The Deadly Duo: Spam and Viruses, September 2005

Financial institutions work to shore up opportunities for phishing (define) attacks to affect customers. Financial spam, not including phishing, continues to rise.

To fight phishing attacks, Wachovia altered the way it communicates with customers, among other approaches to protecting account holders. The bank implemented a message center for pertinent contact, rather than allowing for any request of information to happen outside a secured area.

“We’re relying a lot more on what’s called our authenticated email and authenticated message center,” Wachovia company spokesperson, Doug Caldwell, told ClickZ Stats. “If there’s a case where there is account information being requested, you will receive an email saying you have a message in the message center. There will be no live link in the email, you will have to log in to retrieve the message.”

In addition to the message center and continued education of its employees and customers, the financial institution scours the Web to find the URLs of potential phishers, to shut down sites before attacks occur.

Identification of phishing email messages and other classes of spam is getting harder for some spam filters, according to Clearswift. The company finds an increase in spam using legitimate Web sites as jump-off points, making it difficult for anti-spam software filters to eliminate the spam. Spammers are using Yahoo and GeoCities, among other venues, for initial links from spam.

Other changes in approach include a more sophisticated sentence randomization to disguise trigger words, such as “V1agra,” “Levitr@,” and “C!ialis.”

Enforcement by the Nigerian government attributes to the reduction in Nigerian 419 email messages, which accounted for just 1 percent of all scams in September, and 0.1 percent of all spam. Actions taken by Nigeria’s Economic and Financial Crimes Commission resulted in the recovery of cash and assets worth more than $700 million since 2003, according to a report issued in August.

Phishing scams are down to 1.5 percent, but financial spam increased from 31 percent to 33 percent in September. Despite increased interest in online gambling, spam relating to the trend has decreased, as has healthcare spam.

The survey approach is the new favorite among spammers, playing on users’ interest in current affairs. Several “nationwide surveys” offer incentives such as Visa gift cards and laptop computers to recruit users.

The software security firm Symantec identified the top cities for bot-infected computers. The firm finds factors that play a role in the population of infected computers: the size of the city and the rate of broadband growth in the city. In world ranking, Cambridge, England, topped the list for occurrences of bot-infected computers. Princeton, NJ, ranked first in the U.S. list and second in the worldwide list. The firm speculates new students at large universities in both cities caused the spike in September. It also states South America may become prone to bot infection as the growth rate of high-speed Internet continues within the continent.

Analysis using Bayesian filtering (define) by Roaring Penguin Software identified the 10 most used “tokens,” or indicators identifying a spam message. The list includes trafficking and HTML codes commonly used by spammers and language commonly used in spam email. A second list used Bayesian filtering to identify word pairs commonly used by spammers. Recognition of pairs used in spam increases the Bayesian engine’s effectiveness.

Bayesian Filter Identified Spam Triggers
Top 10 Spam Tokens
Position Spam Token
1 B00005MOTG
3 sidebacks
4 pillsheaven
5 20mg
6 htmlfooter
7 cds-for-you
8 RoIex
9 BvIgari
10 PhiIippe
Top 10 Spam Word Pairs
Position Word Pair
1 biz uns
2 Macromedia Corel
3 Professional $79
4 Photoshop Including
5 Professional Including
6 $79 Office
7 Including Service
8 Including ImageReady
9 $79 Adobe
10 $89 Microsoft
Source: Roaring Penguin Software, 2005

A few old viruses reappeared in September. Kaspersky Lab spotted the return of NetSky.x, Mytob.y,, and Mytob.x viruses. Several viruses increased in frequency while Zafi.b held its position. The lab did not pick up on the presence of any new threats.

Top 20 Virus Threats, September 2005
Position Change in Position Name Percentage
1 3 Email-Worm.Win32.Zafi.d 17.17
2 -1 Net-Worm.Win32.Mytob.c 16.69
3 0 Email-Worm.Win32.Zafi.b 11.35
4 4 Email-Worm.Win32.LovGate.w 6.64
5 1 Email-Worm.Win32.NetSky.b 4.32
6 5 Net-Worm.Win32.Mytob.q 3.86
7 -2 Net-Worm.Win32.Mytob.bk 3.10
8 -6 Email-Worm.Win32.NetSky.q 2.99
9 3 Net-Worm.Win32.Mytob.t 2.53
10 4 Net-Worm.Win32.Mytob.u 2.50
11 7 Net-Worm.Win32.Mytob.r 2.02
12 -5 Email-Worm.Win32.NetSky.aa 1.59
13 6 Net-Worm.Win32.Mytob.a 1.56
14 Return Email-Worm.Win32.NetSky.x 1.46
15 Return Net-Worm.Win32.Mytob.y 1.35
16 Return 0.97
17 -8 0.85
18 -3 Email-Worm.Win32.NetSky.t 0.80
19 -9 0.79
20 Return Net-Worm.Win32.Mytob.x 0.77
N/A Other malicious programs 16.69
Source: Kaspersky Lab, 2005

Related reading