The June State of Spam Report highlights the ongoing trend in the decline of image spam first reported last month in the May State of Spam Report. Image spam, which reached a high of 52 percent of overall spam in January, has shown a noticeable decline in recent months, dropping around 10 percent each month in March and April to just 16 percent in May. One reason for the drop in image spam is that spammers are always going to follow the money. The drop in image spam over the last two months tells us they think they can find a more effective way to get their messages into inboxes. While we have seen this decrease in image spam, the overall percentage of spam remains the same, at an average of around 65 percent of email traffic for May.

While image spam continues to show a marked decline, spammers are implementing new tactics for driving traffic to images. One trend we have noticed is an increase in spam that uses links and embedded URLs to reference images hosted elsewhere. This tactic is very similar to traditional image spam, but whereas traditional image spam consisted of a raw image embedded in the body of the spam message, this new tactic embeds links to image hosting sites to reference the spam images.

Additional highlights in the June State of Spam Report include:

• Scams and fraud spam on the rise. Combined, these two categories of spam continued to rise from 9 percent in March to 13 percent in May. This upward trend is indicative of the continued shift in spammer behavior toward targeted, financially motivated attacks and the success that they are generating.

• Spam trends in Asia Pacific and Japan (APJ). This regional focus sheds light on the differences between the percentage of spam in specific categories seen globally and that seen locally in APJ. While the percentage of spam in specific categories seen in APJ is very similar to the global market, there are a few exceptions. The two main exceptions are the higher percentage of scams and the lower percentage of health-related spam seen in APJ. One reason for the higher percentage of scams is a spam type referred to as ‘invoice spam’, which is unique to the APJ region. The purpose of this spam is to create fake invoices from a ‘legitimate’ company and sell them to generate a profit. These invoices come complete with directions on how to complete the transaction.

For additional insights into these highlights, as well as graphics and samples, refer to the June State of Spam Report.
Many types of spam are common, such as email, SMS, splog (blog spam), and snail mail. Dave Cole discussed these in Spam: It's Not Just for Email. Today, I would like to talk about one that isn't discussed as much because it isn't as common yet: spam in multiplayer online games, or, as I like to call it, "smog".

In recent years many big titles in massively multiplayer online games have been released, and they are played by millions of people all over the world. With big groups of players, there are always a few that will pay to get ahead, and spammers know that they can exploit them. I asked several of my close friends who play online games if they've seen smog messages, and they've all experienced the same thing: offers of gold, items, and quick levels in exchange for payment. One such message offered approximately 10 gold pieces for one dollar, and character advancement for approximately $10 per day (for a process that takes up to 20 days). Assuming the spammer has automated tools that perform "gold farming" and character advancement, and tools that can improve multiple characters in parallel, this could be a profitable activity. I also asked about classic spam topics in online games, such as ads for cheap medication and fake watches, but nobody I talked to had seen those. I think it's likely that spammers are targeting a younger audience that's more interested in their 70th-level characters than in medications.

There is a major advantage for makers of online games over email, however: the game company owns the server, and the game company can stop or slow spam at the source. Email, being open to the world, doesn't have that advantage. So what have game companies done to prevent spam? Many games have a "report spam" button that lets players report spammers for investigation. Some games disallow or restrict free trials, forcing spammers to pay for accounts that can be shut down. Companies may also make it difficult to automate smog messages. Blizzard, for example, has recently implemented a new, advanced login protocol, dubbed "lockdown," on their Battle.net game servers. Lockdown helps prevent automated programs from logging into the server, reducing the quantity of automated spam.

This problem is still, at best, minor. But as online games become increasingly popular, the battle between the spammers and the game companies may also intensify. And for all you gamers out there: don't get lost in the smog.
The May ‘State of Spam’ report is now online. This month’s report highlights several interesting spam trends seen by Symantec, including the reduction in image spam, image uploading and hosting solutions used in stock spam, company character assassination spam, and a new twist on the 419 spam technique.

419 spam is named after the article of the Nigerian Criminal Code which deals with fraud, and has primarily been used to defraud individuals with stories about African dictators and the sale of natural African reserves such as oil and gas. We’ve all seen these scams. Typically they begin with a greeting and then immediately claim to need assistance in the transfer of funds to the U.S. Some try to tug on your heart strings with a story of loss, while others just make a direct play for your purse strings. But the point is, it’s a complete stranger asking for access to your bank account. Does anyone truly trust someone they’ve never met with such confidential information?

Enter the new Nigerian scam. This one poses as an American soldier stationed in Iraq, a timely shift on an old technique. The soldier has stumbled across a wealth of gold and diamonds. You are now being emailed by a soldier, an American soldier who wants to share his new-found wealth with you. Is this person really a stranger? He is an American, so it’s not like you’re sending your money to the great unknown of a stranger or foreigner, right? This one is much easier to fall for. It not only brings the promise of wealth but also the thought of dealing with a fellow American, a trustworthy soldier no less, familiar even if you do not know him personally. Sometimes the soldier in the scam is injured. He requests that the money be shared with charities; you get your portion of course, but how thoughtful of him to also include charities in his monetary giveaway!

All of a sudden the game changes: it’s no longer the Nigerian scam written in poor English where you had to deal with a stranger for the purpose of purely obtaining cash for personal gain. Instead it’s the injured American soldier who wants to share his fortune with you *and* charity. Hello spammer: this Nigerian scam twist is very similar to the premise of a movie that starred George Clooney. We still know you’re scamming for our bank accounts, and that you’re probably not an injured American soldier, nor trustworthy!
Security Response has seen a large spam run of what appears to be the latest in the line of Trojan.Peacomm variants. While this is nothing new, this time around the attachments are in the form of password-protected zip files. The recipient is tricked into unzipping the attachment with the included password, then running the unzipped file, supposedly to counteract activity related to an unknown worm (with which the recipient has undoubtedly been infected).

We've seen samples arrive in email messages with subjects including, but not limited to, "ATTN!", "Spyware Alert!", "Spyware Detected!", "Trojan Alert!", "Trojan Detected!", "Virus Activity Detected!", "Virus Alert!", "Virus Detected!", "Warning!", and "Worm Activity Detected!". The attachments are generally a .gif image file (this image contains the zip password) and the executable in the form of patch-[random four digits].zip.

The executable contained within the zip file is detected by Symantec antivirus software as Trojan.Packed.13, and is actually nothing new. It is simply a minor variant of Trojan.Peacomm that has been repacked in an attempt to avoid existing detection. If executed, this sample drops a file named wincom32.sys, which is also already detected, this time as Trojan.Peacomm.

In response to the mass spamming of unsolicited password-protected zip files, Symantec Security Response will be releasing a Trojan.Peacomm!zip detection. This detection is scheduled for release in definitions dated April 12, 2007. While Symantec customers are already protected from this threat with current definitions, it is recommended that users obtain the latest LiveUpdate definitions once they become available.
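A mail-gateway triage heuristic for the run described above, written here as an added example and not Symantec's detection logic: it flags a message whose subject is one of the listed lures and whose attachment is a password-protected zip holding an executable, reading only the zip's central-directory flags so nothing is ever extracted. The lure subjects and the patch-NNNN.zip naming come from the post; the executable-extension list and the sample message are constructed assumptions.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Lure subjects and the patch-NNNN.zip naming come from the post above.
LURE_SUBJECTS = {
    "ATTN!", "Spyware Alert!", "Spyware Detected!", "Trojan Alert!",
    "Trojan Detected!", "Virus Activity Detected!", "Virus Alert!",
    "Virus Detected!", "Warning!", "Worm Activity Detected!",
}
ZIP_NAME_RE = re.compile(r"^patch-\d{4}\.zip$", re.IGNORECASE)
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat")  # assumed extension list


def zip_indicators(payload: bytes) -> dict:
    """Inspect a zip attachment's central directory without extracting anything."""
    found = {"encrypted": False, "executable": False}
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            for info in zf.infolist():
                # General-purpose flag bit 0 marks a password-protected entry.
                if info.flag_bits & 0x1:
                    found["encrypted"] = True
                if info.filename.lower().endswith(EXEC_EXTS):
                    found["executable"] = True
    except zipfile.BadZipFile:
        pass  # not a zip at all; other indicators still apply
    return found


def triage(raw: bytes) -> dict:
    """Return the indicators seen in one raw RFC 822 message plus a verdict."""
    msg = message_from_bytes(raw, policy=policy.default)
    found = {"lure_subject": str(msg["subject"] or "").strip() in LURE_SUBJECTS,
             "zip_name": False, "encrypted_zip": False,
             "zip_executable": False, "image_attachment": False}
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if part.get_content_type().startswith("image/"):
            found["image_attachment"] = True  # the likely password carrier
        if name.endswith(".zip"):
            found["zip_name"] = bool(ZIP_NAME_RE.match(name))
            zi = zip_indicators(payload)
            found["encrypted_zip"], found["zip_executable"] = zi["encrypted"], zi["executable"]
    # Core pattern from the post: a lure subject delivering a password-protected
    # zip that holds an executable. Name and image are supporting evidence only.
    found["verdict"] = found["lure_subject"] and found["encrypted_zip"] and found["zip_executable"]
    return found


def build_sample(encrypted: bool = True) -> bytes:
    """Constructed sample shaped like the spam run; the 'executable' is inert text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("patch.exe", b"inert placeholder, not a program")
    data = buf.getvalue()
    if encrypted:
        # zipfile cannot write encrypted entries, so set flag bit 0 by hand in the
        # local file header (flags at offset 6) and central directory (offset 8).
        lh = data.index(b"PK\x03\x04")
        data = data[:lh + 6] + b"\x01\x00" + data[lh + 8:]
        cd = data.index(b"PK\x01\x02")
        data = data[:cd + 8] + b"\x01\x00" + data[cd + 10:]
    msg = EmailMessage()
    msg["Subject"] = "Virus Detected!"
    msg.set_content("Unzip the attached patch with the password shown in the image.")
    msg.add_attachment(b"GIF89a", maintype="image", subtype="gif", filename="password.gif")
    msg.add_attachment(data, maintype="application", subtype="zip", filename="patch-4821.zip")
    return msg.as_bytes()
```

Running `triage(build_sample())` returns every indicator set and `verdict` True; the same sample with an unencrypted zip keeps the lure and executable indicators but no verdict, which is the point of requiring all three together.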
Alright, I’ll fess up: spam has never been just for email, in spite of our cluttered inboxes that loudly protest to the contrary. Spam’s early commercial origins point back to a 1994 message to 6,000 Usenet recipients by a couple of immigration attorneys named Canter & Siegel from Phoenix, Arizona, who were promoting their services to enroll people in the national green card lottery. From these roots, spam moved on to its dominant format today: email. Nonetheless, the flood of SMTP-based spam we see today may obscure the other flavors of spam that have popped up, including IM spam, SMS spam, and the Web 2.0 buzzword-friendly “splog”.

I’ll spare you all the gory details on IM and SMS spam; they’re pretty straightforward. IM spam has yet to reach major proportions, but it’s certainly out there, plugging spy software, ringtones, and other services. SMS spam has been highly visible overseas since 2001, especially in Asia where SMS has been used heavily for some time, prompting Japan to enact new legislation to combat the scourge. Additionally, South Korea’s Ministry of Information and Communication moved to implement limits of 1000 messages per day per user to curb rogue marketers. In January of this year, Illinois Attorney General Lisa Madigan filed suit against two SMS spammers who blasted off no less than 5 million unsolicited text messages to cell phone users across the country in late 2006. Hold onto your seatbelt; the SMS spam phenomenon has only just begun.

IM and SMS spam, as nasty as they may seem, don’t appear to be as prevalent as splogs, based on recent statistics. Splogs are fake blog sites developed with the intent of pumping traffic to affiliated Web sites or manipulating search engine results through linkflooding or other tactics. Usually, they make use of other sites’ legitimate content by “scraping” their text and re-posting it as their own to improve the appearance of having real, original content. A recent study claims that 74 percent of all blogs are actually splogs created purely for advertising purposes. Even if they’re off by an order of magnitude with their numbers, that’s still a ton of splogs per legitimate blog. This threatens to diminish the overall credibility of blogs themselves, as it seems to be easier to bump into junk in the blogosphere than real content.

Will we soon long for the days of simple email-based spam while sorting through garbage splogs and irritating SMS spam? It’s a little early to tell if we’re headed towards that type of nostalgia, but what is clear is that spam isn’t just for email anymore.
The Symantec “State of Spam” report for April 2007 is now online. This month’s report includes a spotlight on spam trends in the Europe, Middle East, and Africa (EMEA) region. One of the highlights is a discussion of the categories of spam detected in EMEA. I found this particularly interesting because there were some marked differences between worldwide spam and EMEA-specific spam.

The most notable instances were the financial and scam categories. Whereas spam related to financial goods and services accounted for 20 percent of worldwide spam, it accounted for 31 percent of spam detected in EMEA. Spam messages detected in the EMEA region that were categorized as scams were double the number reported worldwide. While only six percent of all messages globally were scams, 12 percent of spam in EMEA included scam messages. The common theme apparently is how the spammer can relieve you of your money, be it through bogus financial gains of penny stocks or finagling it through scams such as the Euro lotto. Globally, the top spam category was health, but in EMEA this was not the case. While the rest of the world was being subjected to spam advertising weight loss drugs and herbal remedies, EMEA was being spammed with messages on how to increase wealth and what financial investments to make.

Another trend that is emerging in EMEA is the spamming technique of inserting Russian and German text in the bodies of messages. Spammers do this to obfuscate the text enough to escape filtering by anti-spam products. This is a twist on an old obfuscation technique that we refer to as a “Shakespeare attack,” in which spammers insert random excerpts from a book somewhere in the body of the spam message. Oftentimes this text is generated by a randomizer to ensure that the same excerpt is not delivered in every message. In EMEA, this Shakespeare text is being generated in Russian and German instead of English.

The “State of Spam” report also reveals that multi-language spam is now being used in EMEA. Where English was once the language of spam, several additional European languages are now successfully being utilized to send spam messages. These languages are now fully integrated into spam and spammers are taking full advantage. I would insert a lame joke about resistance being futile, but it’s not. Being well staffed with multi-language capabilities, we’re prepared for languages other than English. For more on these issues and other spam trends that Symantec has observed over the past month, please read the latest “State of Spam” report.
Webmail has become ubiquitous: most people have at least one account and some people use several. As the folks at Google pointed out this April Fool’s Day, we’ve gotten to the point where the idea of relying on postal mail for communication is almost completely absurd. Services like Google’s Gmail, Microsoft’s Hotmail, and Yahoo! Mail all offer an incredibly large amount of storage and can be accessed from almost any internet-connected machine.

This weekend I got an email from a friend, arriving from her Hotmail address. It was actually an auto-generated invitation link to a social networking service called ‘Tagged’. Tagged is employing some very sketchy tactics in expanding their user base. While the whole idea behind Web 2.0 is the combination of existing Web services/technologies to make them more useful, when a user signs up for Tagged, they’re practically forced to put in their Webmail credentials. Tagged then logs into your Webmail account as you, accesses your address book, and prompts you to email your contacts using your Webmail address as the reply-to. It’s difficult to recall all of the mass-mailing worms we’ve seen that have used similar strategies for propagation. Melissa and Lovebug would be good examples.

Fortunately, Tagged isn’t actually sending the emails as the user whose login credentials they’ve borrowed; the email is just coming from Tagged’s server, so it’s not difficult to blacklist. But Tagged’s signup process is sparse on the details about why they ask for the information they want, and what they’re going to do with it. Clearly they’ve snagged all the email addresses in your address book, which would be useful for sending future advertising-based spam, but they’ve also taken your Webmail login credentials and not really told you what they intend to do with them. It’s interesting in that they’ve circumvented the need to mock up your Webmail site, but still had the effect of a phishing attack. With the search capabilities of most modern Webmail services, and the number of people doing online banking, it doesn’t take a lot of imagination to see where this kind of site could head.

Though we’ve all heard it before, the best way to avoid these situations is to avoid giving your credentials to third-party sites. Just like you wouldn’t give your banking info to your mailman, you shouldn’t give your banker a copy of your mailbox key.
Twice a year, Symantec produces the Internet Security Threat Report, a comprehensive report outlining the major trends in Internet security over the previous six-month period. One security concern that is of interest to many people is the growth of spam and spam-related issues. Symantec monitors the source and volume of spam from around the world and uses this information to discuss the major trends in the spam-related landscape.

One trend that has been relatively steady is the largest country of origin for spam messages. In the second half of 2006, around nine out of 20 spam messages were sent from the United States. This highlights that although some other countries are gaining notoriety for being spam havens, the United States is still the number one spam distributor in the world. In fact, spam from the United States outnumbers spam from the second closest country, China, at a rate of seven to one. So although countries like China, Russia, and Brazil are touted as being the origin of the new wave of spam, they have a long way to go to catch up to the spam juggernaut that is the United States.

This is not to say that the spammers themselves are American. The purveyors of illicit pharmaceuticals, gurus of pink sheet penny stocks, and so-called representatives of “your bank” may very well be from China, Russia, Brazil, and other countries, but the spam itself is sent mostly through American computers. This has much to do with the way spam is distributed throughout the Internet. Spammers use computers infected with Trojans and other malicious code as surrogates to send out their bulk emails. This is so that when a spam email is received, it cannot be easily traced back to the original sender. The malicious emailing programs installed on computers around the world can be used to send emails directly from the computer, to send emails through the ISP of the computer’s owner, or to bounce an email along to another compromised computer.

When a computer is used to send a spam email directly, it is detected by Symantec as a spam zombie. In the most recent Internet Security Threat Report, Symantec has kept track of and compiled a list of the top countries where these spam zombies were detected. Not surprisingly, the United States topped this list as well, although with only a slight lead over other countries. Compared to the much larger proportion of spam received from the United States, this can mean one of two things: spam zombies in the United States are being used to send exceptionally large volumes of spam compared to spam zombies in other countries, or more spam from the United States is sent through ISPs and other sources than directly from spam zombies in the United States. Since many of the countries with many spam zombies have high broadband penetration (Germany and France, for instance), it is not likely that spammers are able to get a higher throughput of spam from American computers, especially since these countries are the source of much less spam than the United States. The most likely explanation is that spammers are more likely to use ISPs or free email addresses in the United States to send their spam.

As the spam landscape develops, Symantec is constantly tracking and analyzing data so that everyone – from home users to network administrators to executives – can become aware of what the future of the Internet will bring. For more information, download a copy of the latest Symantec Internet Security Threat Report.
Replica watches are all the rage these days. It seems, with all the spam that I’ve seen lately about replica watches, that they are the "must have" of the season. Come get your replica watch at hundreds and sometimes thousands of dollars off the retail price of the authentic version!

Replica watches are not a new thing. No, they have been hawked on the Internet and the streets of major cities for a long, long time. What we at Symantec have recently been seeing is wave after wave of email spam regarding replica watches over the past few days. Most of these attacks have been high in volume. What specifically are these spammers hawking? Replicas of Rolex, Cartier, Breitling, Omega, Hermes, and many other top brands. When you click on the link provided in the spam emails, the intent of the spammers becomes obvious as you are taken to Web sites with large pictures of the wares that they are trying to sell. Every time I open a link to a replica site, I can almost hear the distant call of a hawker on a street corner shouting out his wares, “Get your Rolex here! I've got Omega for you!” I do not endorse the purchasing of replica watches via a spam advertisement, nor do I think they are the must have of the season. What season would that be anyway?

What I find interesting is the apparent increase in this spam type with no direct correlation to anything. For example, we will usually see an increase in flower-related spam close to Mother’s Day and an increase in fine chocolate spam close to Valentine’s Day. Increases in products like replica watches usually occur closer to more general gift-giving times, like graduation and Christmas, which is why I am surprised that spam about replica watches seems to be peaking now. I think there would be a more lucrative time for this product.

In most of the replica watch attacks we’ve seen, the spammer has utilized the hijack technique as described in this past blog. The body is often a legitimate-looking message such as a newsletter, which (at the end or beginning) contains a URL to a Web site selling replica watches. The headers look like spam, with the "from" and/or "subject" lines consisting of spam content. This should be a flag that lets the end user know that the message contained within is spam. As these messages are easily identifiable as spam by the Symantec Brightmail AntiSpam solutions, there is a high likelihood that you will not get your replica watch unless you go looking for leads elsewhere.
No, this is not a new Monty Python skit. This is a real operation and is being implemented right now by the Securities and Exchange Commission (SEC). Operation Spamalot has halted trading in 35 companies. The reason is basically that information regarding these companies has been spammed out through email to millions of people, touting false or misleading information in order to drive up stock prices. We in Security Response have spoken of this phenomenon before in a couple of recent blogs, Spam and Stock Speculation and Trojan.Peacomm Part 2. But now, the SEC has stepped in and is trying to put a stop to this activity and protect investors. They also state that there is an ongoing investigation to find the people who are responsible for this "misconduct."

Until the people behind the spamming are caught, this type of scam will probably continue. The possible financial gain is such that the individual(s) responsible will probably continue taking these risks. When an organization as powerful as the SEC stands up and takes notice, this clearly shows that it's not just another meaningless email that has found its way to your inbox.