IBM X-Force Report: Spam on Decline, Don’t Start Celebrating Just Yet

Ah, spring is in the air! You can tell, without need of a calendar, that old man winter has wheezed out his last stale breath of frigid air. The ground begins to thaw and grass, the guiltless victim of months of snow and ice, appears and begins to show signs of life. Birds sing sweetly, announcing the dawn of each new day like we’ve all been victims of a cruel joke – inmates wrongfully accused, now subject to reprieve. That’s all nice and fine, you might think, but what about the true sign that spring is here?  Worry not: perhaps the surest sign that spring is in the air is the day that IBM’s security group, X-Force, publishes its annual report on the state of all things Internet security. That happened this week when the group published its 2011 Trend and Risk Report, and as usual, it’s a good read right from the Executive Overview.

The report has a lot to offer this year, from IBM X-Force officially dubbing 2011 the “year of the security breach” to an unprecedented number of security breaches at certificate authorities. From a never-before-seen increase in Mac malware to a threefold increase in the number of shell command injection attacks, 2011 was indeed a black year for anyone focused on keeping the Internet safe from malicious attackers. But what about spam?

Spam on the Decline

According to X-Force, spam continues to see a decline, with overall spam numbers weighing in at their lowest volume since mid-2008. X-Force attributes this decline to the takedown of several high-value botnet targets, something we’ve been saying all along, so there’s nothing terribly shocking about X-Force’s numbers. The report breaks down the year in spam into six phases; the first five, dating from December 2010 to August 22, 2011, were discussed in detail in IBM’s X-Force 2011 Mid-Year Trend and Risk Report. What’s most revealing about the last quarter of 2011 are phases five and six: while there was definitely a decrease in the overall amount of spam, the more telling development is the significant increase in the percentage of plain text and image spam.

Plain text: there’s nothing plain about it

IBM X-Force notes the near continuous increase in plain text spam as being a very significant trend. “In previous years we have seen between five and 30 percent of spam written in simple plain text. This is the first time that we observed these high values—sometimes more than 80 percent in phase five—over a longer period of time.” Plain text spam, the report notes, “makes it even harder for content-based spam detection because there is no fixed feature like a special kind of attachment or suspicious html code sequences that can be used to build patterns.”

Spammers are fans of Homer, and we don’t mean Simpson

If spammers can read – and the jury is still out on that one – then they must love ancient Greek epics. Trojans are the attachment of choice for purveyors of spam, notes the X-Force report. “In the second half of 2011, we saw three spikes of emails with ZIP attachments between 18 and 43 percent, each measured on a daily basis. Trojans are the favorite type of malware attachment. More than 50 percent of ZIP attachments during the peak at the end of July contained the Trojan:Win32/Fivfrom.gen!B.” To entice users to open the attachments, the report notes, several variations on spam sent during phase 3 (March through May, just after the takedown of Rustock) were used, notably “a message that the user’s credit card will be charged for an amount over one-hundred USD and that the user can find the details in the attached file.”

Now you see me, now you don’t

Image spam was perhaps the most surprising development at the end of 2011. While earlier instances of image-based malware used the image to deliver the spam message (for example showing some pills or displaying a URL), the majority of the newer image spam is “logos of legitimate organizations or companies,” the report states. “The text of the email states something similar to: Your transaction failed, please click on the link to see the details” or “We have received a complaint about your business, please click here.”
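To make the categories in the plain text, ZIP attachment and image sections concrete, here is an added example (not code from the X-Force report or from this post) that buckets messages by MIME structure alone and reports each bucket's share of a mail sample. The bucket names, function names and sample messages are assumptions constructed for illustration.

```python
from collections import Counter
from email import message_from_string, policy
from email.message import EmailMessage


def structural_class(raw):
    """Bucket one raw message by MIME structure alone; the body text is never read."""
    msg = message_from_string(raw, policy=policy.default)
    types, names = set(), []
    for part in msg.walk():
        if not part.is_multipart():
            types.add(part.get_content_type())
            names.append((part.get_filename() or "").lower())
    # ZIPs are often sent as application/octet-stream, so check the filename too.
    if "application/zip" in types or any(n.endswith(".zip") for n in names):
        return "zip-attachment"
    if any(t.startswith("image/") for t in types):
        return "image"
    if "text/html" in types:
        return "html"
    return "plain-text"  # no attachment, image or HTML part to build a pattern on


def class_shares(raw_messages):
    """Percentage of messages in each structural bucket."""
    counts = Counter(structural_class(m) for m in raw_messages)
    return {k: round(100 * v / len(raw_messages), 1) for k, v in counts.items()}


def build_sample(kind):
    """Constructed test message (not real spam) of the requested structure."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content("Your transaction failed, please click on the link to see the details")
    if kind == "html":
        m.add_alternative("<p>see details</p>", subtype="html")
    elif kind == "image":
        m.add_attachment(b"\x89PNG", maintype="image", subtype="png", filename="logo.png")
    elif kind == "zip":
        m.add_attachment(b"PK\x03\x04", maintype="application", subtype="zip", filename="details.zip")
    elif kind == "zip-generic":
        m.add_attachment(b"PK\x03\x04", maintype="application", subtype="octet-stream", filename="Details.ZIP")
    return m.as_string()


SAMPLES = [build_sample(k) for k in ("plain", "plain", "html", "image", "zip")]

if __name__ == "__main__":
    for bucket, pct in sorted(class_shares(SAMPLES).items()):
        print(f"{bucket:15s} {pct:5.1f}%")
```

The plain-text bucket is the one where every structural check comes back empty, which is the property the report says makes content-based detection harder.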

But wait! There’s more!

There’s much more in this very interesting report, so surf on over to the IBM X-Force site to check it out for yourself.
