The Information Commissioner's Office (ICO), a UK regulator, took a large stride this quarter towards curbing the problem of mobile spam. Using intelligence from the GSMA Spam Reporting Service (SRS), powered by Cloudmark, ICO officials were able to raid the operations of an SMS spammer in Wolverhampton. On May 22nd, officials searched both offices and a residence connected with the spammer, seizing computer equipment and paperwork. From the hundreds of confiscated SIM cards, the ICO estimated that the SIM farm could have been responsible for 350,000 to over a million spam text messages. These types of SIM farms deploy large-scale devices that can accommodate upwards of 32 SIM cards at once, allowing spammers to send hundreds of SMS per second.
“This shows why reporting messages to us and your mobile network operator is so crucial. Without the reports we got through the 7726 system, we wouldn’t have been able to carry out this raid today.” -Andy Curry, Enforcement Manager at the ICO
Below is a graph of the 7-day moving average for reported SMS spam in the UK. There was a slight increase immediately following the raid. We believe this is because the publicity for SRS generated by the raid caused increased participation in the system. However, the 7-day average number of reports then dipped to a minimum of 28 percent below that of the day of the ICO raid. During the four-week period following the raid, SRS received 17 percent fewer spam reports than in the previous month.
Unfortunately, SMS is an attractive medium for both spammers and malicious attackers. When one operation shuts down, others soon replace it, and law enforcement is ill-equipped to respond with the same speed with which these operations can spring up. While levels have taken a downturn in the wake of the ICO raid, it appears that levels began to rise at the end of the quarter. If the spammers were hired by an outside group to deliver advertisements on their behalf, perhaps the outside group has found a new provider.
Over the three months, several types of SMS spam in the UK saw peaks in volume. Most apparent among the changes was the significant — over 50 percent — drop in May for Accident Compensation offers peddled via text messages. However, it doesn’t appear to have been caused by the ICO’s action as volumes for this category plummeted two weeks prior. One category, insurance quote offers, seems to have disappeared entirely while several other types saw subtle dips in average volumes.
The US also saw major swings in SMS spam this quarter but in the other direction. Advertising for counterfeit designer goods nearly tripled its share of the US reports each month, while phishing attempts, last quarter’s most common, fell to third.
For years, texts yelling “WE BUY JUNK CARS!” slammed mobile devices in parts of southern Florida in the US. Sent from within the area, these messages alone were enough to make the region one of the most prolific sources of spam in North America. Then, following legal action against the spammer, this Florida-based spam went quiet last November.
Coincidentally, a perennial springtime spam favorite reemerged, hitting phones all across the country in record numbers, and again from south Florida. The new flood is actually an old and well-known form of spam: “free” cruise offers. This spring, however, the sheer volume of these free cruise ploys propelled the category to the number two spot overall in the US. This cruise spam campaign is about 70% of the Win Free Stuff spam category and contributed just over 18% of all US SMS reports during the second quarter.
Like the junk car spam before it, these unwanted texts came almost entirely from within Florida. Over 88 percent of all free cruise SMS messages were from various area codes in Florida with most concentrated in the Miami area. Caribbean Cruise Line can be credited with purveying these offers. However, a very similarly named Celebration Cruise Line operates the actual cruise ship responsible for sailing to Grand Bahama, the destination for this cruise spam.
Nothing in life is free, though. Victims are required to sit through hours of timeshare offers, from which Caribbean Cruise Line profits handsomely, prior to qualifying for the “Free” cruise. After this gauntlet of timeshare pitches, it’s revealed that the cruise isn’t all that free. Many victims report being charged a myriad of hidden fees for various reasons. The unclear terms and questionable tactics have netted the company hundreds of complaints with the Better Business Bureau.
This is not surprising since the cruise ship actually departs from south Florida. Many of these messages prompted recipients to call varying numbers, but each number used was almost always the same as that of the sender who was also using, again, a number from south Florida.
It was interesting to watch as the spammer’s methods devolved. Initially, 75-95 percent of all cruise spam reported each day used one common call-to-action (CTA) phone number. The frequency with which the spammer cycled these numbers and messages began to increase dramatically throughout the quarter as filters and aggressive number blocking by the carriers took a toll on the spammer’s deliverability. In the face of further-increasing deliverability challenges, the sender began masking the CTA phone number in more colorful (and less readable) ways: first by spelling out numbers, later by inserting random punctuation and misspellings, and even by using Roman numerals.
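Filters that key on the CTA number have to undo exactly this kind of obfuscation before they can cluster a campaign. The following is an added example, not code from the report or from Cloudmark, of a small normalizer that maps spelled-out digits, stray punctuation and small Roman numerals back to a digit stream and then pulls out ten-digit US numbers. The sample messages and the number 3055550123 are constructed for the example (a Miami area code with a reserved 555 exchange).

```python
import re
from collections import Counter

# Constructed sample messages (not taken from the report), one per obfuscation
# style described in the text: plain digits, spelled-out digits, punctuation
# and misspellings, and Roman numerals. All hide the same CTA number.
SAMPLES = [
    "Congrats! You won a FREE cruise to the Bahamas. Call 3055550123 now",
    "Free cruise! call three zero five five five five zero one two three",
    "F.R.E.E cruise -> 3*0*5-5.5.5 0!1!2!3 (limited)",
    "Claim cruise: III O V V V V O I II III",
]

# Words that stand in for a single digit ("oh"/"o" are the usual zero substitutes).
WORD_DIGITS = {
    "zero": "0", "oh": "0", "o": "0", "one": "1", "two": "2", "three": "3",
    "four": "4", "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9",
}
ROMAN_VALUES = {"i": 1, "v": 5, "x": 10}


def roman_digit(token):
    """Return the digit string for a Roman numeral token worth 1..9, else None."""
    if not token or any(ch not in ROMAN_VALUES for ch in token):
        return None
    total = 0
    for idx, ch in enumerate(token):
        val = ROMAN_VALUES[ch]
        nxt = ROMAN_VALUES[token[idx + 1]] if idx + 1 < len(token) else 0
        total += -val if val < nxt else val  # subtractive forms such as IV, IX
    return str(total) if 1 <= total <= 9 else None


def digit_runs(text):
    """Collapse a message into runs of digits; any ordinary word ends a run.

    Punctuation is ignored outright, so "3*0*5-5.5.5" joins into one run,
    while a word that is neither a digit word nor a Roman numeral is a separator.
    """
    runs, current = [], ""
    for token in re.findall(r"[a-z]+|\d+", text.lower()):
        if token.isdigit():
            current += token
            continue
        mapped = WORD_DIGITS.get(token) or roman_digit(token)
        if mapped is not None:
            current += mapped
        else:
            if current:
                runs.append(current)
            current = ""
    if current:
        runs.append(current)
    return runs


def extract_cta_numbers(text):
    """Return the ten-digit US numbers hidden in a message (leading 1 stripped)."""
    found = []
    for run in digit_runs(text):
        if len(run) == 11 and run.startswith("1"):
            run = run[1:]
        if len(run) == 10:
            found.append(run)
    return found


def cta_counts(messages):
    """Cluster messages by normalized CTA number, as a filter would to track a campaign."""
    counts = Counter()
    for message in messages:
        counts.update(extract_cta_numbers(message))
    return counts


if __name__ == "__main__":
    for sample in SAMPLES:
        print(extract_cta_numbers(sample), "<-", sample)
    print(cta_counts(SAMPLES))
```

Every sample above normalizes to the same number, so a per-CTA counter sees one campaign rather than four unrelated messages; a message such as "your package arrives at 5 pm" yields no candidate because its digit runs are too short.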
Unlike many of the countries we have featured in our quarterly country report, there appear to be no large-scale spam operations sending from Mexico. The spam that we do see coming out of Mexico is mostly from computers infected by Cutwail and other botnets. In fact, Mexico has a smaller percentage of its IP address space blacklisted by Cloudmark (0.16 percent) than the US (0.22 percent). However, Mexican ISPs are not doing enough to control botnet-infected machines, so Mexico is still a significant source of international spam.
It is interesting to compare Mexico with the cybercriminal syndicates operating out of Eastern Europe. Since the collapse of the USSR, an excellent educational system combined with a depressed economy has left many talented programmers looking for work, and the less principled have turned to crime just to make ends meet. In Mexico, talented young programmers have more access to US companies ready to sponsor them for H-1B visas, and the few Mexicans predisposed to a life of crime are likely to find drug smuggling far more profitable than credit card fraud.
The largest international recipient of spam from Mexico is the US, but spam actually makes up only 44 percent of the total email traffic that Mexico sends to the United States. This compares with 90 percent of the traffic from Russia, 80 percent of the traffic from Argentina and 64 percent of the traffic from Brazil. There is also a large volume of legitimate email. Brazil and Australia also receive significant amounts of spam from Mexico, but with even lower spam percentages. Japan and Western Europe do not do so well, with 89 percent of the email from Mexico to Japan being spam, and 96 percent of the email from Mexico to Ireland.
Mexican ISPs have significantly different levels of outbound spam detected by the Cloudmark Global Threat Network, ranging from around 30 percent to 80 percent.
There are some fairly simple things that could be done to improve matters. Blocking the outbound ports 25 and 587 that are used by SMTP is one way. Alternatively, ISPs could pass those ports through a transparent SMTP proxy that applies policy- and content-based spam filtering. We hope that in future Mexican ISPs will be more aggressive in reducing spam traffic from compromised computers on their networks.
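The outbound-port control described above is usually paired with some way of spotting which customer hosts are the infected ones. The following is an added example, not code or data from the report or from Cloudmark, of the classic botnet-spam signature an ISP can read off its own flow logs: a customer IP opening port-25 connections to many distinct mail exchangers within a short window, while connections to the ISP's own relay are ignored. The flow records, the relay address 10.20.0.5 and the customer range 10.20.1.0/24 are all constructed. The rendered nftables rule implements the blanket port-25 block from the text; it deliberately leaves port 587 alone, because 587 is the authenticated submission port (RFC 6409) that legitimate customers use to reach third-party mail providers, so an operator would normally block 25 and keep 587 open.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records (not data from the report): one line per outbound
# TCP connection seen at the ISP edge, "<ISO time> <customer IP> <dst IP> <dst port>".
# 10.20.1.15 behaves like a Cutwail-style infected host, 10.20.1.40 uses the
# ISP relay, 10.20.1.77 runs a small mail server, 10.20.1.90 sends slowly.
FLOW_LOG = """\
2014-06-10T12:00:00 10.20.1.15 203.0.113.10 25
2014-06-10T12:00:04 10.20.1.15 203.0.113.11 25
2014-06-10T12:00:09 10.20.1.15 203.0.113.12 25
2014-06-10T12:00:15 10.20.1.15 203.0.113.13 25
2014-06-10T12:00:21 10.20.1.15 203.0.113.14 25
2014-06-10T12:00:28 10.20.1.15 203.0.113.15 25
2014-06-10T12:00:36 10.20.1.15 203.0.113.16 25
2014-06-10T12:00:02 10.20.1.40 10.20.0.5 25
2014-06-10T12:00:30 10.20.1.40 10.20.0.5 25
2014-06-10T12:00:31 10.20.1.40 198.51.100.7 443
2014-06-10T12:00:05 10.20.1.77 198.51.100.20 25
2014-06-10T12:00:12 10.20.1.77 198.51.100.20 25
2014-06-10T12:00:40 10.20.1.77 198.51.100.21 25
2014-06-10T12:00:00 10.20.1.90 203.0.113.30 25
2014-06-10T12:02:00 10.20.1.90 203.0.113.31 25
2014-06-10T12:04:00 10.20.1.90 203.0.113.32 25
2014-06-10T12:06:00 10.20.1.90 203.0.113.33 25
2014-06-10T12:08:00 10.20.1.90 203.0.113.34 25
2014-06-10T12:10:00 10.20.1.90 203.0.113.35 25
"""

ISP_RELAY = "10.20.0.5"          # the ISP's own outbound mail relay (constructed)
CUSTOMER_CIDR = "10.20.1.0/24"   # dynamic customer address range (constructed)
THRESHOLD = 5                    # distinct MX hosts within one window => suspicious
WINDOW = timedelta(seconds=60)


def parse_flows(text):
    """Parse the flow log into (timestamp, src, dst, port) tuples."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows


def find_direct_smtp_senders(flows, threshold=THRESHOLD, window=WINDOW):
    """Return {src: peak distinct MX count} for hosts that contacted at least
    `threshold` distinct port-25 destinations (relay excluded) within `window`.

    A mail server that retries one destination, or a host that trickles out
    one connection every few minutes, stays below the threshold.
    """
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == 25 and dst != ISP_RELAY:
            by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        peak = 0
        for i, (start, _) in enumerate(events):  # sliding window from each event
            seen = {dst for ts, dst in events[i:] if ts - start <= window}
            peak = max(peak, len(seen))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def egress_rule(customer_cidr=CUSTOMER_CIDR, relay=ISP_RELAY):
    """Render the blanket policy from the text as an nftables command: customers
    may reach port 25 only on the ISP relay. Returned as text, never executed here."""
    return (f"nft add rule inet filter forward ip saddr {customer_cidr} "
            f"ip daddr != {relay} tcp dport 25 counter drop")


if __name__ == "__main__":
    suspects = find_direct_smtp_senders(parse_flows(FLOW_LOG))
    for host, count in suspects.items():
        print(f"{host}: {count} distinct MX hosts on port 25 within {WINDOW}")
    print(egress_rule())
```

Only 10.20.1.15 is reported: the relay user never appears in the candidate set, the small mail server reaches just two destinations, and the slow sender never exceeds one destination in any 60-second window. The same data, aggregated per ISP, is how an outbound spam percentage like the 30 to 80 percent range quoted above is produced.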
At the end of this quarter, the US still remains the country with the most IP addresses blacklisted by Cloudmark, while Romania remains in second place. However, a dramatic increase in the blocked IP addresses in China may have them challenging Romania for the number two spot soon. We have seen a 70 percent growth in the number of blocked IP addresses in China over the past three months.
Russia continues to improve, and Germany continues to deteriorate. Currently, Germany has more than twice as many blocked IP addresses as Russia, when just four months ago they had the same number. As is often the case, just a few bad actors are responsible for most of the problems. Most German ISPs are well managed and have safeguards against spammers and botnet infections, so they have very few IP addresses we have to block. However, there are three hosting companies that have no safeguards against spamming and are responsible for 65 percent of all the blacklisted IP addresses in Germany.
In terms of the percentage of IP address space blocked, Romania continues to hover around 20 percent, ahead of Panama, which dropped to less than 10 percent. The improving trend in Belarus has continued, and they are now down to less than 5 percent. Iran is also continuing to trend downwards and may well be replaced in fourth place by Vietnam or the Ukraine before long.
We should note that there are some other countries with a high percentage of blocked IP addresses, such as Belize with 13.8 percent, but we don’t include them in our reports as they lack enough IP addresses in total to have a significant impact on world spam.
When computer security is in the news, spammers are not far behind, exploiting the publicity surrounding newly discovered bugs and data breaches to try to make computer security even worse. In Q2, there were several spam attacks that referred to the widely reported Heartbleed bug. However, instead of protecting themselves against the bug, victims who were taken in by these emails were likely to find they had installed a Trojan or had their login credentials stolen. Likewise, a spam attack referring to the eBay data breach had nothing to do with eBay and was simply an attempt to sell a questionable background check service.
One message, with the unlikely subject “Looking for Investment Opportunities from Syria”, purports to be from a popular password management service. We also saw the same message with the more reasonable subject “Reminder: Change your passwords”. It asks the user to run the attachment to provide further protection against Heartbleed. In fact, it installs a Trojan allowing the hackers to take control of the victim’s computer. Apart from the subject, there are several warning signs that this email is not genuine, including Yahoo! Mail being used for the Reply-To address along with errors in grammar and capitalization.
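The warning signs listed above (a Reply-To on a free webmail domain that does not match the From domain, an executable attachment, and a body that tells the reader to run it) are all mechanically checkable at the mail gateway. The following is an added example, not code from the report or from Cloudmark, that builds two constructed messages with Python's standard email library and scores them against those heuristics. The sender addresses, the attachment name and the message text are all made up for the example; only the Yahoo! Mail domain mirrors the text.

```python
import email
import email.utils
import re
from email import policy
from email.message import EmailMessage

FREE_WEBMAIL = {"yahoo.com", "gmail.com", "hotmail.com", "outlook.com"}
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".bat", ".js", ".vbs", ".pif")


def build_sample(from_addr, reply_to, subject, body, attachment_name=None):
    """Assemble a constructed RFC 5322 message as text (sample input only)."""
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = "user@example.net"
    msg["Subject"] = subject
    if reply_to:
        msg["Reply-To"] = reply_to
    msg.set_content(body)
    if attachment_name:
        # A harmless placeholder payload; only the file name matters here.
        msg.add_attachment(b"MZ\x90\x00", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_string()


# Constructed lure modelled on the campaign described in the text.
SAMPLE_PHISH = build_sample(
    "Password Manager Team <security@passwordmanager.example>",
    "support-team@yahoo.com",
    "Reminder: Change your passwords",
    "Dear User, Please Run the attached tool to Protect your account against heartbleed.",
    attachment_name="HeartbleedFix.exe",
)

# Constructed genuine-looking advisory for comparison: no attachment, consistent domains.
SAMPLE_GENUINE = build_sample(
    "Password Manager Team <security@passwordmanager.example>",
    "security@passwordmanager.example",
    "Reminder: Change your passwords",
    "We have rotated our certificates. Please sign in at our website and change your password.",
)


def domain_of(header_value):
    """Extract the lowercase domain from an address header such as 'Name <a@b>'."""
    _, address = email.utils.parseaddr(str(header_value))
    return address.rpartition("@")[2].lower()


def warning_signs(raw_message):
    """Return a list of human-readable reasons this message looks like a lure."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    signs = []
    from_domain = domain_of(msg.get("From", ""))
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        signs.append(f"reply-to domain {reply_domain} differs from from domain {from_domain}")
    if reply_domain in FREE_WEBMAIL:
        signs.append(f"reply-to uses free webmail ({reply_domain})")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(EXECUTABLE_EXT):
            signs.append(f"executable attachment {name}")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    if re.search(r"\b(run|open|execute|install)\b[^.]*\battach", body, re.IGNORECASE):
        signs.append("body asks the recipient to run an attachment")
    return signs


if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("genuine", SAMPLE_GENUINE)):
        print(label, "->", warning_signs(raw) or "no warning signs")
```

None of these checks is conclusive on its own; a gateway would combine them with reputation data, but three independent hits on one message is already strong evidence that it should be quarantined rather than delivered.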
References to Heartbleed were also used in phishing attacks (http://tech.firstpost.com/news-analysis/new-phishing-scam-exploits-heartbleed-fear-to-con-users-222657.html) and attempts to lure the user to a malicious web site (http://www.allspammedup.com/2014/04/heartbleed-spam/).
The eBay data breach was also used in at least one spam attack. The messages implied that the recipient might be the victim of identity theft resulting in false arrest records. The call to action URL redirected to a background check service called Instant Checkmate. This business had been around since 2012 but had generated numerous consumer complaints. They are said to imply that they have an arrest record for an individual when all they have is a postal address, tricking consumers into signing up for their paid service. There are also complaints that customers who believe they were paying a one-time fee found a recurring monthly charge on their credit card.
As a general rule, email users should be particularly careful after any well-publicized computer security problem, not just because of the problem itself, but also because of the spammers who will try to take advantage of it.
Cloudmark is a trusted leader in intelligent threat protection against known and future attacks, safeguarding 12 percent of the world's inboxes from wide-scale and targeted email threats.
With more than a decade of experience protecting the world's largest messaging environments, only Cloudmark combines global threat intelligence from a billion subscribers with local behavioral context tracking to deliver instant and predictive defense against data theft and security breaches that result in financial loss and damage to brand and reputation.
Cloudmark protects more than 120 tier-one service providers, including Verizon, Swisscom, Comcast, Cox and NTT, as well as tens of thousands of enterprises.