
Latest Intelligence for February 2018

The Chafer attack group remains highly active, global spam rate declines, and the email malware rate rises again.

Key takeaways from February’s Latest Intelligence, and the threat landscape in general, include the following: the Chafer attack group mounted further operations against targets in the Middle East, the email malware rate remains low, and a mobile threat attempts to log into Facebook accounts to steal credentials.


After a significant drop last month, the email malware rate rose again in February. However, at 1 in 645 emails, the current rate is still quite a bit lower than what was generally seen in the second half of 2017. This is likely due to lower levels of email activity by the Necurs botnet, little of which served up malware during February.

Figure 1. The email malware rate rose again in February to 1 in 645 emails

The Chafer attack group has been observed carrying out further operations against organizations in the Middle East, according to new research by Symantec. The group has been seen working its way further into targets in the telecom and transport industries, using new tools to traverse the networks, primarily to carry out surveillance activities. This recent activity indicates that the group remains highly active, working to hone its tools and tactics.


The global spam rate declined slightly in February, dropping to 55.1 percent. However, the rate remains above 55 percent, as it has for 6 of the last 7 months. The Finance, Insurance, & Real Estate sector tops our list of industry spam rates, while last month’s top sector, Mining, dropped to fifth place.

Figure 2. The global spam rate declined slightly, dropping to 55.1 percent

While quiet on the email malware front, the Necurs botnet sent a couple of large spam runs during the month. The first was a continuation of a run we mentioned last month: a classic fake romance-themed scam, using a simple subject line of “hi”. This scam continued into February and the lead-up to Valentine’s Day, offering the semblance of a romantic encounter in order to scam the user.


My name is [RANDOM NAME] and i'm writing you to tell you that you are super cute from your photos on Facebook.

I myself am from Russia, but now I live in the USA.

I want to get to know you more! If you have the same, email me, this is my email [PREDETERMINED DOMAIN].

Lets know each other better.



The second major Necurs campaign came later in the month and contained an attached PDF with advertisements for online pharmaceuticals. The subject lines were a random “Offer”, “Discount”, “Sale”, “Coupon”, or “Final sale”, followed by a random 7- to 9-digit number.
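A mail-filter check for the two traits described above (keyword-plus-number subject and a PDF attachment), shown as an added example that is not Symantec's detection logic. The separator characters, case-insensitive matching, helper names and sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Keywords come from the post. Assumptions: case-insensitive match, and only
# whitespace or '#', ':', '-' between the keyword and the number.
SUBJECT_RE = re.compile(
    r"^\s*(?:final sale|offer|discount|sale|coupon)[\s#:-]*\d{7,9}\s*$",
    re.IGNORECASE,
)

def has_pdf_attachment(msg):
    """True if any MIME part is a PDF by declared type or by filename."""
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == "application/pdf" or name.endswith(".pdf"):
            return True
    return False

def matches_campaign(raw_message):
    """Flag a raw message showing both traits: subject pattern and a PDF."""
    msg = message_from_string(raw_message, policy=policy.default)
    subject = str(msg["Subject"] or "")  # policy.default decodes RFC 2047 words
    return bool(SUBJECT_RE.match(subject)) and has_pdf_attachment(msg)

def build_sample(subject, attachment=None):
    """Build a constructed test message (not a captured campaign sample)."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = subject
    m.set_content("constructed body")
    if attachment:
        m.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_string()

SAMPLES = {
    "Offer 1234567": "flyer.pdf",        # 7 digits + PDF
    "Final sale 123456789": "a.PDF",     # 9 digits, upper-case extension
    "Discount 1234567890": "flyer.pdf",  # 10 digits: outside the range
    "Sale 7654321": None,                # pattern matches, no attachment
    "Coupon 12345678": "notes.txt",      # attachment is not a PDF
    "Quarterly offer 1234567": "q.pdf",  # keyword is not at the start
}

def flagged_subjects():
    return [s for s, att in SAMPLES.items() if matches_campaign(build_sample(s, att))]
```

Requiring both traits keeps ordinary marketing mail with similar subjects from being flagged on the subject line alone.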


The phishing rate dropped in February, coming in at 1 in 3,331 emails. While slightly lower than January, overall rates have hovered in the 1 in 2,000-3,000 range for the last 10 months. The Agriculture, Forestry, & Fishing sector had the highest industry phishing rate with 1 in 1,854 emails, followed by Retail Trade at 1 in 2,505 emails.

A phishing scam mimicking a customer service notice from Netflix has been making the rounds, attempting to trick recipients into divulging personally identifiable information such as credit card numbers. The phishing emails attempt to trick a user into believing their Netflix membership will be suspended if they do not validate their billing information.

Mobile & Social Media

Manual sharing topped social media scams in February, comprising 62.78 percent of scams, while Fake Offers dropped more than 10 percentage points, from 29.75 percent to 19.49 percent. Coming in third for February, Like Jacking increased 1.29 percentage points to 17.25 percent.

Symantec researchers have discovered a new version of the Fakeapp Android malware family that attempts to log into Facebook accounts in order to steal user names and passwords, as well as a variety of personal details available in the user’s profile. The threat gains access to the user’s account by displaying a fake login page once it has compromised the device. The threat will periodically display this message until the user credentials or the threat is removed.

Figure 3. Fake Facebook login dialog displayed by this Fakeapp variant

This is just a snapshot of the news for the month. Check out the Latest Intelligence for the big picture of the threat landscape with more charts, tables, and analysis.

About the Author

Ben Nahorney

Cyber Security Threat Analyst

Ben works for Symantec’s Security Response team, where he dives deep into the threat data, looking at long-term trends, and surfacing occasionally to submit blogs, whitepapers, graphics, and video content.
