Surge in attachment spam a sign of desperation, say experts

Overall spam levels flat so criminals try to rebuild bots

Botnet criminals have flooded the Internet with a surge of attachment spam in recent weeks in a desperate attempt to rebuild a spam-distribution industry under pressure, security experts have suggested.

Although this surge has been widely reported as a significant return for spam generally, levels are in fact subdued. It is more likely a sign of stress for a part of the cybercrime economy that has had a bad year.

Figures from M86 Security (see below graph) show a spike in attachment spam (emails with malware files attached) beginning at the beginning of August, which at one point accounted for a quarter of all spam seen by the company. That is more than a blip - attachment spam normally makes up fractions of a percent of all spam.

Fellow security company Commtouch also reported attachment spam as having risen 500 percent between 8 and 12 August on the back of a campaign using the common lure of fake UPS or DHL package notifications. Sophos has posted a useful analysis of one of the current crop of bogus package delivery messages.

Putting the attachment surge in context, figures from the same companies show that overall spam is still at historically low levels after the closure earlier this year of Rustock, one of the most prodigious spam botnets. Overall, then, spam levels appear to be continuing their gradual decline.

So where is the new wave of attachment messages coming from and does the latest campaign have any deeper significance?

Most of the messages appear to originate with an unremarkable botnet called Cutwail, backed up by activity from two other small players, Festi and Asprox. The attachments themselves are designed to hit computers with a range of malware, including fake antivirus campaigns and the SpyEye banking Trojan as well as to recruit them to relay spam.

This looks pretty mundane. The carriers are bog-standard DHL emails backed by attachments that serve the same Trojans that make up most Internet malware campaigns. The innovation level is very low and has echoes of a campaign run by criminals in March and April.

According to M86 product manager, Ed Rowley, the campaign is probably a symptom of the stress the spammers are under at a time when the phenomenon has lost some of its old potency.

"I think it is linked to the low levels of spam. We have seen spam drop and this is an attempt to rebuild the botets, " he said. "The criminals are trying to lay the foundations of future attacks."

This view is echoed by Daniel Axater, CEO of Swedish mail filtering company CronLab, which has also noticed the attachment phenomenon. "Any views on why this sudden surge would be speculation, but to me it looks like they're trying to use this attack to expand the size of the botnets," he said.

Criminals are always trying to increase their empires, but what points to the desperation of criminals is that they are using such hackneyed and generally easy-to-spot methods to carry out this task. Attachment spam is generally a last resort because while dangerous it is also difficult to slip past spam filters. Most users, especially corporate users, will never see the emails at all.

Any botnetter willing to try the high-visibility technique will have to compensate for this filtering by sending large number of messages to have any chance of success. That in turn raises the campaign's visibility further.

That several security companies have noticed the campaign within the same period of days suggests that the returns are likely to be very modest, mainly hitting users on small, poorly-defended ISPs running obsolete and unpatched operating systems such as XP.

After years of effortless success, spammers have had a relatively bad time of it this year, especially after the downing of major spam relays such as in September 2010 and Rustock in March this year. Without some innovation, that decline could be set to continue.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags securitysophosM86 SecurityPersonal Tech

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

John E Dunn

Show Comments



Sansai 6-Outlet Power Board + 4-Port USB Charging Station

Learn more >



Back To Business Guide

Click for more ›

Brand Post

Bitdefender 2018

Roam freely in the digital world. Critically acclaimed performance and security at your fingertips.

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?