
April Showers

April is usually a dull, grey month, in between Winter and early Summer, and the spam report for this month is much like the weather. After the excitement of the Winter’s WMF exploit, and the corresponding upsurge in spam, unsolicited email has been coming along in a steady deluge. Read on for an overview of the key trends and highlights in email attacks and spam sending for the month of April.

On the virus side, things have certainly quietened down from previous months. The number of new viruses with significant impact has decreased considerably. Indeed, it has been left to our old faithful, NetSky.P (aka SomeFool.P), to keep the side up. The trend, in what new viruses there are, continues to be an email with social engineering content to trick the victim into running a small code downloader. This then proceeds to download the trojan proper. However, these just can’t keep up with the pace set by NetSky.P, even though it is now over two years old. Our view of viruses contrasts quite a lot with that of the anti-virus vendors, which have reported seeing more activity from Mytob variants. But although these feature, the NetSky.P virus still dominates. Maybe there are geographical/regional variations.

If virus activity is remaining fairly constant, with no significant outbreaks, then this is contrasted by the increase in phishing attacks. These are becoming increasingly sophisticated in their social engineering content, although they seem to have stopped attempting tricks to bypass spam filters (which makes them easier to read for any humans they reach). Because of this increase in phishing activity, this month we’ve broken out details of phishing from viruses, to present them in all their glory in their own separate section.

Across all domains that we filter, spam accounts for over 70% of all emails sent. Within each domain, there are variations from 95% through to around 20%. It is probably a reasonable assumption that, for an average domain, around 30% - 35% of all email is spam (our results are skewed by providing service for people with significant spam problems).


OK, on with the report.

World of Spam

The geographical breakdown for spam, viruses and phishing emails for April can be seen below.


[Figure: geographical breakdown of spam, viruses and phishing emails for April]

In the main, the level of spam originating from the top few countries is proportional to the number of broadband connections in that country. This explains the high presence of the US and Korea. The exception is China, which continues to provide hosting for some of the large spam operations. With our focus on the UK, it is interesting to note the relatively low representation of IPs located in the UK as a source for spam, although we can only speculate on the reasons for this.

The majority of spam that we see is still in the English language, although other European languages (French, Spanish and German) do have some representation. However, the trend for Chinese language spam is increasing. We may throw a spotlight on this factor in a future report.

Spam: All of the day, and all of the night

The following picture shows, for each day in April, the relative proportions of email: Spam, Ham, and viruses received.


[Figure: daily proportions of spam, ham and viruses received in April]

The graph shows that we provide a service primarily to commercial operations, which don’t send a lot of email at the weekend. The four day Easter holiday is easy to spot in the middle of the graph. By contrast, spammers don’t take the weekends, or the Easter holiday, off. This probably shows the level of automation in spam delivery, rather than any particularly strong work ethic on the part of the spammers.



Viruses: Lazing on a Sunday afternoon

Overall, the number of viruses in April has decreased from the level in March: we’ve not seen a significant outbreak since the new year.
In contrast to the pattern for spam, viruses do take the weekend off. This illustrates a key difference between spam and virus sending. Viruses are sent from machines which are used less at the weekend, which may indicate that viruses are still a big problem for the UK’s businesses. This is underscored by the high degree of localisation in virus sending, with the top country for originating viruses being Great Britain. With nearly 40% of all viruses, it far outweighs the other countries, especially when the number of available sources (broadband connections) is taken into account. The United States and Korea are second and third respectively. Last month, Mexico was in the top three, but now has moved down to 7th place.

Position  Country         Percentage
1         United Kingdom  37.9%
2         United States   19.8%
3         Korea           15.7%
4         Spain           5.6%
5         France          5.2%
6         Turkey          4.1%
7         Mexico          3.5%
8         Poland          3.3%
9         Brazil          2.7%
10        China           2.2%

Phishing Protection

This month, around 1 in every 200 emails is a phishing attack. As well as increasing in number, the sophistication is also increasing: it can be almost impossible to tell if a site is legitimate. The top targets are shown below. Roll on two-factor authentication. In the meantime, change your password frequently.

Attacks aimed at Barclays customers continue to dominate, with the Alliance and Leicester following behind. The top 10 targeted organisations are shown below.


[Figure: top 10 targeted organisations]

Virus Activity

As noted above, in terms of overall activity this month, SomeFool (aka Netsky) rules the roost, with SomeFool.P being by far the most common variant. For new viruses, variations of Mytob are still appearing, although the number of incidents is still low - nothing like an outbreak.

Position  Change  Virus                       Percentage
1         level   Worm.SomeFool.P (NetSky.P)  26.6%
2         up      Worm.SomeFool.Gen-1         12.8%
3         up      Worm.SomeFool.Gen-2         11.1%
4         new     Worm.Mytob.LQ               9.3%
5         down    Exploit.HTML.IFrame         8.7%
6         new     Worm.Mytob.CW               5.0%
7         level   Worm.Mytob.S                4.6%
8         up      Worm.SomeFool.Z             4.6%
9         down    Worm.Lovegate.R             3.0%
10        down    Worm.VB-9                   2.1%
