In-Depth

Latest Spam and Phishing Trends Revealed in Symantec Report

Spam dominates e-mail; phishing attacks mimic support chat sessions.

• By James E. Powell
• 08/24/2010

Some disheartening news for e-mail and network administrators highlighted Symantec's just-released International Spam & Phishing Roundup report.

Spam still made up the vast majority of all messages sent last month, rising from 88.3 percent in June to nearly 91.9 percent in July. The report also found that spam concerning health issues (including promotions for online pharmacies and counterfeit drugs) rose by 13 percentage points over June.

Hackers may have done an about-face in one popular technique: the number of messages larger than 10K declined nine percentage points, which Symantec says it in part due to a reduction in malware-containing spam. This contrasts with last month’s report, which noted a sharp increase in such spam.

The report also shows that hackers are keeping up with current events. After the World Cup ended in mid-July, they quickly changed e-mail subject lines to exploit the BP oil spill. The most popular subject lines invited recipients to claim part of a $20 billion oil fund or to learn how to be part of a settlement. Mortgage relief took two of the top 10 spots on the report's analysis of e-mail subjects. Russian spammers wasted no time adjusting their subject lines, too; Symantec says they sent fraudulent messages about air conditioners to capitalize on the extreme heat and wildfires in that country.

The phishing landscape was a bit quieter, with attacks decreasing by five percent. Symantec says the decrease was greatest in two sectors: "phishing websites with IP domains and automated toolkit attacks." Specifically, phishing Web sites created by automated toolkits declined by 60 percent, but those with unique URLs rose 10 percent since June.

Phishing attackers are moving to a new venue: chat, especially product support chat. The report says Web sites target login credentials by spoofing a company's interactive support offered via the Web. One phishing site in particular "involved bogus chat sessions to help the page look more authentic, trying to give customers the impression that the phishing website was interactive." The page asks customers for their ID and password as well as their support question. When a user clicks the "Chat" button, a page displays a chat window informing the user that a support technician will be online soon. Everything is made to look legitimate, down to displaying timer to make the experience seem real; Symantec reports that the timer was fake and the times displayed were bogus.

In this scheme, questions from users are ignored. Instead, the chat window shows a message "that the representative had left the chat session. After a couple of minutes the chat session ended and the page displayed an e-mail form. The page stated that online support was down for maintenance and prompted the customer to try again or leave a message for the support representative." Everything looks interactive, but in fact, says Symantec, it's simply an application run by the fraudster, typically using a free Web-hosting service.

When it comes to recommendations, the report lists the tried-and-true suggestions, primarily caution. The report urges users to unsubscribe from legitimate mailings no longer needed, to be caution when providing an e-mail address to site that requires registration, to delete all spam, and to avoid suspicious links in e-mail and instant messages.

The full report is available on the company's site.