Symantec’s May 2011 MessageLabs Intelligence Report revealed a new trend in spammers establishing their own fake URL-shortening services to perform URL redirection. Symantec attributes this month’s 2.9 percentage point increase in spam to the new spamming activity, a rise that was expected following the Rustock botnet takedown in March.
How do spammers use fake URL-shortening services? Shortened links created by spammers on the fake URL-shortening sites actually aren’t typically included directly in spam messages. Instead, the spam emails contain shortened URLs created on legitimate URL-shortening sites. These shortened URLs lead to a shortened-URL on the spammer’s fake URL-shortening Web site, which in turn redirects to the spammer’s own Web site.
“MessageLabs Intelligence has been monitoring the way that spammers abuse URL-shortening services for a number of years, using a variety of different techniques, so it was only a matter of time before a new technique appeared,” said Paul Wood, MessageLabs Intelligence Senior Analyst. “What is unique about the new URL-shortening sites is that the spammers are treating them as ‘stepping stones’ — a link between public URL-shortening services and the spammers’ own sites.”
The report notes that many new domains were registered several months before they were used, potentially as a means to evade detection by legitimate URL-shortening services since the age of the domain may be used as an indicator of legitimacy making it more difficult for the genuine shortening services to identify potential abuse.
“With legitimate URL-shortening services attempting to tackle abuse more seriously, spammers seem to be experimenting with ways to establish their own services to better avoid disruption,” Wood said. “However, as long as new URL-shortening services are being created, we expect spammers to continue abusing them.”
Other report highlights:
Spam: In May 2011, the global ratio of spam in email traffic from new and previously unknown bad sources increased by 2.9 percentage points since April 2011 to 75.8% (1 in 1.32 emails).
Viruses: The global ratio of email-borne viruses in email traffic from new and previously unknown bad sources was one in 222.3 emails (0.450 percent) in May, a decrease of 0.143 percentage points since April.
Endpoint Threats: The most frequently blocked malware targeting endpoint devices for the last month was the W32.Ramnit!html, a worm that spreads through removable drives and by infecting executable files.
Phishing: In May, phishing activity was 1 in 286.7 emails (0.349 percent), a decrease of 0.06 percentage points since April.
Web security: Analysis of Web security activity shows that approximately 3,142 Web sites each day were harboring malware and other potentially unwanted programs including spyware and adware, an increase of 30.4 percent since April 2011. 36.8 percent of malicious domains blocked were new in May, an increase of 3.8 percentage points since April. Additionally, 24.6 percent of all web-based malware blocked was new in May, an increase of 2.1 percentage points since last month.
Geographical Trends:
• Russia became the most spammed in May with a spam rate of 82.2 percent.
• In the US, 76.4 percent of email was spam and 75.3 percent in Canada and 75.4 percent in the UK.
• In The Netherlands, spam accounted for 77.5 percent of email traffic, in Germany 75.5 percent, 75.1 percent in Denmark and 73.9 percent in Australia.
• Spam levels in Hong Kong reached 75.2 percent and 74.0 percent in Singapore. Spam levels in Japan were 72.3 percent.
• In South Africa, spam accounted for 75.9 percent of email traffic and 74.8% in Brazil.
• The UK had the highest ratio of malicious emails in May, as one in 91.7 emails was blocked as malicious in May.
• In the US, virus levels were 1 in 540.3 and 1 in 334.5 for Canada. In Germany, virus levels reached 1 in 435.9, 1 in 1,197 in Denmark and 1 in 330.1 for The Netherlands.
• In Australia, 1 in 513.5 emails were malicious and, 1 in 377.2 for Hong Kong, for Japan it was 1 in 1,164 compared with 1 in 706.7 for Singapore.
• In South Africa, 1 in 178.7 emails contained malicious content and in Brazil it was 1 in 378.3.
Vertical Trends:
• In May, the most spammed industry sector with a spam rate of 80.2 percent was the Wholesale sector.
• Spam levels for the Education sector were 77.4 percent, 76.0 percent for the Chemical & Pharmaceutical sector, 75.4 percent for IT Services, 75.4 percent for Retail, 74.5 percent for Public Sector and 74.7 percent for Finance.
• In May, the Public Sector remained the most targeted industry for malware with 1 in 28.9 emails being blocked as malicious.
• Virus levels for the Chemical & Pharmaceutical sector were 1 in 305.9, 1 in 367.9 for the IT Services sector, 1 in 377.7 for Retail, 1 in 108.8 for Education and 1 in 313.5 for Finance.
The full report is available here (PDF No Registration Required)
