Euro Security Watch with Mathew J. Schwartz

Cybercrime , Fraud Management & Cybercrime , Government

'Trump' Spam Trumps All Other Spam

Love Him or Loathe Him, Surname Dominates Spam Emails, Proofpoint Finds
'Trump' Spam Trumps All Other Spam
Source: Proofpoint

With the U.S. midterm elections occurring on Tuesday, one keyword remains king for spammers: "trump."

See Also: Five Steps to Masterminding an Effective Security Awareness Program

Love him, loathe him, or if you couldn't care less, spammers continue to reference President Donald Trump, halfway through the Republican's first term, as part of their effort to trick individuals into clicking on links, directing users to advertising, malware and other threats to their personal information.

"Spam actors rely on strong brands to generate clicks." 

Regard spammers' choice as an exercise in unapproved branding. "As our previous studies have shown, spam campaigners understand the value of brands, and for spam as for ballots, and whether for or against, the election is all about Trump," security firm Proofpoint says in a blog post.

Comparison of the frequency of subject line search terms to the median frequency across all searches (Source: Proofpoint)

Of course, social engineering spam artists have long pursued a simple goal: To trick victims into opening their emails. Sometimes that also extends to phishing attacks, and attempting to get victims into opening an attachment they send, which is designed to download malware onto a system.

The Art of the Click

So far, so 2000s. What has continually changed over the past two decades, however, has been attackers' choice of subject matter. They've long stayed topical, namedropping everything from timely sporting events (Super Bowl, World Series, Olympics), to diet fads (Atkins), to celebrities (Brittney Spears, Angelina Joley, Oprah Winfrey), to job offers ("LinkedIn new messages," "CV"), to dating ("Katya 21y.o, new message for you"), holidays (Christmas, New Year), pharmaceuticals and sometimes even information leaks (WikiLeaks).

"Spam actors rely on strong brands to generate clicks," Proofpoint says. "Whether these brands are popular or polarizing, spammers include them in subject lines, email bodies, URL landing pages, social media comments, and more to drive clicks and eyeballs, even if the actual spam or affiliate pages are completely unrelated to politics."

Indeed, regardless of the keywords used, Proofpoint says the vast majority of spam remains so-called "affiliate spam," which uses links that lead to advertising pages or sales sites that have nothing to do with whatever recipients clicked on. These sites may launch drive-by attacks against users, attempting to install malware designed to ransack systems for personal information, install keystroke loggers and steal online banking credentials and other passwords. Or they may lead to money mule recruitment pages, often disguised as "work from home" opportunities.

How do spammers pick and hone the keywords they use? "While we can only speculate on particular methodologies, which may vary from spammer to spammer, the common thread is brand strength," Chris Dawson, threat intelligence lead at Proofpoint, tells me. "We consistently see these actors choosing terms for their email subject lines - and even for hidden text in the body of spam emails - that play off the strongest brands. Even if those brands are polarizing, they still generate clicks."

What's Hot: Midterm Elections

What's topical right now, of course, are U.S. midterm elections.

To see which election keywords were most popular, Proofpoint reviewed hundreds of thousands of spam emails sent since Sept. 27, assessing subject lines and email bodies for the following keywords:

  • cruz
  • democrat
  • desantis
  • election
  • giuliani
  • kamala
  • kobach
  • mid-term
  • midterm
  • ocasio
  • pelosi
  • republican
  • romney
  • sessions
  • trump

"In all of our filters, regardless of the specific keywords, the term 'trump' dominated spam subject lines," Proofpoint says. "In political party-related searches, 'trump' appeared 4.6 times as often as the next nearest term, 'democrat', and 10 percent more often than all other search terms combined."

Work-from-home spam deployed in response to political social media content (Source: Proofpoint)

The firm says it also searched on the surnames of all candidates running for Congress, but found returned negligible hits for all but Sen. Ted Cruz, R-Texas, and Rep. Nancy Pelosi, D-California, the minority leader of the House of Representatives.

In August and September, meanwhile, Proofpoint reports that it also saw a surge in spam being disseminated via social media networks

During that time period, "overall social media spam volumes increased by over 200 percent, with roughly 5 percent of all spam consistently focused on political topics or leveraging political accounts and pages," it says.

'Referendum on the Sitting President'

But does attackers' choice of spam provide a preview for which parties and candidates may emerge victorious from the midterms?

More likely, it's a no-brainer look at the main theme underlying the 2018 U.S. midterm elections. As Proofpoint notes: "Midterm elections are frequently regarded as a referendum on the sitting president, regardless of the other candidates on the ballot."

While most election results likely won't get posted until the early hours of Wednesday, spammers are playing a different game, and voting in their communications with what they think is most likely to get clicked. As far as they're concerned, thematically speaking, they've been voting early and spamming often.



About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.co.uk, you agree to our use of cookies.