Rise of .in URLs in Spam

Symantec has observed an increase in spam messages containing URLs using the country code top-level domain (ccTLD) for India. This chart shows percentage of spam containing .in URLs:

While there were few daily spikes last year, clearly there has been more activity in the last two months.

Looking back at last year, the ccTLD for India (.in) ranked tenth on our TLD distribution list:

Rank TLD % of URL Spam
1 .com 58.89%
2 .ru 9.16%
3 .info 8.57%
4 .net 6.10%
5 .org 3.39%
6 .br 2.56%
7 .ua 2.10%
8 dotted quad 0.69%
9 .uk 0.59%
10 .in 0.50%

However, the .in ccTLD jumps to the fifth spot when looking at the last month (while the percentage more than quadruples):

Rank TLD % of URL Spam
1 .com 68.47%
2 .ru 7.13%
3 .net 5.45%
4 .br 3.20%
5 .in 2.34%

Examining messages found in the Global Intelligence Network, Symantec researchers have found that the vast majority of spam messages containing .in URLs is hit & run spam. Back in March of this year Symantec noted an increase in hit & run spam and .in URLs appear to be associated with it.

Here are top ten subject lines from .in URL spam over the last five days:

Subject: Avoid Retail Markup
Subject: What Retailers Don't Want You to Know
Subject: Visitors Pass
Subject: Visitors Pass Alert
Subject: 4 foods that KILL fat and 7 food chemicals that CAUSE it
Subject: Visitors Pass Notification
Subject: Warning- You may not be protected by Norton. Update Now.
Subject: Health coverage with or without pre-existing conditions.
Subject: Special 2012 Savings - Eliminate entire phone bill
Subject: DirectBuy Visitors Pass Notification

Please note the use of the Norton brand above is unauthorized and that message is not from Symantec. Rather than providing antivirus software updates, as the message claims, these messages instead often deliver various malware to users.

Symantec will continue to monitor this trend and create additional filters to target these attacks. In addition, Symantec also advises enterprises and consumers to adopt the best practices found in the Symantec Intelligence Report.