The threat level in the field of e-mail security increased in 2012 and will continue to do so in 2013 – despite the fact that spam levels decreased by 53% in 2012 as compared to 2011. Those were the results of analyses performed by the Eleven Research Team which investigated e-mail security trends for 2012 and provides an outlook of coming trends in 2013.
Eleven experts’ conclusion: the share of particularly dangerous e-mails such as malware messages, drive-by attacks, and targeted phishing e-mails considerably increased in 2012. That also heightened the average level of danger for individual unwanted e-mails. More spam, malware, and phishing e-mail is being specifically sent to targeted circles of recipients and is becoming increasingly difficult to differentiate from legitimate messages.
The trend from pure quantity toward a mixture of bulk and highly professional campaigns of unsolicited and dangerous e-mails will also continue in 2013.
The five most important e-mail security trends in 2012:
1. 2012 was the year of targeted spam, malware, and phishing campaigns. Eleven observed a significant increase in country-specific campaigns written in each country’s national language and which use brands popular in each respective country as bait. These efforts are made in an attempt to significantly increase the number of e-mails opened.
2. The role of particularly dangerous e-mail attacks increased in 2012: while spam levels decreased by more than 50% in 2012, levels of malware sent via e-mail skyrocketed. For known viruses, that increase was 226%; for virus outbreaks, it was 153%. The share of known viruses out of all e-mail increased from 0.06 to 0.4%; new malware increased from 0.04 to 0.5%. Simultaneously, spam shares decreased from 87.4% to 75.8%.
3. 2012 marked the first year in which drive-by attacks played a key role in spreading malware. In drive-by attacks, e-mails are sent that attempt to lure recipients into clicking a link in the message. If the website is opened in a browser, the computer is infected with malware. Drive-by e-mail comprised nearly one tenth of all spam e-mail for the first time in September 2012.
4. Spear phishing became a serious issue in 2012. The spectrum ranged from targeted attacks on very small groups of recipients, e.g. employees at a particular company, to phishing e-mails sent to individual recipients. The information needed generally comes from hacking attacks.
5. There were significant fluctuations with regard to the countries of origin for spam in 2012. For example, in the period from August to November, there were four different frontrunners in terms of spam sources. This indicates that spammers frequently change spamming infrastructures to avoid the consequences of botnet shutdowns.
Five trends for 2013:
1. The trend toward targeted attacks will continue. It can be assumed that country-specific campaigns for spam, malware, and phishing will become the norm in 2013 and that target groups will be increasingly narrowed down.
2. 2013 will be the year of spear phishing. Since emerging from the pilot phase in 2012, they are set to become a key weapon in online criminals’ arsenal in 2013. It can be expected that especially critical areas, such as government authorities, will be targeted by spear phishers.
3. The prerequisite for successful spear phishing is recipient data that is as detailed as possible. Online criminals will be focusing on obtaining such information in 2013. It can thus be expected that the number of hacking and phishing attacks that try to get to such data will noticeably increase.
4. Spam trends in 2013 will be subject to stronger fluctuations with regard to spam levels, topics, and countries of origin. Shorter spam waves, longer breaks in between, and quick changes in infrastructure are all part of a strategy that make spam less calculable and which should reduce the consequences of botnet takedowns.
5. Malware campaigns are increasingly targeting users and companies who only rely on signature-based anti-virus solutions and do not use early virus detection. The majority of such waves are thus sent at the start of the campaign and therefore before traditional virus scanners are updated.