Editor's note: The spam data cited in this post is drawn from the network of Google email security and archiving services, powered by Postini, which processes more than 3 billion email messages per day in the course of providing email security to more than 50,000 businesses and 18 million business users.
Spam and virus volumes this year have continued their upward trend. Q2’10 saw a sharp 16% increase in spam volume over Q1’10. Virus traffic rose a more modest 3% this quarter; however, Q2’10 virus volume was 260% higher than in Q2’09. These trends tell us that spammers are still extremely active and that their botnets continue to produce high levels of spam and virus traffic.
By the numbers
Spam volume shot up 16% from Q1’10 to Q2’10. Overall, however, spam levels are down 15% from Q2’09.

Virus volume grew quickly at the beginning of the quarter, shooting up 90% from March to April, but then quickly dropped off. We saw only a modest 3% uptick from Q1’10 to Q2’10 at the aggregate level. Compared to Q2’09, this represents a 260% increase.

One interesting trend we noticed is that the size of individual spam messages rose 35% from Q1’10. This points to spammers sending more image-based spam, as well as more viruses as attachments.

New methods of attack
We have also seen a recent surge in obfuscated (hidden) JavaScript attacks. These messages are a hybrid of virus and spam. They are designed to look like Non-Delivery Report (NDR) messages, which are legitimate bounce notifications; however, they contain hidden JavaScript that in some cases tries to do things the user may not be aware of.
In some cases, the message forwarded the user's browser to a pharma site or tried to download something unexpected, which is more virus-like. Because the JavaScript generates further code at run time, each message can take a different form, making these messages challenging to identify by matching their surface text.
Fortunately, our spam traps were receiving these messages early, giving our engineers advance warning that allowed us to write manual filters and escalate to our anti-virus partners quickly. In addition, we updated our Postini Anti-Spam Engine (PASE) to recognize the obfuscated JavaScript and capture the messages based on the underlying code rather than on their changing surface text, to ensure accuracy.
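One way to match such messages on the underlying code rather than on their changing surface text, shown here as an added example and not as Postini code: the script below builds a constructed fake NDR whose HTML attachment rebuilds a redirect at run time through unescape() and String.fromCharCode(), peels those encoding layers off, and scores the decoded code against a small indicator list. The indicator list, the weights, the threshold and the example.net/example.com host names are illustrative assumptions, not data from this post.

```python
"""Heuristic scanner for obfuscated JavaScript in HTML mail attachments.

Added example, not Postini code. Cheap obfuscation layers that spammers used
(unescape() over percent-encoded text, String.fromCharCode(...) over numbers)
are decoded first so that indicators match the underlying code, not the
surface text that changes from message to message.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import unquote

# Indicator name -> (regex, weight). Weights and threshold are assumptions.
INDICATORS = {
    "eval": (r"\beval\s*\(", 3),
    "unescape": (r"\bunescape\s*\(", 2),
    "fromCharCode": (r"String\.fromCharCode\s*\(", 2),
    "document.write": (r"document\.write\s*\(", 1),
    "location-assign": (r"(?:window\.)?location(?:\.href)?\s*=", 2),
    "meta-refresh": (r"<meta[^>]+http-equiv\s*=\s*[\"']?refresh", 3),
}
URL_RE = re.compile(r"https?://[\w.\-]+(?:/[\w.\-/]*)?", re.I)
PCT_STR_RE = re.compile(r"""['"]((?:%[0-9a-fA-F]{2}){4,}[^'"]*)['"]""")
CHARCODE_RE = re.compile(r"String\.fromCharCode\s*\(([\d\s,]+)\)")


def decode_layers(code: str, max_rounds: int = 5) -> str:
    """Peel percent-encoded string literals and fromCharCode() argument lists
    until nothing new appears; return the surface code plus every layer."""
    seen, layer = code, code
    for _ in range(max_rounds):
        decoded = [unquote(m.group(1)) for m in PCT_STR_RE.finditer(layer)]
        for m in CHARCODE_RE.finditer(layer):
            nums = [int(n) for n in m.group(1).split(",") if n.strip()]
            decoded.append("".join(chr(n) for n in nums if n <= 0x10FFFF))
        if not decoded:
            break
        layer = "\n".join(decoded)
        seen += "\n" + layer
    return seen


def analyze_html(html: str) -> dict:
    """Score one HTML body or attachment on the decoded code."""
    code = decode_layers(html)
    hits = {name: len(re.findall(pat, code, flags=re.I))
            for name, (pat, _) in INDICATORS.items()}
    hits = {name: n for name, n in hits.items() if n}
    score = sum(INDICATORS[name][1] * n for name, n in hits.items())
    return {"score": score, "indicators": hits,
            "redirect_targets": sorted(set(URL_RE.findall(code)))}


def scan_message(raw: bytes, threshold: int = 5) -> dict:
    """Walk a MIME message and return the worst-scoring HTML part. The fake
    NDRs carried the payload as an .htm/.html attachment, so attachments are
    inspected as well as any HTML body."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    worst = {"score": 0, "indicators": {}, "redirect_targets": []}
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == "text/html" or name.endswith((".htm", ".html")):
            body = part.get_content()
            if isinstance(body, bytes):
                body = body.decode("utf-8", "replace")
            result = analyze_html(body)
            if result["score"] > worst["score"]:
                worst = result
    worst["subject"] = str(msg["Subject"] or "")
    worst["suspicious"] = worst["score"] >= threshold
    return worst


# Constructed sample: looks like a bounce, but the attachment rebuilds a
# redirect at run time. The host names are illustrative, not real sites.
HIDDEN = '<meta http-equiv="refresh" content="0;url=http://spam.example.net/index3.html">'
ENCODED = "".join("%%%02X" % b for b in HIDDEN.encode())
CHARS = ",".join(str(ord(c)) for c in 'location.href="http://spam.example.net/index3.html"')
ATTACHMENT = f"""<html><body><p>Delivery report attached.</p>
<script>document.write(unescape('{ENCODED}'));</script>
<script>eval(String.fromCharCode({CHARS}));</script>
</body></html>"""
BENIGN_HTML = "<html><body><p>Your message could not be delivered.</p></body></html>"


def build_sample() -> bytes:
    """Assemble the constructed fake NDR as raw message bytes."""
    msg = EmailMessage()
    msg["From"] = "Mail Delivery System <MAILER-DAEMON@mail.example.com>"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Undelivered Mail Returned to Sender"
    msg.set_content("This is the mail system at host mail.example.com.\n"
                    "Your message could not be delivered; see the attached report.")
    msg.add_attachment(ATTACHMENT, subtype="html", filename="delivery-report.html")
    return bytes(msg)


if __name__ == "__main__":
    verdict = scan_message(build_sample())
    print(verdict["suspicious"], verdict["score"], verdict["indicators"])
    print("redirects to:", verdict["redirect_targets"])
```

Decoding the layers before scoring is what lets one rule survive a change of encoding: the surface of every variant differs, but the meta refresh and the location assignment that the code produces are the same in each, and the redirect target falls out of the decoded text so that it can be fed back into a URL blocklist.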
The classics
Although they’ve added a few new tricks to their bag, spammers continue to exploit tried and true techniques, including:
• False Social Networking Messages
Social networks continue to be among the most frequently spoofed domains for spreading phishing scams and virus downloaders. These messages do not actually come from the social networks but look similar to legitimate social network messages. They often contain links to external websites that host malicious content and/or attempt to harvest user login information. The Postini Anti-Spam Engine is very good at detecting such messages, but users should always be cautious when handling messages that appear to come from popular social networking sites.
• Current events
As always, spammers continue to spoof major news stories, and this quarter, we saw an increase in spam involving the World Cup. Here is one example of a virus downloader that our spam filters caught:

• Shipping scams
The shipping scam is a favorite of spammers. This quarter we saw a more widespread outbreak of messages claiming to be from major shipping companies, because spammers get a higher success rate with this type of scam. The subject line made the message look like an invoice, and the message body contained random text such as news stories that did not look particularly "spammy." Each message had an attached zip file that was presumably intended to carry some sort of virus payload; however, the data was corrupt and did not pose any actual threat.
Stay safe from phishing scams
With the global economy continuing to lag, we have seen a continued upswing in “friend-in-need” phishing attempts, where hackers break into the email account of unsuspecting users and then hand-type a message to send to the victim’s email contacts.
The most common message told a story of the person being mugged while traveling abroad and requesting that money be sent to help them get home. The hacker is preying on the generosity of the victim's friends in the hope that one or more of them will send money. These messages can be difficult for spam filters to identify since they are hand typed and not sent in bulk. It goes without saying, but be wary of emails requesting money – regardless of the sender.
In response to these outbreaks, our engineers have released several updated filters to combat new spam waves.
Conclusion
Spam volume fluctuates in the short term, but overall, for the last 3 quarters spam volume has been relatively flat. Spammers continue to exploit techniques with proven results, but as we have seen with the obfuscated JavaScript attacks, spammers are always experimenting with new techniques to stay ahead of security measures. Google Postini Services customers are protected from the brunt of these increases in spam volume.
For more information on how Google’s security and archiving services can help your business stay safe and compliant, please visit www.google.com/postini.
Posted by Adam Hollman and Gopal Shah, Google Postini Services team
5 comments:
Our school (Maine Township HS DIST 207) in Park Ridge, IL - uses Postini, I (as the admin) barely need to tweak any settings! We are very very pleased with Postini's performance.
#Corrections
"It goes without saying, but be *weary* of emails requesting money".
We are weary of them all right, but you probably mean "wary".
Thanks to those who pointed "weary" out. Fixed!
The bit about catching the NDR spam in your spam traps early is somewhat of a gloss-over of what really happened for us! Well you may have caught them but your response could have been quicker!
For well over a week we were hit by this issue and I constantly submitted spam samples to our Postini reseller support guy and through the Postini message header analyser.
The NDR emails, though they changed over the period, had consistent patterns that should have been easy for definition-based filtering to pick up, yet the spam and a/v filter definitions through Postini were not updated as quickly as one would expect to recognise these. Though the obfuscated JavaScript in HTML attachments was awful to compare due to the garbled text it consisted of, later HTML attachments used simple meta tags with consistent redirects, repeatedly to the same websites; or when the website redirect changed to another site, the infected page always ended with "/index3.html", for instance.
In the end we had all htm/html attachments to be automatically quarantined until a fair few days later we were given the all clear that Postini had got this under control.
Prior to this I'd submitted some of these attachments to ESET, and NOD32 was picking these HTML attachments up as trojans within a day or so. Postini was nowhere near as responsive as this; Postini's filtering should have been updated more often during this period in my opinion! Saying that, I definitely haven't seen one of these fake NDRs since we were given the all clear - you got there in the end!