2013 was a year of change in the spam landscape.
The volume of spam increased from 2012. We witnessed the decline of a previously successful exploit kit. The old became new again, thanks to the different techniques spammers used to repackage familiar lures. While we still saw traditional types of spam, we also saw several "improvements" that allowed spammers to avoid detection and victimize more users. Since the start of the year, we also saw spam used more often to carry malware.
Figure 1. Spam volume from 2008
The Slow Death of the Blackhole Exploit Kit
The Blackhole Exploit Kit (BHEK) is a notorious exploit kit that was widely used in numerous spam campaigns. This exploit kit was highly adaptive: it incorporated exploits for newly disclosed vulnerabilities, and the spam runs that led to it used current "hot topics" and even social networks as lures.
In 2013, we saw 198 BHEK spam campaigns, a smaller number than in the previous year. The lower volume did not make these campaigns less effective. For example, we saw spammed messages just hours after the official announcement of the birth of the "Royal Baby." In this particular spam run, the spammed messages reached up to 0.8% of all spam collected during the period.
Figure 2. Number of BHEK campaigns from March 2012 to December 2013
The end of the third quarter was marked by the arrest of Paunch, the person believed to be the creator of BHEK. In the two weeks after his arrest, we found no significant BHEK spam runs. The number of BHEK spam runs dwindled until there were none in December.
Health Spam Spikes
Entering the third quarter, we noticed an increase in the amount of health-related spam. At one point, this type of spam constituted 30% of all spam we saw, with over two million samples spotted daily. The content of these messages ran the gamut from weight loss tips to pharmaceutical products.
What is notable about this particular spam run is that the messages evolved from the traditional "direct" approach (an image of the product and a call to action to buy) to more "subtle" methods. Health spam now uses a newsletter template to peddle products. The purpose of the newsletter template may be two-fold: to avoid detection by anti-spam filters and to appear more legitimate to users. Several messages even claimed to be from reputable news sources such as CBS, CNBC, CNN, the New York Times, and USA Today.
Figure 3. Sample health-related spam
These messages were sent from computers in various countries, including India (10%), Spain (8%), Italy (7%) and the United States (6%).
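The "claims to be a news outlet, but is not sent from that outlet" pattern above is something a mail filter can check mechanically. The following is an added example (not code from the original post or from Trend Micro): it parses a message, looks for a news brand named in the From display name or the Subject, and flags the message when the sender's domain is not one of that brand's domains. The brand-to-domain map and the three sample messages are constructed assumptions for the example; where the brand claim actually appeared in the real spam is not stated on the page.

```python
import email
from email import policy
from email.utils import parseaddr

# ASSUMPTION: a small allow-list mapping each outlet named in the post to the
# domains it legitimately sends from. A production filter would maintain this
# list separately and keep it current.
NEWS_BRANDS = {
    "cbs": {"cbs.com", "cbsnews.com"},
    "cnbc": {"cnbc.com"},
    "cnn": {"cnn.com"},
    "new york times": {"nytimes.com"},
    "usa today": {"usatoday.com"},
}


def sender_domain(msg):
    """Domain of the address in the From header (empty string if absent)."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def claimed_brands(msg):
    """Outlets named in the From display name or the Subject line."""
    name, _ = parseaddr(str(msg.get("From", "")))
    text = (name + " " + str(msg.get("Subject", ""))).lower()
    return {brand for brand in NEWS_BRANDS if brand in text}


def impersonated_brands(raw_message):
    """Return the sorted list of brands the message claims but is not sent from."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    domain = sender_domain(msg)
    flagged = set()
    for brand in claimed_brands(msg):
        legit = NEWS_BRANDS[brand]
        # Accept the brand's own domain and any subdomain of it.
        if not any(domain == d or domain.endswith("." + d) for d in legit):
            flagged.add(brand)
    return sorted(flagged)


# Constructed sample messages (not real captured spam).
SPAM_NEWSLETTER = """\
From: CNN Health <news@example-offers.net>
To: victim@example.org
Subject: CNN Health Newsletter: doctors reveal a simple weight loss trick

Read the full story and order today.
"""

SPAM_TWO_BRANDS = """\
From: Health Desk <desk@example-deals.biz>
To: victim@example.org
Subject: As seen on CNN and The New York Times: new diet pill

Limited supply, click now.
"""

LEGIT_NEWSLETTER = """\
From: CNN <newsletters@mail.cnn.com>
To: reader@example.org
Subject: CNN Health: today's top stories

Today's headlines follow.
"""


def scan(messages):
    """Map each message's Subject to the brands it impersonates (if any)."""
    report = {}
    for raw in messages:
        msg = email.message_from_string(raw, policy=policy.default)
        hits = impersonated_brands(raw)
        if hits:
            report[str(msg["Subject"])] = hits
    return report


if __name__ == "__main__":
    for subject, brands in scan([SPAM_NEWSLETTER, SPAM_TWO_BRANDS, LEGIT_NEWSLETTER]).items():
        print(f"FLAGGED ({', '.join(brands)}): {subject}")
```

The check is deliberately narrow: it does not decide that a message is spam, only that it borrows a brand's name without coming from that brand's domain, which is exactly the signal the newsletter template is designed to mask. SPF or DKIM verification of the sending domain would be the natural next step, since a display name is free to forge.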
The spike was not the only notable health spam we saw this year. We also saw several spammed messages that leveraged the controversial Affordable Care Act, or Obamacare, even before it officially launched. Once users clicked on the links in these messages, they were led to survey scam sites.
The Change in Malware Attachments
Aside from advertising and selling pharmaceutical products, spam is also used to distribute malware. Even though there are more complex ways of infecting systems, the use of malicious attachments remains a constant in the threat landscape. This suggests that there are still users who fall for simple techniques, such as a message urging them to open an attachment. The number of spam messages with malicious attachments fluctuated throughout the year before increasing steadily in the latter months.
Figure 4. Volume of spam messages with malicious attachments
From the first to the third quarter of the year, ZBOT/ZeuS was the top malware family distributed by spam. This family is known for stealing financial information. Halfway into the third quarter, however, TROJ_UPATRE unseated ZBOT as the top malware attachment. In November, about 45% of all malicious spam with attachments carried UPATRE malware.
UPATRE became notorious as a downloader of other malware, including ZBOT and ransomware, particularly CryptoLocker. This combination is doubly risky for users: not only is their information stolen, their files are also rendered inaccessible.
Spam, 2014 and Beyond
We anticipate that the 2013 spam landscape will set a precedent for the threats we’ll see in the upcoming year:
- Spammers will blend old spam techniques in order to avoid detection and successfully victimize users.
- Spam will still be used to spread malware.
- Social networking spam will increase drastically in volume.
You may read our upcoming annual year-end report for more information and insights about spam and other elements of the 2013 threat landscape.