The Spam Omelette
Welcome to the first issue of the Spam Omelette, a weekly newsletter focused on spam trends.

We analyzed a significant number of spam messages in order to create a visual map of the words most frequently used in them. This map is intended to provide visual cues for understanding new trends in spam messages, while giving researchers significant insight into current spam campaigns.
Testing methodology
To create the map, we analyzed approximately 7 million spam messages collected through BitDefender's worldwide network of honeypots. (A honeypot is an e-mail address that is used only to collect spam. It acts as if it were used by a human operator and is usually publicly displayed on discussion groups and forums.) The large number of analyzed messages and the global distribution of honeypots are guarantees of a reliable result.
The entire spam stock has been automatically parsed for words. Some commonly used words have been eliminated, since they have no relevance: our goal is to rank the "real" words, not to count how many times "a", "and" or "the" occur in these messages.
Given the enormous amount of spam messages processed, the dataset is quite large, which somewhat hinders a deep analysis. We ran a "normalization" script that simplifies the number of occurrences of a word. The procedure focuses mostly on the proportion of words, rather than on the exact number of occurrences. For instance, the word "offer" occurs in 20 percent of the analyzed spam messages, while the word "free" only occurs in 15 percent of the e-mails.
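The counting and normalization steps described above, as an added Python example (not BitDefender's own script). The stop-word list, function names and sample messages are assumptions constructed for illustration; a word is counted once per message, so the result is the share of messages that contain it.

```python
import re
from collections import Counter
from email import message_from_string

# Illustrative stop-word list (assumption: the newsletter does not publish its own).
STOP_WORDS = {"a", "an", "and", "the", "to", "of", "in", "is", "for",
              "you", "your", "this", "on", "our", "at", "out"}
TAG_RE = re.compile(r"<[^>]+>")      # crude HTML tag stripper
WORD_RE = re.compile(r"[a-z]{2,}")   # words of two or more letters

# Constructed sample messages, standing in for the honeypot corpus.
SAMPLE = [
    "Subject: Special offer\n\nCheck out the offer: FREE free free software license",
    "Subject: New prices\nContent-Type: text/html\n\n"
    "<span>Offer</span> of the week, <i>health</i> pills at low prices",
    "Subject: hi\n\nCheck this video",
    "Subject: Replica watches\n\nBest offer on replica watches",
]

def body_text(raw):
    """Return the subject plus every text part of a raw message, tags removed."""
    msg = message_from_string(raw)
    chunks = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skip multipart containers and attachments
        payload = part.get_payload(decode=True) or b""
        try:
            text = payload.decode(part.get_content_charset() or "utf-8", "replace")
        except LookupError:  # spam often declares a bogus charset
            text = payload.decode("latin-1")
        chunks.append(TAG_RE.sub(" ", text))
    return " ".join(chunks)

def message_share(raw_messages):
    """Map each non-stop word to the percentage of messages containing it."""
    doc_freq = Counter()
    for raw in raw_messages:
        words = set(WORD_RE.findall(body_text(raw).lower())) - STOP_WORDS
        doc_freq.update(words)  # a set, so repeats inside one message count once
    total = len(raw_messages)
    return {w: 100.0 * n / total for w, n in doc_freq.items()} if total else {}

def top_words(shares, n=5):
    """Return the n words with the highest share, ties broken alphabetically."""
    return sorted(shares.items(), key=lambda kv: (-kv[1], kv[0]))[:n]

if __name__ == "__main__":
    for word, pct in top_words(message_share(SAMPLE)):
        print(f"{word}: {pct:.0f}%")
```
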
The spam map was created using Wordle, a public word cloud generator developed by Jonathan Feinberg for IBM.
The resulting spam map offers visual clues about the trends in the spam industry. The visual approach is more eloquent than simple word statistics, as it provides significant details about spammers' focus shift at a single glance.
The Top 5 Results
- An OFFER you cannot refuse
This week's champion in spam messages is the word "offer". Each spam message offers something: better sexual performance through prescription drugs, cheaper OEM software or fashionable accessories - everything at a discounted price.
- Get yourself a cheap software LICENSE
Cheap OEM software accounts for a significant number of spam messages sent during this week. More and more users are lured into buying keys for OEM software (programs that are eligible for purchase only along with a new computer). This practice is extremely dangerous, as users are highly likely to receive an activation patch or a serial number obtained illegally, thus losing their right to support. Another common scenario is loss of warranty, lack of support and exposure to piracy charges because the OEM license is actually installed on an old computer.
- Everything is on discount. Enjoy the new PRICES!
One of the most important marketing strategies is claiming new and lower prices than ever. It does not matter whether you're actually selling products at more expensive prices, as few people would stop to compare your previous offers. The spam world works by the same rules, so almost every advertised good or service is available at a special price, only for you, and - of course - the other millions of recipients.
- HEALTH has always been an issue
Drug spam is usually associated with Viagra, Cialis and Levitra. However, the latest spam messages advertise a wider range of prescription-based drugs, as part of the extremely large Canadian Pharmacy business. Further research inside the BitDefender labs revealed that this type of spam is mostly sent by computers infected with the Rustock.C rootkit.
Moreover, the Canadian Pharmacy spam messages come disguised as legitimate news flashes sent by sites such as CNN, NBC and CBS. Users are even provided with a forged link to unsubscribe, but clicking on it would only confirm to the spammer that the address is in use and operated by a human user.

- CHECK this out to get infected
Most spam messages advise recipients to "check something out" in order to learn more about an offering. Our spam research revealed that most of the messages containing the word "Check" direct the user to a fake video website that attempts to plant malware on the user's computer using drive-by techniques.
As the user lands on the compromised website, a piece of JavaScript triggers the download of an infected exe impersonating a codec. The executable file is infected with various variants of Trojan.HTML.ZLOB and Trojan.Agent.AKEO, two pieces of malware that install rogue security utilities on the host machines.
What's new in the spam landscape?
The spam landscape usually offers the same products, information and services, although the message count may vary over time. However, two types of spam have re-emerged in significant proportions: the Russian Brides and the Luxury Replica categories.
The Russian Brides messages are old extortion schemes in which allegedly hot girls from Russia contact men from the United States or from the rich countries of Europe in order to get married. However, they ask their victims to cover their transportation and accommodation fees, and right after the money transfer has been authorized, they disappear forever.
Luxury accessories are yet another type of goods heavily advertised in the analyzed e-mails. The product palette ranges anywhere from designer watches to branded purses. Such replicas are in fact cheap knock-offs that are less likely to please a potential buyer, and that is only if they get shipped as promised. This increase in the product spam count may be a sign that Srizbi, Pushdo and MegaD (the botnets that deal with knock-off products) are on the rise again.
Week in review: October 20 – 25