Spammers are resilient, switching tactics to send spam from compromised user accounts in the wake of recent botnet takedowns.
Spammers don't need botnets to send masses of spam anymore, as they switch
to using legitimate Web email accounts, according to the latest quarterly
report on Internet threats.
Spammers are increasingly relying on compromised Web mail accounts to push
out their email messages, researchers found in Commtouch's quarterly Internet
Threat Trend Report released July 12. The report is based on the analysis of
data collected by the company's cloud-based GlobalView Network service during
the second quarter of 2011.
After Microsoft and Department of Justice officials worked together to seize
several command-and-control servers belonging to the Rustock
botnet in March
, global spam levels dropped 30 percent. Generally, once a botnet
, spam levels drop temporarily but return to normal levels after a
few weeks, according to Commtouch. Last quarter saw spam levels stay at the
"relatively low levels" weeks after the takedowns occurred.
"Spammers are trying to outmaneuver IP-based spam blocking techniques
as well as law enforcement that have both effectively targeted
," said Amir Lev, Commtouch's CTO.
Rustock was one of the largest spam botnets in operation, at one point
accounting for nearly half of all spam being sent worldwide. Spammers appear to
have not yet recovered
from the takedown
attempt but, instead of fighting back, appear to have
changed tactics, Commtouch researchers found.
"The new tactic therefore calls for the use of compromised accounts to
send spam as opposed to using botnets," the researchers wrote.
Email-borne malware attacks surged in the second quarter as cyber-criminals
sent messages designed to steal log-in credentials, log in to email accounts
and send spam from those accounts, according to the report. The preferred
method appeared to be compromising a Web mail account from one of the major
services, including Yahoo, Google's Gmail and Microsoft's Hotmail. In many
cases, the attackers compromised a user with a weak password and then spammed
all the contacts.
Criminals "are now using a combination of malware and phishing to
compromise legitimate accounts," Lev said.
There were larger malware outbreaks and more phishing attacks last quarter
because cyber-criminals are trying to acquire enough compromised accounts to
make spamming viable. The number of compromised accounts is important because
spammers face some restrictions with compromised accounts. The mail provider
would notice a significant uptick in volume if the cyber-attackers tried to
send out thousands of emails at once and would shut down the account, Commtouch
said. Spam would still be sent, but in smaller volumes.
Overall, global spam levels declined during the second quarter, averaging
113 billion messages per day, the lowest figure recorded in three years,
The move away from botnet spam can also be explained by the better IP
reputation mechanisms used in anti-spam products to successfully blacklist
zombie IP addresses and spam, according to Commtouch. It's harder for anti-spam
technologies to stop spam originating from compromised Web mail accounts using
IP reputation because the addresses exist within legitimate address ranges
belonging to the providers.
However, botnet infection rate has not declined, as 377,000 zombies were
activated daily during the second quarter, compared with the 258,000 zombies in
the first quarter. India continued to have the most zombies last quarter, with
17 percent of all zombies worldwide.
Pharmaceutical spam was the most popular type of spam sent during the second
quarter, representing 24 percent of total volume. This was a drop from the
first quarter, when it accounted for 28 percent.