Spam Trends: September - November 2023

Modern day spam is rarely benign: as a delivery system, spam is almost always a component of a subsequent cybercriminal activity. We measure spam activity by analysing spam reports from high-confidence blocklist sources that have low false-positive rates. Since little or no “benign” email is marked as spam by these sources, we treat all reported spam from our feeds as deliberate acts, or predicate acts to subsequent crimes including as phishing, counterfeiting, or scams. We use the term “criminal act” intentionally, because most modern day spam is sent without informed consent, from compromised devices or from accounts where the emission of spam violates acceptable use. Using the Council of Europe’s Convention on Cybercrime as our model of law, we consider this a criminal misuse of device. The unauthorized software (malware) that emits spam emails uses system and nework resources at the expense of unauthorized software. Again using the Convention of Cybercrime as our model, we consider this a criminal act of data or system interference.

Spam domains reported declined for the third straight quarter

While the raw counts have declined, spammers continue to rely heavily on domain names for their campaigns. In our Interisle study, Cybercrime Supply Chain 2023, we reported that spam campaigns were the largest consumers of criminal domains. How large? Over 1 million domains were reported for spam activity from September 2022 to August 2023. We are still seeing in excess of 200,000 domains reported monthly for spam in the final quarter of 2023.

Bulk registrations

Cybercriminals rely upon domain names that can be rapidly acquired, used in an attack, and abandoned before they can be traced. While the domain name system was never intended to supply criminals with thousands of domains in a matter of minutes, it does so year after year. Bulk registrations increased significantly from May to December, possibly an indicator of a shift resulting from Freenom’s exit from the commercialized ccTLD business.

Spammers impersonate brands, too!

Fake web sites used to in impersonation or fraud campaigns often use exact matches or of brands or labels that look deceptively like brands in phishing domains. Spammers do this as well. For the quarter, we identified more than 15,000 spam domains that contained some form of impersonated brand in their compositions.

PayPal, Google, UPS, USPS, and Amazon were the most impersonated.

We also measured spam domains by industry sector.

The technology sector was the most frequently impersonated, followed by financials and crypto services. Healthcare, and delivery services are also heavily targeted.

Read URLs carefully before you visit a web site.

Spammers used fewer domains but more reseller accounts

Subdomain resellers offer hosting and DNS services on a domain name that the provider owns. Users create an account and are assigned a hostname of the format subdomain.domainname.tld. In our study, Cybercrime Supply Chain 2023, we reported that Over 500,000 subdomain hostnames served as resources for cybercrime at 229 subdomain resellers.

Our 2023 Phishing Landscape study revealed that cyber attackers are increasingly turning to these services to host phishing pages.

Our spam data suggests that these services are popular for spam as well.

In May and December of 2023, we saw marked increases in subdomain user accounts reported as spam hostnames.

It appears that cybercriminals have learned how to create accounts in bulk at some of these services, so it is imperative that the providers implement strong anti-abuse measures.

The increased use of subdomain user accounts may also be an indicator that criminals will opportunisticallly use any namespace to support spam campaigns.

Top-level Domains

COM, CN, TOP, ONLINE, and NET had the most spam domains reported.

Unsurprisingly, 5 new gTLDs had the highest spam score. Watch out for domains ending in BEAUTY, LIVE, VIP, CAM and SITE.

For complete rankings, visit Spam Activity in Top-level Domains.