Malware in spam email: Risks and trends in the Australian Spam Intelligence Database

Abstract

A 10 percent sample of a 2016 dataset of 25.76 million spam emails provided by the Australian Communications and Media Authority’s Spam Intelligence Database was scanned for malware using the VirusTotal malware database. Nearly one in 10 (9.9% or 255,222) emails were identified as malware-compromised and, similarly, 9.9 percent were identified as inactive. Of the compromised URL sites, nearly one-third (31.8% or 81,176) could be further classified as phishing (58.4%), trojan-compromised URLs (40.6%) or dedicated malicious websites (1%). All 115,025 unique file attachments found in the entire sample (0.5% of all spam) were also scanned, and 31.4 percent (36,405) were compromised with various forms of malware. The majority of compromised attachments were images (55.6%), followed by PDFs (15.0%) and binary files (10.0%). Various trojans and ransomware were the most common malware; these and the other families identified in the sample are described.
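The abstract reports a nested breakdown (emails compromised or inactive, the share of compromised URLs that could be sub-typed, the sub-type mix, and compromised attachments by file type). The following is an added example, not the paper's own analysis code, showing how multi-engine scan verdicts can be reduced to those categories; the engine labels, the phishing > trojan > malicious-site precedence and the one-detection threshold are assumptions, and the sample records are constructed.

```python
from collections import Counter

# Constructed VirusTotal-style scan records, not data from the paper's sample.
# A URL record is (labels reported by each engine, site reachable?);
# an attachment record is (file type, number of engines flagging the file).
SAMPLE_URLS = [
    (["clean", "clean"], True), (["clean"], True), (["unrated"], True),
    (["clean", "unrated"], True), (["clean"], False),
    (["phishing site"], True), (["clean", "Phishing"], True),
    (["Trojan.Downloader"], True), (["trojan", "malicious site"], True),
    (["suspicious"], True),  # flagged, but no usable sub-type label
]
SAMPLE_ATTACHMENTS = [("image", 3), ("pdf", 0), ("binary", 2), ("image", 1)]

SUBTYPES = (("phish", "phishing"), ("trojan", "trojan"), ("malicious", "malicious_site"))

def classify_url(labels, reachable):
    """Map multi-engine verdicts onto the abstract's URL categories.
    The sub-type precedence (phishing > trojan > malicious site) is an assumption."""
    if not reachable:
        return "inactive"
    flagged = [l.lower() for l in labels if l.lower() not in ("clean", "unrated")]
    if not flagged:
        return "clean"
    for needle, category in SUBTYPES:
        if any(needle in l for l in flagged):
            return category
    return "compromised_other"

def pct(part, whole):
    """Percentage rounded to one decimal; 0.0 when the denominator is empty."""
    return round(100.0 * part / whole, 1) if whole else 0.0

def summarise(urls, attachments, min_detections=1):
    """Compute the nested breakdown the abstract reports: URLs compromised/inactive,
    sub-typed share and mix, and compromised attachments with their file-type mix."""
    cats = Counter(classify_url(labels, up) for labels, up in urls)
    compromised = len(urls) - cats["clean"] - cats["inactive"]
    subtyped = sum(cats[c] for _, c in SUBTYPES)
    bad = [ftype for ftype, hits in attachments if hits >= min_detections]
    by_type = Counter(bad)
    return {
        "url_compromised_pct": pct(compromised, len(urls)),
        "url_inactive_pct": pct(cats["inactive"], len(urls)),
        "subtyped_share_pct": pct(subtyped, compromised),
        "subtype_mix_pct": {c: pct(cats[c], subtyped) for _, c in SUBTYPES},
        "attachment_compromised_pct": pct(len(bad), len(attachments)),
        "attachment_type_mix_pct": {t: pct(n, len(bad)) for t, n in by_type.items()},
    }
```

Raising `min_detections` is the usual lever against single-engine false positives; the paper's own threshold is not stated in the abstract.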
