Short URLs In Spam Reach Historical Peak: MessageLabs Intelligence Report
Average daily values also show a significant increase
July 24, 2010
PRESS RELEASE
MOUNTAIN VIEW, Calif. – July 22, 2010– Symantec Corp. (Nasdaq: SYMC) today announced the publication of its July 2010 MessageLabs Intelligence Report. Analysis reveals that the percentage of spam containing shortened hyperlinks has increased significantly over the last year. Spam containing shortened hyperlinks hit a one day peak of 18 percent, or 23.4 billion spam emails, on April 30, 2010 doubling last year’s peak levels when spam with shortened hyperlinks accounted for 9.3 percent of spam, more than 10 billion spam emails, on July 28, 2009. In addition to higher peak levels, average daily values also show a significant increase in use of the tactic. In the second quarter of 2009 there was only a single day where when shortened hyperlinks appeared in more than 1 in 200 of spam messages. In the second quarter of 2010 there were 43 days when at least 1 in 200 spam messages contained shortened hyperlinks and 10 days where at least 5% of all spam contained these links.
“As far as spammers are concerned, any tactics that make it harder to block their spam emails are going to be exploited,” said Paul Wood, MessageLabs Intelligence Senior Analyst, Symantec Hosted Services. “When spammers include a shortened URL in spam messages, these shortened hyperlinks contain reputable and legitimate domains, making it harder for traditional anti-spam filters to identify the messages as spam based on the reputation of the domains found in the spam emails.”
Further analysis of spam containing shortened URLs revealed that the Storm botnet, which returned to the threat landscape in May 2010, is responsible for the greatest volume of botnet spam containing short hyperlinks, accounting for 11.8 percent of all spam containing shortened hyperlinks. A large proportion of short URL spam this quarter also originates from other sources, including unidentified botnets.
“While botnets are often the source of short URL spam, 28 percent of this type of spam originated from sources not linked to a known botnet such as unidentified spam-sending botnets or non-botnet sources such as webmail accounts created using CAPTCHA-breaking tools,” Wood said.
MessageLabs Intelligence found that on average one website visit is generated for every 74,000 spam emails containing a shortened URL link. The most frequently visited shortened links from spam received more than 63,000 website visits.
Earlier this month, MessageLabs Intelligence reported on the increased risk from web threats. So far in 2010, the number of threats blocked by the MessageLabs Hosted Web Security Service is over 20 percent higher than in 2009 on a per client per month basis. An analysis of the blocked domains in 2010 reveals that almost 90 percent of malicious websites were legitimate and had been compromised by malware without their owners’ knowledge.
Also in July, MessageLabs Intelligence identified a new, malicious phishing attack using PDF Reader Updates as a hook. The attack was seeking to collect its victims’ credit card details and by early July, MessageLabs Intelligence had blocked more than 26,000 of these “PDF Reader Update” phishing attacks
Finally, MessageLabs Intelligence uncovered multi-step targeted attacks in July in which the attacker first gained unauthorized access to a website belonging to one organization and uploaded a fake landing page with obfuscated JavaScript containing malicious code. Next, the attacker sent unsolicited emails purporting to be from a webmail account to select recipients at a second organization. The emails contained a link to the malicious landing page created earlier on the first organization’s website.
Other report highlights:
Spam: In July 2010, the global ratio of spam in email traffic from new and previously unknown bad sources was 88.9 percent (1 in 1.12 emails), a decrease of 0.4 percentage points since June.
Viruses: The global ratio of email-borne viruses in email traffic from new and previously unknown bad sources was one in 306.1 emails (0.327 percent) in July, a decrease of 0.04 percentage points since June. In July, 17.1 percent of email-borne malware contained links to malicious websites, an increase of .4 percentage points since June.
Endpoint Threats: Threats against endpoint devices such as laptops, PCs and servers may penetrate an organization in a number of ways, including drive-by attacks from compromised websites, Trojan horses and worms that spread by copying themselves to removable drives. Analysis of the most frequently blocked malware for the last month revealed that the Sality.AE virus was the most prevalent. Sality.AE spreads by infecting executable files and attempts to download potentially malicious files from the Internet.
Phishing: In July, phishing activity was 1 in 557.5 emails (0.179 percent) an increase of 0.02 percentage points since June. When judged as a proportion of all email-borne threats such as viruses and Trojans, the proportion of phishing emails had decreased by 3.2 percentage points to 60.2 percent of all email-borne malware and phishing threats combined.
Web security: Analysis of web security activity shows that 30.5 percent of malicious domains blocked were new in July, an increase of 0.2 percentage points since June. Additionally, 13.0% of all web-based malware blocked was new in July; an increase of 0.5 percentage points since last month. MessageLabs Intelligence also identified an average of 4,425 new websites per day harboring malware and other potentially unwanted programs such as spyware and adware, an increase of 176.9 percent since June.
Geographical Trends:
Spam levels in Luxembourg rose to 2.4 percentage points to 93.5 percent in July positioning it as the most spammed country.
In the US, 89.8 percent of email was spam and 88.1 percent in Canada. Spam levels in the UK were 87.8 percent.
In the Netherlands, spam accounted for 90.4 percent of email traffic, while spam levels reached 88.6 percent in Australia and 89.5 percent in Germany and 91.8 percent in Denmark.
Spam levels in Hong Kong reached 90.6 percent and 86.7 percent in Singapore. Spam levels in Japan were at 86.2 percent and 92.1 percent in China.
Virus activity in Taiwan was 1 in 50.0 emails, keeping it as the most targeted for email-borne malware in July.
Virus levels for the US were 1 in 520.1 and 1 in 430.8 for Canada. In Germany, virus levels were 1 in 487.8, 1 in 767.7 for the Netherlands, 1 in 516.3 for Australia, 1 in 398.9 for Hong Kong, 1 in 874.5 for Japan and 1 in 696.1 for Singapore.
New Zealand became the most targeted for phishing attacks in July with 1 in 111.2 emails comprising a phishing attack.
Vertical Trends:
In June, the most spammed industry sector with a spam rate of 92.6 percent remained the Engineering sector.
Spam levels for the Education sector were 89.1 percent, 89.0 percent for the Chemical & Pharmaceutical sector, 89.6 percent for IT Services, 89.9 percent for Retail, 87.3 percent for Public Sector and 87.4 percent for Finance.
In July, the Engineering Sector became the most targeted industry for malware with 1 in 112.0 emails being blocked as malicious.
Virus levels for the Chemical & Pharmaceutical sector were 1 in 449.0, 1 in 377.5 for the IT Services sector, 1 in 706.1 for Retail, 1 in 227.3 for Education and 1 in 256.2 for Finance.
The July 2010 MessageLabs Intelligence Report provides greater detail on all of the trends and figures noted above, as well as more detailed geographical and vertical trends. The full report is available at http://www.messagelabs.com/intelligence.aspx.
Symantec’s MessageLabs Intelligence is a respected source of data and analysis for messaging security issues, trends and statistics. MessageLabs Intelligence provides a range of information on global security threats based on live data feeds from our control towers around the world scanning billions of messages each week.
About Symantec
Symantec is a global leader in providing security, storage and systems management solutions to help consumers and organizations secure and manage their information-driven world. Our software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored. More information is available at www.symantec.com.
You May Also Like