
Latest Intelligence for January 2018

The Necurs botnet shifts from malicious emails to other email scam campaigns and the email malware rate declines.

Some of the key takeaways from January’s Latest Intelligence, and the threat landscape in general, include the following: the Necurs botnet is seen pushing cryptocurrency-related email, a malware scam purports to come from the FBI, and a mobile threat says “Congratulations, you won!”


The email malware rate dropped in January, coming in at 1 in 786 emails. This decline mirrors the low rates that we saw in the first quarter of 2017, when activity by the Necurs botnet all but disappeared. This January, it appears that the folks behind Necurs have shifted tactics, moving away from malicious emails in order to push other email scams.

The most interesting of these scams appears to be a new pump-and-dump campaign pushing cryptocurrency. This isn’t the first time that Necurs has been involved in sending pump-and-dump email, though it is notable that the botnet was pushing a minor cryptocurrency called Swisscoin. Some of the common email subject lines seen include the following:

  • Could this digital currency actually make you a millionaire?
  • This crypto coin could go up fifty thousand percent this year
  • Let me tell you about one crypto currency that could turn 1000 bucks into 1 million
  • Forget about bitcoin, there's a way better coin you can buy.

It’s possible the Necurs operators are testing the cryptocurrency waters, resulting in a downturn in malicious emails as they do so. However, the largest email campaign pushed by Necurs in January was a run-of-the-mill dating scam. The subject lines simply said “hi” and appear to be attempts to establish correspondence with the recipient under the guise of a potential romantic encounter. Such scams generally lead to the attacker requesting the victim to wire money.

Figure 1. The email malware rate dropped in January to 1 in 786 emails


The overall spam rate remained constant in January, coming in at 55.3 percent again this month. This follows a twelve-month high in November and maintains spam rates above 55 percent in 5 of the last 6 months. The Mining sector leads industry-related rates at 58.1 percent, followed by the Finance, Insurance, & Real Estate sector.

A recent spam campaign purporting to come from the FBI was seen targeting U.S. citizens in January. The emails, appearing to be messages from the Internet Crime Complaint Center (IC3) division, inform the recipient that they are due compensation from a previous cyber attack. The email asks them to fill out an attached form to claim monetary compensation; if opened, the attachment will attempt to compromise the user’s device with malware.


The phishing rate decreased slightly in January, to 1 in 2,836 emails. The Finance, Insurance, & Real Estate sector had the highest phishing rate with 1 in 1,900 emails, followed closely by Agriculture, Forestry, & Fishing with a phishing rate of 1 in 1,993 emails.

An old and well-known desktop malware scam has recently made the jump to mobile devices. These “You won” scams have existed for years and, besides being tailored to mobile, appear to follow a familiar process. For instance, the user encounters a scam page spoofing a well-known grocery chain that appears to offer promotions or prizes if the user fills in a survey form. The forms ask the user to fill out personal information which, if provided, is sent to a remote server, potentially for use in further scams or for identity theft.

Social Media

Manual sharing topped social media scams in January, though its overall percentage dropped to 54 percent. There appears to have been a swing to fake offers in January, which increased 22.56 percentage points from 7.19 percent to 29.75 percent. Like jacking increased 2.21 percentage points to 15.96 percent and came in third for January.

Figure 2. Fake offers increased from 7.19 to 29.75 percent in January

This is just a snapshot of the news for the month. Check out the Latest Intelligence for the big picture of the threat landscape with more charts, tables, and analysis.

About the Author

Ben Nahorney

Cyber Security Threat Analyst

Ben works for Symantec’s Security Response team, where he dives deep into the threat data, looking at long-term trends, and surfacing occasionally to submit blogs, whitepapers, graphics, and video content.
