New spammer tactics – compromised accounts now favored

In July’s Internet Threats Trend Report we describe our observations about spam and malware behavior over the past 3 months including:

  • The lowest spam levels in over 3 years
  • Huge email-borne malware outbreaks
  • Double the number of zombies activated daily
  • Greater use of compromised accounts to send spam

The new spammer tactic calls for sending spam from compromised accounts rather than from botnets.  Spam from compromised accounts is harder to block for anti-spam technologies that rely solely on IP-address-based rules, since these accounts send from within whitelisted IP address ranges (such as those of Hotmail or Gmail).  One of the primary aims of this quarter's larger malware outbreaks and phishing attacks is therefore to acquire enough compromised accounts to make spamming viable.

Having observed this greater use of compromised accounts, we researched how they are used for spam.  We looked at spam “from” Gmail and Hotmail and divided it into 2 groups:

  • Spam sent from a zombie with a phony Gmail or Hotmail address in the From field
  • Spam sent from a compromised or spammer account at Gmail or Hotmail

As shown, almost 30% of the spam from Hotmail actually comes from compromised or spammer Hotmail accounts.  Gmail spam, on the other hand, is mostly from zombies that simply forge their Gmail addresses.
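One way a receiving mail server could make the same two-way split, shown as an added example that is not from the report (the report does not say how its split was made). It assumes the receiver's own MX stamps an RFC 8601 `Authentication-Results` header; the authserv-id `mx.receiver.example` and all sample messages are constructed. A pass only shows that the provider's infrastructure sent the message, not whether the account was compromised or opened by a spammer.

```python
import re
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.receiver.example"  # assumption: authserv-id of our own MX
PROVIDERS = {"gmail.com", "hotmail.com"}

def _aligned(domain, from_domain):
    domain = domain.lower().rstrip(".")
    return domain == from_domain or domain.endswith("." + from_domain)

def classify(raw):
    """Return 'provider-account', 'forged-from' or 'other' for one raw message."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if from_domain not in PROVIDERS:
        return "other"
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, results = header.partition(";")
        # Skip results not stamped by our own MX: a sender can inject its own header.
        if (authserv.split() or [""])[0].lower() != TRUSTED_AUTHSERV:
            continue
        for method, prop in (("dkim", "header.d"), ("spf", "smtp.mailfrom")):
            pattern = rf"\b{method}=pass\b[^;]*?\b{re.escape(prop)}=([^\s;]+)"
            m = re.search(pattern, results, re.I)
            # The authenticated domain must match the From domain to count.
            if m and _aligned(m.group(1).rpartition("@")[2], from_domain):
                return "provider-account"
    return "forged-from"  # claims the provider, but nothing we trust confirms it

def tally(messages):
    return Counter(classify(m) for m in messages)

def _msg(sender, *auth_results):  # helper that builds the constructed samples
    lines = [f"From: {sender}"] + [f"Authentication-Results: {a}" for a in auth_results]
    return "\n".join(lines) + "\n\nbody\n"

SAMPLES = {  # constructed messages, not real traffic
    "zombie": _msg("Deals <someone@gmail.com>",
                   "mx.receiver.example; spf=softfail smtp.mailfrom=gmail.com; dkim=none"),
    "account": _msg("friend@hotmail.com",
                    "mx.receiver.example; spf=pass smtp.mailfrom=friend@hotmail.com"),
    "injected": _msg("someone@gmail.com",
                     "mx.untrusted.example; dkim=pass header.d=gmail.com",
                     "mx.receiver.example; spf=fail smtp.mailfrom=gmail.com; dkim=none"),
}

if __name__ == "__main__":
    print(dict(tally(SAMPLES.values())))
```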

On the Web security front, Facebook continued to be abused for attacks as more and more consumers expand their use of the social network.  Facebook malware tricked users by promising applications that reveal who was viewing their profiles, as well as Osama Bin Laden death videos.  Other malware distribution tactics used during the quarter included:

  • Phony IRS “rejected payment” emails
  • Fake iPhone 5 notifications
  • SEO poisoning
  • Malicious scripts within Adobe PDF files

Additional highlights from the July 2011 Trend Report include:

  • The most popular spam topic in Q2 was pharmacy ads, although these now represent only 24% of all spam, down from 28% in Q1.
  • India keeps its title as the country with the most zombies – 17% of all zombies worldwide.
  • Websites featuring pornography and sexually explicit material were the most likely to contain malware.

 
