Reports released by different security vendors highlight that spam campaigns grew tremendously in 2016, as exploit kit activity fell after the three major players went down.

Over the past few years, there's been a balance between spam and exploit kit activity, with spam being considered the cheaper and more inefficient method of infecting users, while exploit kits were more expensive but more efficient.

2016 saw the death of three major exploit kits

Whenever possible, crooks often opted to deploy exploit kits to distribute their malware, which inevitably led to various exploit kits becoming very popular, entering the day-to-day vernacular of any infosec professional.

Exploit kits timeline
Exploit kits timeline (Source: SenseCy)

But 2016 has been a disastrous year for exploit kits. In April, the Nuclear exploit kit shut down shortly after Check Point published an in-depth report detailing its infrastructure.

In late May, Russian authorities arrested the cybercriminal gang behind the Lurk banking trojan, who apparently ran the Angler exploit kit as a side activity.

Furthermore, in September, the Neutrino exploit kit, who filled the gap after the first two shut down, suddenly reduced its activity and entered a private mode, only catering to a very small list of clients.

Exploit kit activity is at 25% compared to early 2016

Both SenseCy and the Microsoft Malware Protection Center have noticed this sudden drop in exploit kit activity.

According to Microsoft, exploit kit activity is at 25% compared to 2016's peak level, recorded in the month of February.

Monthly encounters by exploit kit family
Monthly encounters by exploit kit family (Source: Microsoft)

SenseCy also reports on this very same drop, and cites it as a reason why old attack vectors such as malware loaders and macro malware have made a comeback in the past year.

Email spam returns to record levels

Most macro malware and malware downloaders are distributed via spam email campaigns. According to Cisco's 2017 Annual Cybersecurity Report, spam campaigns accounted for 65% of all email traffic in 2016, with spam levels reaching record levels not seen since 2010.

Spam levels in the past few years
Spam levels in the past few years (Source: Cisco)

According to Cisco's experts, most of this spam comes from botnets specifically built for sending spam, such as Necurs, a common source of spam that spreads the Dridex banking trojan and the Locky ransomware.

Most of the spam, according to Cisco, appears to carry malicious attachments, which when opened deploy malware using various techniques.

Type of malicious attachments found in spam emails
Type of malicious attachments found in spam emails (Source: Cisco)

Around 80% of all spam emails contained malicious attachments. The rest was classic spam schemes, such as pharma spam (selling pharmaceuticals and diet pills), pump-and-dump spam (spreads false rumors to influence stock prices), adult spam, and others.

According to cyber-security research firm Cloudmark, in 2016, pharma spammers appear to have migrated away from Oprah to other celebrities to peddle their fake products.

Malvertising increased 132% in 2016

Besides spam, other noticeable cyber-crime trends include the increased adoption of HTTPS for hosting malicious sites and a 132% increase in total malvertising attacks during 2016.

According to RiskIQ, the security firm behind the malvertising figure, most malvertising attacks redirected users to various types of online scams, malicious file downloads, and phishing pages.

In total, RiskIQ reports of 7.6 million malvertising attacks recorded in 2016, compared to only 3.2 million in 2015.