Malware in Spam Email: Trends in the 2016 Australian Spam Intelligence Data
18 Pages. Posted: 3 Jul 2019
Date Written: September 2, 2018
A 10% sample from a 2016 dataset of 25.76 million spam emails provided by the Australian Communication and Media Authority’s (ACMA) Spam Intelligence Database (SID) was scanned for malware using the VirusTotal Malware Database over March-June 2018. Nearly one-in-ten (9.9% or 255,222) were identified as malware compromised, and a further 9.89% were identified as invalid (or inactive at the time of scanning). Adjusting for these inactive or unrated URLs, overall 10.84% of the URLs were identified as comprising malware, often obscured by URL shortening services. Of the malware-compromised URL sites, under a third (81,176 or 31.8%) were unique sites, comprising mostly phishing (58.3%) or malware-compromised URLs (40.8%). A small number (786 or 0.001%) of dedicated malicious websites were also identified.
All 115,425 file attachments found in the entire sample (0.44% of all spam) were also scanned, and 31.43% (36,405) were found to be compromised with various forms of malware. The majority of compromised attachments were found in images (55.6%), followed by PDF (14.5%), binary (9.9%), text/office files (9.3%), and zip files (5.8%). Various trojans and ransomware were the most common malware; these and others identified in the sample are described.
Compared to the 13,450,555 spam e-mails captured in 2012 by SID and scanned for the presence of malware by Alazab & Broadhurst (2016), attachments remain a high risk: 21.4% of the 492,978 found with attachments were malicious, compared to 31.4% in the present study. The prevalence of attachments had declined from 3.66% of all spam in 2016 to 0.44% of SID 2016. Of the 6,230,274 emails in the 2012 sample that contained a URL, 22.3 percent of the web links were malicious, but in the 2016 SID only 10.8% were found to be malicious.
Keywords: cybercrime, malware, spam