Spammers set up their own URL-shortening sites
Symantec Announces May 2011 MessageLabs Intelligence Report
-Spammers establish their own fake URL-shortening services for the first time ever, contributing to rising spam rates-
Symantec Corp. (Nasdaq: SYMC) today announced the publication of its May 2011 MessageLabs Intelligence Report. This month’s analysis reveals that, for the first time ever and as predicted by MessageLabs Intelligence in its Annual Security Predictions for 2011, spammers are establishing their own their own fake URL-shortening services to perform URL redirection. This new spamming activity has contributed to this month’s increase in spam by 2.9 percentage points, a rise that was also expected following the Rustock botnet takedown in March.
Under this scheme, shortened links created on these fake URL-shortening sites are not included directly in spam messages. Instead, the spam emails contain shortened URLs created on legitimate URL-shortening sites. These shortened URLs lead to a shortened-URL on the spammer’s fake URL-shortening Web site, which in turn redirects to the spammer’s own Web site.
“MessageLabs Intelligence has been monitoring the way that spammers abuse URL-shortening services for a number of years using a variety of different techniques so it was only a matter of time before a new technique appeared,” said Paul Wood, MessageLabs Intelligence Senior Analyst. “What is unique about the new URL-shortening sites is that the spammers are treating them as ‘stepping stones’ – a link between public URL-shortening services and the spammers’ own sites.”
To make things more interesting, these new domains were registered several months before they were used, potentially as a means to evade detection by legitimate URL-shortening services since the age of the domain may be used as an indicator of legitimacy making it more difficult for the genuine shortening services to identify potential abuse.
“With legitimate URL-shortening services attempting to tackle abuse more seriously, spammers seem to be experimenting with ways to establish their own services to better avoid disruption,” Wood said. “However, as long as new URL-shortening services are being created, we expect spammers to continue abusing them.”
Other report highlights:
Spam: In May 2011, the global ratio of spam in email traffic from new and previously unknown bad sources increased by 2.9 percentage points since April 2011 to 75.8% (1 in 1.32 emails).
Viruses: The global ratio of email-borne viruses in email traffic from new and previously unknown bad sources was one in 222.3 emails (0.450 percent) in May, a decrease of 0.143 percentage points since April.
Endpoint Threats: The most frequently blocked malware targeting endpoint devices for the last month was the W32.Ramnit!html, a worm that spreads through removable drives and by infecting executable files.
Phishing: In May, phishing activity was 1 in 286.7 emails (0.349 percent), a decrease of 0.06 percentage points since April.
Web security: Analysis of Web security activity shows that approximately 3,142 Web sites each day were harboring malware and other potentially unwanted programs including spyware and adware, an increase of 30.4 percent since April 2011. 36.8 percent of malicious domains blocked were new in May, an increase of 3.8 percentage points since April. Additionally, 24.6 percent of all web-based malware blocked was new in May, an increase of 2.1 percentage points since last month.
· Russia became the most spammed in May with a spam rate of 82.2 percent.
· In the US 76.4 percent of email was spam and 75.3 percent in Canada and 75.4 percent in the UK.
· In The Netherlands, spam accounted for 77.5 percent of email traffic, in Germany 75.5 percent, 75.1 percent in Denmark and 73.9 percent in Australia.
· Spam levels in Hong Kong reached 75.2 percent and 74.0 percent in Singapore. Spam levels in Japan were 72.3 percent.
· In South Africa, spam accounted for 75.9 percent of email traffic and 74.8% in Brazil.
· The UK had the highest ratio of malicious emails in May, as one in 91.7 emails was blocked as malicious in May.
· In the US virus levels were 1 in 540.3 and 1 in 334.5 for Canada. In Germany, virus levels reached 1 in 435.9, 1 in 1,197 in Denmark and 1 in 330.1 for The Netherlands.
· In Australia, 1 in 513.5 emails were malicious and, 1 in 377.2 for Hong Kong, for Japan it was 1 in 1,164 compared with 1 in 706.7 for Singapore.
· In South Africa 1 in 178.7 emails contained malicious content and in Brazil it was 1 in 378.3.
· In May, the most spammed industry sector with a spam rate of 80.2 percent was the Wholesale sector.
· Spam levels for the Education sector were 77.4 percent, 76.0 percent for the Chemical & Pharmaceutical sector, 75.4 percent for IT Services, 75.4 percent for Retail, 74.5 percent for Public Sector and 74.7 percent for Finance.
· In May, the Public Sector remained the most targeted industry for malware with 1 in 28.9 emails being blocked as malicious.
· Virus levels for the Chemical & Pharmaceutical sector were 1 in 305.9, 1 in 367.9 for the IT Services sector, 1 in 377.7 for Retail, 1 in 108.8 for Education and 1 in 313.5 for Finance.
The May 2011 MessageLabs Intelligence Report provides greater detail on all of the trends and figures noted above, as well as more detailed geographical and vertical trends. The full report is available at http://www.messagelabs.com/intelligence.aspx.
Symantec’s MessageLabs Intelligence is a respected source of data and analysis for messaging security issues, trends and statistics. MessageLabs Intelligence provides a range of information on global security threats based on live data feeds from our control towers around the world scanning billions of messages each week.
Symantec is a global leader in providing security, storage and systems management solutions to help consumers and organizations secure and manage their information-driven world. Our software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored. More information is available at www.symantec.com <http://www.symantec.com/> .