You can count on Cloudmark to bring together the latest trends, insights, and conversations about network traffic abuse. Visit often to stay up to speed on email, mobile, web, and DNS security threats.
From Gen Y to Baby Boomers, people everywhere are embracing the potential offered by the always-on connectivity of smartphones and other mobile devices. But ease and affordability may not be the only factor driving widespread adoption; our inherent trust in the devices and the medium no doubt have equal affect.
This inherent trust in mobile phones is not at all surprising, after all, telephones have been in our homes and widely trusted for generations. Indeed, nearly everyone in the Western world and in many developing countries grew up with traditional landline telephones. As such, telephones have always been a part of the current generations’ lives; cellular is merely a transition of that trusted device into a mobile platform.
Attackers are well aware of this wide acceptance and use this trust to their advantage. As an example, many believe that any communications via their smartphone — whether via traditional call or via SMS — must be from someone they know or have done business with.
This stems from the logic that their numbers must be private because cellphone numbers are not automatically published in familiar "white pages." Such logic furthers the notion that any calls or SMS received on the device must somehow be personally intended for them.
Compounding the trust in the devices, mobile phones — particularly smartphones — tend to be always-on, giving us instant communications and connectivity regardless of where we are or what we might be doing. The combination can be lethal, resulting in hasty decisions and impulsive reactions that can — and often do — lead to compromise.
Global smartphone adoption rapidly increased in 2012, with some developing countries leap-frogging desktop computers altogether and going straight to the era of mobile. Simultaneously, mobile device use increased in developed countries, drawing users away from the desktop. Further, a lack of trust in email due to spam and malware has increasingly driven the use of text-based messaging systems, including SMS.
The proliferation of mobile devices across the globe has led to an accompanying proliferation of SMS and mobile messaging. As much as 72% of adults indicated that they use their mobile device to send and receive SMS texts according to a study conducted on behalf of Cloudmark. In fact, most mobile users send more total texts than they place phone calls each month.1
Equally important, SMS message open rates exceed approximately 90%.2 This contrasts to email, which averages an open rate of roughly 20-25% with an average wait time of 24 hours.3,4 The end result: SMS provides a ripe opportunity for scammers and attackers.
A recent study conducted on behalf of Cloudmark suggests that spammers have noticed the widespread adoption of SMS. Of adults in the U.S., 60% claim to have received spam SMS text messages within the last year. These campaigns are also seeing returns. Out of U.S. adults who received unsolicited text messages, 13% clicked the link provided. Similarly, 9% claimed that they have called the phone number given in an unsolicited text. Even mobile users that recognized nefarious messages might be at risk as 41% indicated that they would reply "STOP" to unwanted texts. Doing so may incur hefty charges for the victim when replies are sent unknowingly to premium-rate numbers.
Unsolicited text messaging can take many forms, ranging from commercial offers to highly criminal phishing scams. While all unwanted messages may be considered spam, this section focuses on SMS spam that fall into the category of scam, fraud, or malicious.
A key component to success of SMS spam is that the message appears fresh and original. Spammers pay keen attention to their return on investment (ROI), tweaking the message as necessary to ensure higher open rates.
As illustrated in Figure 1, spammers targeting the U.S. and U.K. employed on average 30,000 unique pitches per month or approximately 359,000 unique pitches throughout 2012 in an effort to keep messaging fresh and ensure higher open rates. The highest churn rate occurred in December 2012, with more than 53,000 unique pitches.
Pitches employed by spammers often take advantage of events meaningful to intended recipients. This quasi-targeting of the pitch may make a particular message appear to be more legitimate.
As an example, scams purporting to be Payment Protection Insurance (PPI) compensation are common in the U.K. but not in other parts of the globe. This is due to a High Court ruling in 2011 that resulted in banks refunding consumers billions of pounds for mis-sold insurance policies.
Word spread quickly as this type of complaint rose to account for nearly 60% of all claims in 2012, the most ever received regarding any single type of claim.5 Rising popularity about the topic and intrinsic ties to finances made PPI Compensation scams a ripe target for those targeting the U.K. in 2012.
By the same token, time-related events also factor into SMS spam pitches. While tax-related scams did not comprise a significant portion of global SMS spam overall, the trajectory of tax-related spam does reflect the time-sensitivity exploited by scammers.
In Figure 3, note the heightened volume of tax-related SMS spam in the U.S. prior to the April 15th filing deadline. A second, smaller increase is also seen just prior to October 15th, the tax filing extension deadline. It is safe to anticipate that levels of tax-related SMS spam will rise once again in the first quarter of 2013, as tax season kicks off.
In other instances of SMS spam, it appears spammers may be test-driving certain message pitches to determine their viability. Over the course of 2012, spammers appeared to interchangeably leverage the popularity of the Walmart, Best Buy, and Target stores.
Figure 4 demonstrates the volume of SMS spam related to these bogus gift card scams that employed themes masquerading as the Walmart, Best Buy, or Target name. Note the staggered peaks between each spoofed retailer, indicative of the possible ROI monitoring mentioned previously.
Retail-themed scams attempt to trick the recipient into believing they have won — or will win — a free gift card, simply in exchange for taking part in a survey. The survey carries hidden terms and conditions that make the gift card nearly impossible, or very expensive, to actually win. To make the gift card attractive, scammers need to make the recipient believe it will be awarded for a trusted merchant.
While retail analysts debated which device or operating system dominated the market in 2012, Apple products were a clear favorite among scammers. Throughout the year, iPad, iPhone, and iPod themed scams dwarfed spam themed around Android devices or Windows.
In Figure 5, the sharpest peak occurred in February 2012 as news of a prospective iPhone 5 swept the blogosphere. The trend was sustained through April, before finally declining in the summer months — only to experience a mild peak again when the real iPhone 5 was actually released.
Spammer’s clear preference for Apple seems to be out of sync with consumer buying habits however. During 2012, 68.8% of all smartphone units shipped were Android, dwarfing all other operating systems combined.6
Perhaps the most insidious SMS threat to date, phishing exploits users trust in their mobile phone by sending urgent sounding messages designed to elicit an immediate — and often not well thought out — response.
While phishing may be the most insidious of SMS threats, it is by no means the most prevalent. However, SMS phishing tends to be tightly targeted (by bank, carrier, or geography) and tends to occur in cycles. In 2012, the highest peak of SMS phishing occurred in September and October 2012. Following this peak, the cyclic nature of scammers' campaigns was demonstrated. The bulk of pitches shifted back towards gift card scams, likely motivated by the holiday season.
Unlike traditional phishing wrought via email, SMS phishing adds an air of legitimacy by instructing recipients to dial a phone number as opposed to visiting a website. Using virtual voice systems, the recorded messages typically claim to be fraud service divisions for major banks.
Those who respond are led to believe a fraud investigation is ongoing — usually regarding their bank debit card – and that, in order to prove their identity, they must enter their card number, PIN, and other sensitive information.
Phishing for debit cards can be particularly devastating to victims who may have little recourse to recoup the stolen funds. Unlike a credit card, debit cards may not carry fraud protection. Further, even if stolen funds can be recouped, there may not be enough money leftover to pay bills due in the interim. This may not only lead to other immediate financial difficulties, but could pose long-term credit problems.
The SpamSoldier attack was the first example we have seen of a simple Android botnet propagated via SMS being used to send SMS Spam. The initial attack was seeded by SMS messages promising free versions of popular games. Following is a typical example of an SMS message used in the attack:
The downloaded file contained an initial loader program and a pirated copy of the game. When run, the loader program set up a service to send SMS spam, delete its own icon and install the pirated game. The loader also added a filter to incoming SMS messages, to block any that did not come from phone numbers already on the user's contacts list. (This presumably prevented notification from irate recipients of subsequent SMS spam sent from the infected device).
The spamming service then sent a series of HTTP GET requests to a command and control server which responded with the next spam SMS message to be sent and fifty phone numbers to which the spam would be sent. The resulting spam sent out to this list was a blend of affiliate revenue related spam and messages intended to further the infection.
After a brief trial in October, this attack started regular activity in mid November and saw a rapid ramp up in volume beginning on December 8th. The first command and control server was taken down on December 12th and all other domains used by the attack taken down on December 19th.
During the attack, it is estimated that the spammer sent between five and ten million SMS messages, resulting in between one and two thousand mobile devices being infected with the malware.
While SMS spammers employed many different scam and fraud campaigns, 'Receive a Gift Card' scams were the most prevalent, comprising nearly half of all SMS spam. Perhaps an indication that recipients respond most to free offers: the second most prevalent SMS spam type professed to offer free iPads and iPhones. Both types of spam typically require completion of a lengthy and possibly privacy-compromising survey. Unfortunately for the victim, the convoluted terms of service make winning nearly impossible — and in rare instances when a respondent may actually qualify, the costs associated with compliance far outweigh the product's value.
|Attack Type||2012 Volume|
|Receive a Gift Card Scam||44%|
|iPad/iPhone Test and Keep Scam||11%|
|Cash Advance / Payday Loan Spam||8%|
|Bank / Account Phishing||5%|
|SMS Service Spam||4%|
|Job Listing Scam||3%|
|PPI Compensation Scam||3%|
|We Buy Junk Cars Spam||3%|
|Dating / Romance Scam||2%|
|Automobile Listing Spam||2%|
In aggregate during 2012, 23% of the world's email was spam. From January to December, the ratio of email spam increased 2.57%. This is contrary to other trends of continuing decline that began in late 2010, following the takedown of several high-volume spam botnets.
Spam rates vary significantly by country. Figure 8 shows Benin had the highest overall spam rate. Of all email originating from the country, 98% of emails were spam. Four of the top ten highest spam rate countries were located in Africa, four were located in Europe, and two were located in Asia-Pacific.
|Country Name||Spam Percentage||Period Change|
Countries with the lowest spam rate included Greenland at only 4% of email being spam. The United States had the 5th lowest spam rate at only 14%.
To calculate a norm, the median rate of spam across all countries combined was used. For reference, the median spam rate was 73% while the average was slightly lower at 65%.
|Country Name||Spam Percentage||Period Change|
|St. Kitts and Nevis||13%||-8%|
|Isle of Man||15%||-5%|
|Turks and Caicos Islands||16%||-12%|
As seen in Figure 10, below, spam rates increased in French Polynesia, Guam, Turkmenistan, Honduras and Luxembourg. It is interesting to note that among countries that experienced the greatest spam rate changes, none appeared in the top ten highest or lowest.
Another trend observed in 2012 was the increased use of "blended" threats spanning multiple messaging types. These attacks used a combination of emails, SMS messages, instant messaging conversations, and mining of social network relationships to send spam.
In affiliate webcam spam, a spammer sends a sequence of SMS messages that to an untrained eye may appear to be one half of an interactive conversation.
The seemingly conversational SMS messages typically have three distinct phases. After sending a message for each phase, the chat bot waits for a reply before sending a message for the next phase.Phase 1:
Note that in Phase 1, the attackers presume the recipient will reply with "who is this" or a similar response, and thus the chat bot is programmed to respond accordingly.Phase 2:
Note that in Phase 2, the attackers have already presumed the recipient will issue a challenge or continue to verify the sender's identity and thus the chat bot programmatically deflects accordingly.Phase 3:
Once the conversation shifts to Yahoo Messenger, a second scripted conversation continues, this time driving traffic to a website containing an "Accept" button. Clicking the accept button on the landing page opens two browser windows — one to an adult dating site and one to a webcam site.
The webcam site is one of thousands owned by a single company; each cam site has the same content and offers an affiliate program that pays $40 per signup.
In the second example of blended messaging threats, a spammer searches social networks to find plausible real names to use when sending spam emails. Here is a sample sequence of steps a typical spammer may follow:
Subject: FOR Frank
From: Bob Smith <firstname.lastname@example.org>
To: "email@example.com" <firstname.lastname@example.org>
The email address for Bob Smith is not Bob's real email address. However, the name is relevant to Frank so it's more likely that Frank will not notice the spoofed address and believe the mail is legitimately from his friend Bob.
Additionally, since Frank believes the message is from Bob, he is more likely to take any action designated in the mail, such as clicking a link or opening an attachment.
To counter these projected trends, both subscriber and mobile network operator must join forces to actively combat SMS spam.
To guard against scams in both email and SMS text messaging:
While email continues to be a steady source of spam, SMS text messaging may well be the new frontier. Spammers' adoption of SMS may be due in part to users' inherent trust in mobile communications — believing that any phone call or text message is personally meant for them.
Further, unlike computers, most of us keep our cellphones with us at nearly all times, setting the stage for potentially more impulsive and risky reactions (such as clicking links or texting premium rate numbers).
Judging from the peaks and valleys in SMS types and pitches, it appears spammers may still be testing the best methods to increase their ROI and get their bearings in this still relatively new medium.
Albeit still in its infant stage, 2012 also heralded the transition to more severe SMS-facilitated mobile attacks, a trend we fully expect to see carryover and further develop in 2013.
These trends may be further exacerbated by increased capabilities of smartphones in the coming year, setting the stage for even more sophisticated and coordinated attacks — including the potential for more mobile botnet activity.
Cloudmark is a trusted leader in intelligent threat protection against known and future attacks, safeguarding 12 percent of the world's inboxes from wide-scale and targeted email threats.
With more than a decade of experience protecting the world's largest messaging environments, only Cloudmark combines global threat intelligence from a billion subscribers with local behavioral context tracking to deliver instant and predictive defense against data theft and security breaches that result in financial loss and damage to brand and reputation.
Cloudmark protects more than 120 tier-one service providers, including Verizon, Swisscom, Comcast, Cox and NTT, as well as tens of thousands of enterprises.