Get the bait out - it’s phishing season
At the start of July we saw an end to the World Cup and all that football fever; along with this, spam levelled off and virus activity was low. With the launch of the Internet Defence Phishery this month, the quantity of phishing attacks is far easier to see than ever before. In the late July sun, the smell from the phishery, as well as the temperature, was rising as a vast amount of new phishes came into the phishery to be processed [ed: I think she means that there was a massive volume of phishing emails sent out, targeting a number of institutions in the last weekend of July].
The US is back at numero uno for spam, viruses and phishing emails. Bleh.
The pie chart below illustrates the total percentage for Ham, Spam, Viruses and Phishing for July. Ham has increased by 3%, while spam has decreased by ~3%. However, the biggest relative change is in phishing, which has increased to above 1% this month.

Below, we have the daily breakdown for Ham, Spam, Viruses and Phishing.

World of Spam
The volume per geographical location for spam, viruses and phishing emails for July can be seen below.

This month we see a change in the top country for spam - for the last two months China was dominating, and especially last month at 41.84% of all spam received - but this month the US is back at the top. In tenth place, Great Britain has stayed static.
| Position | Country | Percentage |
|---|---|---|
| 1 | US | 19.56% |
| 2 | CN | 18.11% |
| 3 | FR | 6.38% |
| 4 | KR | 6.17% |
| 5 | ES | 5.45% |
| 6 | BR | 4.77% |
| 7 | PL | 4.72% |
| 8 | DE | 2.76% |
| 9 | IT | 2.50% |
| 10 | GB | 2.28% |
Although spam is relentless, originality in spam is limited, so instead here is a little insight into the latest research on spam filtering. This research hopes to bring ISPs in the U.K. together to work towards stopping spam. The result would be a real-time list of e-mail sources that ISPs can use to investigate misuse. Through heuristic analysis, an ISP should be alerted to strange behaviour; one example given is a customer who starts sending 10 times the number of e-mails as in the previous day/week/month.
This research is only at the beginning, but how does it deal with bulk emails? According to the article, the content of the spam is not looked at; instead the traffic is analysed, so how do you determine whether these bulk mails are legitimate? It may indicate a trend towards “licensing”, and, therefore, charging bulk emailers for the privilege of sending their advertising messages.
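The traffic heuristic and the bulk-mail question above can be sketched together. This is an added example, not code from the research described; the customer names, the `MIN_VOLUME` floor, the register of known bulk senders and all counts are constructed assumptions.

```python
from statistics import mean

SPIKE_FACTOR = 10   # "10 times the number of e-mails", as in the text
MIN_VOLUME = 200    # assumed floor so very small senders never alert
WINDOWS = {"day": 1, "week": 7, "month": 30}   # look-back lengths in days

def spike_windows(history, today):
    """Return the windows whose daily average is exceeded 10x by today's count.

    history: daily send counts, oldest first, not including today.
    """
    if today < MIN_VOLUME:
        return []
    hits = []
    for name, days in WINDOWS.items():
        window = history[-days:]
        if len(window) < days:
            continue                      # not enough history for this window
        baseline = max(mean(window), 1)   # guard against a zero baseline
        if today >= SPIKE_FACTOR * baseline:
            hits.append(name)
    return hits

def review_queue(histories, today_counts, registered_bulk=frozenset()):
    """Map customer -> triggered windows, skipping registered bulk senders."""
    queue = {}
    for customer, today in today_counts.items():
        if customer in registered_bulk:
            continue                      # known bulk mailer: no traffic alert
        hits = spike_windows(histories.get(customer, []), today)
        if hits:
            queue[customer] = hits
    return queue

# Constructed sample data: 30 days of history per customer, then today.
HISTORY = {
    "cust-a": [20] * 29 + [25],     # steady low-volume user
    "cust-b": [40] * 30,            # quiet account that suddenly floods
    "cust-c": [5000] * 30,          # newsletter operator with a large send
    "cust-d": [3000] * 29 + [50],   # busy sender that was quiet yesterday
}
TODAY = {"cust-a": 30, "cust-b": 4000, "cust-c": 60000, "cust-d": 3200}

if __name__ == "__main__":
    for customer, hits in review_queue(HISTORY, TODAY, {"cust-c"}).items():
        print(customer, hits)
```

Traffic alone cannot tell `cust-c` from a spammer, which is why the register is needed, and `cust-d` shows that the one-day window fires on ordinary burstiness while the week and month windows do not.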
Viruses: … And the battle continues
This month there have been some new viruses, but, unlike last month, there was not a significant outbreak. Across all borders for spam, phishing and viruses, the US has taken pole position. Since February, GB has always been at the top of our virus list, but the US is truly getting their independence from the rest of the countries!!
Another MySpace virus came out this month, known as JS/SpaceFlash; it attacked over one million users. An unusual aspect of this virus was that it was a Flash object that resided purely on the victims' MySpace pages, rather than installing itself on their personal computers. The site now requires the latest version of Flash to prevent future occurrences.
Also in the headlines this month is a vulnerability in Microsoft PowerPoint. It affects PowerPoint 2000, 2002, and 2003.
Symantec named the threat Trojan.PPDropper.B; it arrives as a PowerPoint attachment in an email where the sender is xxxxxx@gmail.com. When the PowerPoint document is opened, its title slide is displayed in Chinese characters and a file containing exploit code drops the Trojan horse onto the victim's computer. This trojan is capable of turning off anti-virus applications; it allows others to access the computer, steals information, records keystrokes and installs itself in the Registry.
| Position | Virus | Percentage |
|---|---|---|
| 1 | Worm.SomeFool.Gen-2 | 34.71% |
| 2 | Worm.SomeFool.P | 20.05% |
| 3 | Worm.Bagle.pwd-eml | 9.76% |
| 4 | Worm.VB-9 | 7.50% |
| 5 | Worm.SomeFool.Gen-1 | 7.40% |
| 6 | Exploit.HTML.IFrame | 6.36% |
| 7 | Worm.SomeFool.Z | 4.32% |
| 8 | Worm.Mytob.LQ | 4.02% |
| 9 | Worm.Mydoom.M | 3.73% |
| 10 | Trojan.Downloader.Small-1714 | 2.14% |
Somefool.Gen2 is still top of the virus list and, with no surprise, Somefool.P is following behind. The bagle is not toasted yet - Worm.Bagle.pwd-eml has increased by 5 places since last month - was I wrong saying the battle between Somefool and bagle was over? This is an email worm for the Windows platform. The subject line contains the name of a person and the main attachment is a zip file which is encrypted with the password given in the image file; when unzipped, the bagle is released. The bagle then harvests email addresses from the victim's infected computer and sends itself in emails using these addresses.
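A mail gateway can flag the delivery pattern described above, an encrypted zip travelling with an image in the same message, without knowing the password. This is an added example, not part of the original report; the sample messages are constructed and harmless, and the "encrypted" sample only has the ZIP encryption flag set on a plain text entry.

```python
import io
import zipfile
from email.message import EmailMessage

def has_encrypted_member(data):
    """True if any ZIP member has general-purpose flag bit 0 (encrypted) set."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False

def matches_pattern(msg):
    """True when a message carries both an encrypted ZIP and an image."""
    encrypted_zip = image = False
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if part.get_content_maintype() == "image":
            image = True
        elif payload[:4] == b"PK\x03\x04" and has_encrypted_member(payload):
            # Magic bytes are checked instead of trusting the file name.
            encrypted_zip = True
    return encrypted_zip and image

def _sample_zip(encrypted):
    """Constructed sample: a stored ZIP, optionally flagged as encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "constructed sample, harmless text")
    data = bytearray(buf.getvalue())
    if encrypted:
        cd = data.find(b"PK\x01\x02")   # central directory file header
        data[cd + 8] |= 0x01            # flags field sits at offset 8
    return bytes(data)

def sample_message(encrypted, with_image):
    """Constructed sample message with a ZIP and, optionally, an image."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(_sample_zip(encrypted), maintype="application",
                       subtype="zip", filename="doc.zip")
    if with_image:
        msg.add_attachment(b"GIF89a", maintype="image", subtype="gif",
                           filename="pw.gif")
    return msg

if __name__ == "__main__":
    print(matches_pattern(sample_message(True, True)))
```

Legitimate mail can match this pattern too, so a hit is a reason to quarantine for review rather than proof of infection.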
| Position | Country | Percentage |
|---|---|---|
| 1 | US | 31.10% |
| 2 | GB | 22.56% |
| 3 | KR | 14.98% |
| 4 | CN | 6.42% |
| 5 | FR | 6.33% |
| 6 | ES | 5.26% |
| 7 | PL | 3.74% |
| 8 | DE | 3.71% |
| 9 | BR | 3.70% |
| 10 | MY | 2.19% |
Phishing: Where have all the phishes come from?
This month, a huge outburst of phishing attacks occurred on the last weekend; see the graph below. The banking industry is still one of the most heavily targeted sectors, maybe even more so with the low success rates in the implementation of two-factor authentication. Although man-in-the-middle attacks on two-factor authentication have been known for a while, they have been brought back into the limelight recently. The failure of one solution was seen on July 10th in a man-in-the-middle attack. The email received was supposedly from Citibank, and a link to a fake website was given in the content of the mail.

This month we see a new season for the phishes. Last month Midamerica, Barclays and Paypal were first, second and third respectively, but, as seen below, this has all changed. Natwest phishing attacks, similar to the trend of phishing attacks for Midamerica last month, did not come in a steady flow, but in an outbreak over three days: 17.6% occurred on the 29th, 37.9% on the 30th and 44% on the 31st. Like the blitz on Natwest, phishing attacks on the Bank of Scotland and Fifth Third Bank occurred on the last 3 days as well. The nature of the emails, and the volume, makes it likely that the same attacker was behind all of these.

Last month we saw Korea as the top country, but this month it has moved down by a significant percentage to second place (18.56%). This decrease coincides with Paypal phishing attacks being knocked out of the top three as well. The US is back at the number one position with a whopping 40.64% - this is the highest percentage seen in a while for geographical location of phishes. The majority of these phishing attacks were targeting customers of
| Position | Phishing | Percentage |
|---|---|---|
| 1 | Natwest | 24.89% |
| 2 | Bank of Scotland | 11.75% |
| 3 | Ebay | 10.67% |
| 4 | Paypal | 7.67% |
| 5 | Fifth Third Bank | 6.11% |
and samples of each can be viewed at the Phishery where you can gorge yourself on as many processed phish as you like, without worrying about getting any bones stuck in your throat.


