In 2019, spam and phishing

Figures for the year

  • The share of spam in mail traffic was 56.51%, which is 4.03 p.p. more than in 2018.
  • The largest source of spam this year was China (21.26%).
  • 44% of spam e-mails were less than 2 KB.
  • Malicious spam was most commonly detected with the Exploit.MSOffice.CVE-2017-11882 verdict.
  • The Anti-Phishing system was activated 467,188,119 times.
  • 17% of unique users have experienced phishing.

Trends of the year

Beware of novelties

In 2019, attackers were more active than usual in exploiting major sports and film events to gain access to users’ financial or personal data. Premieres of TV shows and movies, and sports broadcasts, were used as bait for those who wanted to save money by watching through unofficial means.

A search for “Watch latest X for free” (where X = Avengers movie, Game of Thrones season, Stanley Cup game, US Open, etc.) returned links to sites offering to do exactly that. Clicking through to these sites really did start the broadcast, only for it to stop after a few minutes. To keep watching, the user was asked to create a free account (only an e-mail address and password were required). However, when the Continue button was clicked, the site asked for additional confirmation.

And not just any information, but bank card details, including the three-digit security code (CVV) on the back. The site administrators assured the user that no money would be debited from the card and that the information was only needed to confirm the user’s location (and therefore the right to view the content). But instead of continuing the broadcast, the crooks simply pocketed the details.

New gadgets were also used as bait. Cybercriminals created fake pages that mimic Apple’s official services. The number of bogus sites increased sharply after the unveiling of the company’s new products. And while Apple was still preparing to release the next gadget, fraudsters were already offering to sell it to impatient buyers. All the victim had to do was follow a link and enter their AppleID data, which was exactly what the attackers were after.

The price of fame: attackers exploit popular resources

In 2019, scammers found new ways to exploit popular resources and social networks to spread spam and sell non-existent goods and services. They actively used YouTube and Instagram comments to post ads and links to potentially harmful pages, and created numerous social media accounts, which they promoted by commenting on popular bloggers’ posts.

For extra credibility, they left many fake comments on posts about topical subjects. As an account became more widely known, it started posting messages about promotions, for example a sale of branded goods at knock-down prices. Victims got a cheap imitation or simply lost their money.

A similar scheme was used to quickly promote videos in combination with coil reviews from new flash customers.

Another scam involved fake Instagram accounts posing as stars. The “stars” asked their fans to fill out a survey and receive a cash payout or the chance to enter a prize draw. For this not-to-be-missed opportunity, of course, a small fee was due in advance. After the cybercriminals received the money, the account simply disappeared.

In addition to distributing links via comments on social networks, scammers used Google services as another delivery method: invitations to meetings sent via Google Calendar, or notifications from Google Photos that someone had just shared a photo, were accompanied by a comment from the attackers with links to fake promotions, surveys and awards ceremonies.

Other Google services were also used: links to files in Google Drive and Google Storage were sent in fraudulent e-mails, which spam filters cannot always recognise. Clicking on such a link usually opens a file containing advertising (e.g. for fake pharmaceutical products) or another link leading to a phishing site or a personal data collection form.

Although Google and others are constantly working to protect users from scammers, the latter will forever find new loopholes. Therefore, the most important protection against such schemes is to pay careful attention to messages from unknown senders.

Malicious transactions

In Q1, users of the Automated Clearing House (ACH), an electronic payment system that facilitates payments in the US, became victims of fraudsters: we recorded mailings of fake ACH notifications about the status of a payment or a debt. By clicking on the link or opening the attachment, the user risks infecting the computer with malware.

Anyone order bitcoin?

Cryptocurrency continues to interest crooks. In addition to the standard fakes of well-known cryptocurrency exchanges, cybercriminals have begun to create their own resources: these promise lucrative exchange rates, but steal either personal data or money.

Crypto forces and blackmail

Whereas in 2018 cybercriminals attempted to blackmail users by claiming to have compromising material on them, in 2019 e-mails came in from a CIA agent (name varies) who was allegedly handling an open case against the recipient of the message concerning the storage and distribution of pornographic images of minors.

The case, the e-mail alleged, was part of an international operation to arrest more than 2,000 paedophile suspects in 27 countries around the world. However, the agent knew that the recipient was a well-intentioned person with a reputation to protect, and for $10,000 in bitcoin he would be willing to modify or destroy the file (all the information about the victim used to make the e-mail credible was collected in advance from social networks and forums). For someone who is really afraid of the possible consequences, that would be a small price to pay.

Legal entities found themselves in an even more desperate situation when faced with similar threats. For them, however, it was not about sextortion, but about spamming. The blackmailers sent a message to the company via its public e-mail address or an online feedback form with a ransom demand in bitcoin. If refused, the attackers threatened to send millions of spam e-mails in the company’s name. This, the cybercriminals assured, would lead the Spamhaus project to recognize the source as a spammer and block it forever.

Business in focus

The growing trend of attacks on business is not only reflected in attempts to cyber-blackmail companies. The reputation of many companies has been tarnished by sending spam via feedback forms. Having previously used such forms to attack the company’s employees’ mailboxes, cybercriminals developed their methods in 2019.

For example, messages about successful registration on a certain website were received by people who had never heard of it. After finding a security hole on the site, spammers used a script to bypass the CAPTCHA system and register users en masse via the feedback form. In the Username field, the attackers inserted the message text or a link. As a result, the victim whose e-mail address was used received a registration confirmation e-mail from a legitimate sender, but with a message from the scammers. Moreover, the company itself had no idea what was going on.
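One way a site could keep such text out of its automatic e-mails, shown as an added example that is not from the original report: the name field is screened server-side before it is echoed into the confirmation message. The function names, limits and sample values are constructed for illustration.

```python
import re
import unicodedata

# Constructed limits for this example; tune them to the site's real naming policy.
MAX_NAME_LEN = 40
MAX_WORDS = 4

# Explicit links: a URL scheme or a leading "www.".
URL_SCHEME = re.compile(r"(?i)\b(?:https?|ftp)://|\bwww\.")
# Bare host names such as "promo-site.example" (labels ending in an alphabetic TLD).
BARE_DOMAIN = re.compile(
    r"(?i)\b[a-z0-9-]{1,63}(?:\.[a-z0-9-]{1,63})*\.[a-z]{2,24}\b"
)


def screen_display_name(raw):
    """Return the reasons a submitted name must not be echoed into an e-mail."""
    reasons = []
    # NFKC folds look-alike forms (e.g. full-width letters) before matching.
    name = unicodedata.normalize("NFKC", raw)
    # CR/LF, other control characters and zero-width characters have no place
    # in a name and can be used to break mail headers or hide a link.
    if any(unicodedata.category(ch) in ("Cc", "Cf") for ch in name):
        reasons.append("control-or-format-character")
    if not name.strip() or len(name) > MAX_NAME_LEN:
        reasons.append("length")
    # A whole advertising sentence pasted into the field shows up as many words.
    if len(name.split()) > MAX_WORDS:
        reasons.append("too-many-words")
    if URL_SCHEME.search(name) or BARE_DOMAIN.search(name):
        reasons.append("link")
    return reasons


def confirmation_greeting(raw):
    """Greeting line for the confirmation e-mail; never echoes a rejected value."""
    if screen_display_name(raw):
        return "Hello,"
    return f"Hello {raw.strip()},"
```

A rejected value is a useful signal in its own right: counting rejections per source address helps spot the scripted mass registrations described above.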

A much more serious threat came from mailings disguised as automatic notifications from services used to create legitimate mailing lists: the scammers’ messages were carefully disguised as notifications of new voicemail messages (some commercial products have a voicemail exchange function) or of incoming e-mails blocked in the delivery queue. In order to gain access, the employee had to go through an authentication process, after which the company account details ended up in the hands of the attackers.

The scammers developed new methods to extract confidential data from unsuspecting company employees, for example by sending e-mails requesting urgent confirmation of the company’s account details or payment information, with a convenient link. If the user swallowed the bait, the account’s authentication data went straight to the cybercriminals.

Another attack on business used a more complex scheme: the attackers tried to make the recipients of the e-mails believe that the company’s management was offering a salary increase in exchange for a performance appraisal.

The message purported to come from HR and contained detailed instructions and a link to a fake evaluation form. However, before going through the procedure, the recipient had to enter some data (in most cases it was specified that the e-mail address had to be the company one). After the identification or evaluation button was clicked, the credentials entered were duly transmitted to the attackers, giving them access to business correspondence, personal data and probably confidential information, which could later be used for blackmail or sold to competitors.

A simpler scheme consisted of sending phishing e-mails that supposedly came from services used by the company. The most common were fake reports from HR recruitment platforms.

Statistics: spam

Share of spam in mail traffic

The share of spam in mail traffic rose by 4.03 percent to 56.51 percent in 2019.

Share of spam in world mail traffic, 2019

The lowest figure was recorded in September (54.68%) and the highest in May (58.71%).

Spam sources by country

In 2019, as in the previous year, China retained its crown as the country that emits the most spam. Its share has increased considerably compared to the previous year (9.57 p.p.) to 21.26%. It remains ahead of the United States (14.39%), whose share increased by 5.35%. Russia ranks third (5.21%).

Fourth place went to Brazil (5.02%), despite a loss of 1.07 p.p. Fifth place in 2019 was claimed by France (3.00%) and sixth place by India (2.84%). Vietnam (2.62%), fourth in the previous period, moved to seventh place.

The TOP 10 is completed by Germany, which moves from third to eighth place (2.61%, down 4.56 p.p.), Turkey (2.15%) and Singapore (1.72%).

Spam sources by country, 2019

Size of spam mail

In 2019, the share of very small e-mails continued to rise, but less dramatically than the year before: by just 4.29 p.p. to 78.44%. At the same time, the share of e-mails between 2 and 5 KB decreased by 4.22 p.p. compared to 2018, to 6.42%.

Unwanted emails by size, 2019

The share of larger e-mails (10-20 KB) changed little, falling by 0.84 p.p. But there were more junk e-mails from 20 to 50 KB: these messages accounted for 4.50% (+1.68%). In addition, the number of e-mails from 50 to 100 KB increased by almost 1%, to 1.81%.

Malicious mail attachments

Malware families

TOP 10 Malware families, 2019

In 2019, Exploit.Win32.CVE-2017-11882 was, as in the previous year, the most common malware (7.24%). It exploits a vulnerability in Microsoft Office that makes it possible to execute arbitrary code without the user’s knowledge.

In second place is the Trojan.MSOffice.SAgent family (3.59%), whose members also target Microsoft Office users. This type of malware consists of a document with a built-in VBA script that secretly loads other malware using PowerShell when the document is opened.

The Worm.Win32.WBVB family (3.11%), which contains executable files written in Visual Basic 6 and classified by KSN as unreliable, has moved up from fourth to third place.

Backdoor.Win32.Androm.gen (1.64%), which ranked second in the previous period, came fourth. This modular backdoor is most often used to download malware to the victim’s computer.

The fifth place in 2019 was taken by the Trojan family Win32.Cryptic (1.53%). This verdict is attributed to Trojan horses that use anti-emulation, anti-debugging and code obfuscation to make them difficult to analyse.

Trojan.MSIL.Crypt.gen (1.26%) came sixth, while Trojan.PDF.Badur (1.14%) – a PDF that leads the user to a potentially dangerous site – climbed to seventh place.

Eighth place went to another malicious DOC/DOCX document with a malicious VBA script, Trojan-Downloader.MSOffice.SLoad.gen (1.14%), which, once opened, can download ransomware to the victim’s computer.

In ninth place is Backdoor.Win32.Androm, and in third place Trojan.Win32.Agent (0.92%).

Countries targeted by malicious mailings

As in the previous year, Germany took first place in 2019. Its share remained virtually unchanged: 11.86% of all attacks (+0.35%). Second place was claimed by Russia and Vietnam together (5.77% each) – Russia was in this position in the previous reporting period, while Vietnam rose from sixth to third place.

Countries targeted by malicious mailings, 2019

Italy (5.57%) is only 0.2% behind, while the United Arab Emirates is fifth (4.74%), Brazil sixth (3.88%) and Spain seventh (3.45%). The TOP 10 is completed by India (2.67%), Mexico (2.63%) and Malaysia (2.39%), which are practically neck and neck.

Statistics: Phishing

In 2019, the Anti-Phishing system was activated 467,188,119 times on Kaspersky users’ computers as a result of phishing redirection attempts (15,277,092 fewer than in 2018). In total, 15.17% of our users were attacked.

Organisations under fire

The ranking of organizations targeted by phishing attacks is based on activations of the heuristic component of the Anti-Phishing system on users’ computers. This component detects all cases where the user attempts to follow a link in an e-mail or on the Internet to a phishing page that has not yet been added to the Kaspersky databases.

Classification of categories of organisations under attack from phishers

Contrary to 2018, most of the heuristic component triggers in this period fell into the banking category. Its share rose by 5.46% to 27.16%. Last year’s leader, the global Internet portal category, dropped one spot to second place. Compared to last year, its share decreased by 3.60 p.p. (21.12%). The payment systems category remained in third place, with a share of 16.67% (-2.65 p.p.) in 2019.

Breakdown of organisations undergoing phishing attacks by category, 2019

Geography of the attack

Countries by proportion of users attacked

The leader in this period in terms of the percentage of unique users attacked out of the total number of users was Venezuela (31.16%).

Percentage of users whose computers activated the Anti-Phishing system among all Kaspersky users in the country, 2019

TOP 10 countries per attacked user share

Country %
Venezuela 31.16
Brazil 30.26
Greece 25.96
Portugal 25.63
Australia 25.24
Algeria 23.93
Chile 23.84
Réunion 23.82
Ecuador 23.53
French Guiana 22.94

Last year’s leader, Brazil (30.26%), came second with a loss of 1.98 p.p., while Venezuela (31.16%) moved from ninth to third and gained 11.27 p.p. In third place is a newcomer to the TOP 10, Greece (25.96%).


Television premieres, top sporting events and the release of new gadgets have been abused by crooks to steal users’ personal information or money.

Looking for new ways to bypass spam filters, attackers are developing new methods to deliver their messages. This year they actively used various Google services, as well as popular social networks (Instagram) and video hosting sites (YouTube).

Cybercriminals continue to use financial themes in schemes to access users’ personal data, to infect computers with malicious software or to steal money from victims’ accounts.

The main trend in 2019 is the increase in the number of attacks on businesses. Fraudulent schemes previously used to repeatedly attack ordinary users have changed direction, adding new subtleties to cybercriminal tactics.