Spam continued to be the scourge of inboxes around the world in February, when the spam rate surged to 89.4 per cent, an increase of 5.5 per cent over the previous month. As expected, a number of spam campaigns were launched related to Valentine’s Day. But the jump in spam can’t be blamed entirely on this holiday.
Instead, Canadian pharmaceuticals were a primary cause in recent months. According to the latest MessageLabs Intelligence Report, pharmaceutical spam accounted for approximately two thirds of all spam. Since then, pharmaceutical spam has risen above 80 percent of spam, and “Canadian Pharmacy” is one of the most well-known brands.
MessageLabs Intelligence found that the spikes in volumes this month were driven by a Canadian Pharmacy-style spam campaign and that the Grum and Rustock botnets were generating the surge.
Beginning in early February, Grum expanded its spam output by 51 percent, making it responsible for 26 percent of all spam. Typically, it accounts for 17 percent. Global spam volumes hit their highest levels for the month on February 17, when Rustock’s additional output increased global spam volumes by 25 percent.
Specifically, Grum increased the volume of one spam campaign with the subject: “Hi.” A closer examination indicated that it was a Canadian Pharmacy-style spam run, typical of the kind that we have seen in significant volumes in 2009 and continuing into 2010.
Much of the pharmaceutical spam in circulation is connected with this Canadian Pharmacy Web site or similar ones, such as Canadian HealthCare and United Pharmacy. The spam includes hyperlinks leading to such Web sites with a variety of pills for purchase.
The sites share almost exactly the same underlying design and the same prices. A mash-up even exists between the Canadian Pharmacy and the United Pharmacy sites. For example, clicking on the FAQ of Canadian Pharmacy takes you to the FAQ of United Pharmacy.
This strongly suggests that the spammers promoting these Canadian Pharmacy Web sites represent a single spam operation. The use of multiple botnets to distribute several high-volume spam campaigns has produced the recent growth in global spam rates.
We have observed an explosion of new brands focused on different geographic regions and suspect they are all related to the Canadian Pharmacy operation. Based on this latest pattern of spikes, we can predict likely surges in spam over the coming weeks.
We have also seen a new Web site called “Toronto Drug Store” appear on the spam landscape. After reviewing its contents, we found it shared similar branding and content with other pharmaceutical sites, such as Canadian Health & Care Mall, Canadian Pharmacy Network and My Canadian Pharmacy.
These sites are also selling the same pills at the same prices, with the same specials, content and designs. The original spam emails have similar wording and designs. This suggests that these Web sites are being run by one operation or being franchised by a small number of groups.
Our analysis indicated that pharmaceutical spam and the associated Web sites are falling into these two main operations: the more established Canadian Pharmacy and the emerging Toronto Drug Store. Canadian Pharmacy may need to watch its back as such new entrants try to expand.
In addition to this pharmaceutical spam issue, the February 2010 MessageLabs Intelligence Report revealed other ongoing threat trends that should be watched in the fight against viruses and other unwelcome content:
- In Canada, the spam rate was 88 percent and one in every 364.8 emails contained malware.
- Globally, the virus rate was one in every 302.8 emails.
- Global phishing activity was one in 456.3 emails. When viewed as a percentage of all email-borne threats such as viruses and Trojans, phishing emails had grown to 56.1 percent, an increase of 5.1 percent
- An average of 4,998 new Web sites per day was identified as harboring malware or other unwanted programs such as spyware and adware, an increase of 184 percent over January.
- The most spammed industry sector was engineering, with a spam rate of 93.1 percent.
- The public sector was the most targeted for malware with one in 88.1 emails being blocked as malicious.
The threat scene clearly remained very active in February. Organizations of all sizes need to continue to monitor these trends and adopt security services and solutions that can protect and manage their business critical information.
Matt Sergeant is a Senior Anti-Spam Technologist with Symantec Hosted Services