Spam peaks at 88%

By Leon Engelbrecht for Symantec
Johannesburg, 04 Apr 2008

Spam averaged at 81% of all e-mail traffic last month, peaking at nearly 88%, a new all-time high, says security software vendor Symantec in its April spam report.

This compares to around 65% in the first half of last year and 70% in the second semester of 2007.

The report also highlights the emergence of 419 scam spam related to the 2010 Soccer World Cup. "Traditionally, 419 spammers used the premise of unclaimed riches to lure their victims, but now they have also started using the 2010 South African World Cup as a ruse to entrap their victims," the report says.

The fraudsters request e-mail recipients to download a Rich Text File, claiming the attachment file is a winning lottery ticket notification. The document claims the draw is sponsored by "British American Tobacco Companies (sic) SA" and includes contact details for a "Mark Thambo" (sic) at a Yahoo address. As usual, the "winner" must supply the fraudsters with personal information.

Another trend that could be replicated in SA involves the close of the US tax year later this month. The Symantec report says some spammers have taken to disguising themselves as the fearsome US Internal Revenue Service (IRS).

One group of IRS frauds claim they will refund taxpayers once they input their credit card information on a site that does not bear the IRS URL. "The site is fraudulent and nothing more than a collection tool for credit card and other personal information," Symantec warns.

Another group uses social engineering to get recipients to download a virus. "In one example, the spammer indicates that a new law requires you to download tax software," Symantec says.

"There is no existing law stating that you need a computer to complete your tax returns. If that wasn`t enough of a red flag, the site that you actually download the 'software` from is not a government site. Instead, it is merely an IP address.

"In the body of the message, the URL does appear to be a legitimate government site, being 'irs.gov/softwareupdate`. However, when you click it, you are redirected to the IP address hosting the virus. Upon going to the official IRS site (irs.gov) and manually typing in irs.gov/softwareupdate, 'The requested page does not exist. Please check your URL` error message is displayed."

Symantec warns that, at first glance, "this message does appear to be legit, at least on the surface, carrying legitimate-looking 'From` and 'Subject` lines, as well as a seemingly credible link referencing the IRS".

Another example, cited by Symantec, harnesses TurboTax, a popular US tax software. "Here the spammer is also advising the recipient to download software updates to comply with new IRS requirements. The first red flag would be the 'From` line which does not look like it originates from the business as it contains a '.cn` domain."

"The second red flag is that the URL, which the 'turbotax.com/update` resolves to, does not resolve to the TurboTax official Web site, but instead to an alphanumerically randomised URL consisting of a blank page with a pop-up that asks you to download a suspicious file."

Symantec says a user should be able to identify that the e-mails are not legitimate by analysing them using common sense and a few best practices.

"Do not download anything from an e-mail on your computer unless you are sure that the e-mail is genuine and comes from someone or some company that you know and trust. Also, be sure to use a mail security technology that offers up-to-date protection against the complete suite of security threats. You can always call a company`s support line from a phone number retrieved on their official site with details of the message and ask them to confirm its validity."