimate or not.
Spammers sometimes redirect a website address through many different shortened links. There are so many shortening services that if one gets shut down or improves security, spammers can move on to the next site. In May 2011, the first evidencexxx of spammers using their own URL shortening services appeared, and spammers were hosting their own shortened Web sites redirecting visitors to spam Web sites. These shortened links first pass through bona fide URL shortening services, in a bid to hide the true nature of the spam URL from the legitimate shortening service.
Initially, spammer-operated link shorteners were rudimentary and based on freely-available open source tools. Spammers used these services to make it more difficult to detect and block spam activity based on the URLs involved, and further conceal the true location of the promoted sites. They generated different URLs for use in different environments, such as social networking, micro-blogging and email campaigns. Spammers also used fake profiles on Twitter to send messages containing the same shortened links, with each profile using different trending topics to promote their messages.
As an added bonus, link shortening sites can give them feedback through a dashboard provided by the URL shortening service about the number of click-throughs on a given link so that they can use this information to target the messages better. In other words, they can find out what people like to click and send out more of that, increasing the effectiveness of their campaigns.
xxixAppendix C: Spam and Fraud Activity Trends