Cloudmark 3Q13 Global Messaging Threat Report July – September 2013
Football, Finances, and Fall SMS
The world’s most popular sport, football, is big business for all types of markets. In England, August 17th kicked off the start of its annual Premier League. However, this Saturday also marked the beginning of another weekly staple in the UK: sports betting SMS spam. Each weekend, as clubs face off with one another, mobile subscribers face off against bandwagon spikes in SMS spam attempting to part excited fans from their money.
Above, Figure 1 depicts the percentage of daily SMS spam in the UK that marketed various online sports betting services. Highlighted are the six Saturdays that coincide with the start of each week for the Premier League. On these days, the sports betting category soared in volume. As Liverpool went into the fourth week undefeated, Saturday, September 14th had the quarter’s biggest spike with 52% of all reported UK SMS spam for the day relating to betting sites.
Payday Loans, another favorite among UK SMS spammers, topped the list this quarter as the highest volume type of SMS attack.
Offering these potentially predatory loans via SMS has been a mainstay of UK SMS spammers for quite some time. However, the UK payday loan market has been put under a microscope this year due to questions regarding their unscrupulous terms.
Early this year, the Office of Fair Trading (OFT) began an audit of the top 50 payday lenders. These lenders, comprising roughly 90 percent of the market, were given twelve weeks to correct various issues of compliance or potentially lose their credit license. Following this move, 19 of the 50 lenders are no longer working with payday loans. The majority simply left the payday market while continuing to lend in other areas and were still subject to the OFT’s audit. Four of the lenders, however, have suspiciously chosen to forfeit their licenses altogether, perhaps because they wanted to avoid any kind of audit.
With so many lenders exiting the market, it would be reasonable to expect a drop in payday loan spam. Yet this is not what we’ve seen over the past quarter, nor over the course of 2013. Marked above in Figure 2 is the percent volume of payday loan spam in the UK, with relevant OFT oversight landmarks highlighted. Spam’s erratic nature led to some sharp dips, but each was quickly met with a prompt recovery. In fact, the category saw a sizeable increase in volume share beginning in mid-May, leading to a sustained increase overall.
Some hope remains for annoyed recipients. After its audit of the lending market, the OFT has chosen to refer the market to the Financial Conduct Authority (FCA). The FCA oversight will begin in the spring of 2014 with, hopefully, implications for payday loan SMS spammers. Along with news of the FCA oversight, the head of the FCA explicitly mentioned that a leading concern for the Authority is advertising practices that target young adults and students. It is plausible that the FCA may see the SMS medium as a method for targeting these demographics and subsequently take action against these spammers in the spring.
In the third quarter, nearly 65% of all reported SMS spam employed financially charged messages to either entice or fearmonger.
Spam and scam messages attempting to seduce (or scare) with the explicit mention of money currently seem to hold a great deal of traction with SMS spammers. Along with payday loans’ dominant 35% share of all reported SMS spam, each of the top three most prolific categories was financially themed. Similarly, half of the categories from the top ten targeted recipients with monetary schemes. Below in Figure 3, each of the categories highlighted in green uses money as the prime motivator.
While Figure 4 seems to denote a steady rise in payday loan SMS spam, this is not the case. Actually, this illusion is created by a subtle variation in the total volume of spam reports as other campaigns have lessened or otherwise retired. One area of particular interest is that of the expanding product promotion messages. The past quarter has seen significant growth (almost doubling) in legal SMS marketing campaigns offering a variety of goods and services.
Country Profile: Japan
The anti-spam laws in Japan have been strengthened several times over the past decade, but Japan still has a significant spam problem. This is due in part to the underlying laws relating to email in Japan. These state that an ISP cannot scan the email to determine if it is spam unless the recipient has opted in to this service. Blocking the originating IP address can still filter spam, but that leaves users vulnerable to attacks from botnets or “snowshoe” spammers renting a large range of new IP addresses. In addition, Japanese ISPs have traditionally seen spam filtering as a profit opportunity, and many charge extra to provide this service. With as many as 80% of users declining to pay additional fees for a clean inbox, that makes things easy for spammers.
The fact that the Japanese language is not widely spoken outside Japan gives the Japanese some protection from foreign spammers. However, over 70% of spam sent to Japan comes from other countries. It is clearly a target for spammers in nearby China and South Korea. 25% of all international email leaving China is spam to Japan, as is 21% of all international email leaving South Korea. (Figures from Cloudmark Network Feedback System.) The ready availability of IP addresses in the USA also makes that country a major source of Japanese spam.
Japan is not a significant source of spam sent to other countries. Of the spam originating in Japan, 55% stays there. However, some marketing graymail and spam is sent to Brazil (see Cloudmark’s 2013 Q2 Threat Report). A relatively small quantity of spam is also sent to the US. Many Japanese ISPs block port 25 outbound, which prevents zombie machines from sending spam directly. As a result, most spam originating in Japan is coming from machines that are legitimately under the control of the spammer.
While some Japanese hosting companies could clearly benefit from better filtering of outbound spam from their customers, the real spam problems in Japan will not be solved until the necessary legal and commercial changes are made to provide free, universal inbound and outbound spam filtering for every email account.
Blocked IP Addresses By Country
At the end of the third quarter, Romania still holds first place for the number of IP addresses blocked by Cloudmark. As seen in Figure 6, however, a rapid increase in the US has put it in contention for first place. Between them, Romania and the US now account for 45% of all blocked IP addresses, as seen in Figure 7. We are seeing an upward trend from Germany and China, while there is some evidence that Belarus is beginning to get its outbound spam problem under control.
After Cloudmark noted in our last quarterly threat report that we were blocking 27% of the total IP address space for Belarus, we responded to an inquiry from CERT in Belarus requesting more details. Since then we have seen a steady improvement in that country. We are still blocking 20% of the Belarus IP address space, but at least the trend is in the right direction.
Of particular note is an upward trend in Iran. The number of Iranian IP addresses that Cloudmark is blocking has more than doubled since the end of the second quarter, reaching 3.9% of Iran’s IP address space. The spam we see originating from Iran is coming from compromised machines rather than from spammers operating out of Iran. It is aimed mostly at English-speaking countries, but significant amounts are also going to Spain, Japan, Italy, and Uruguay. The upturn in spam from Iran coincided with the lifting of sanctions on the sale of laptops and routers to that country on July 1st. It’s possible that this has resulted in large numbers of new computer users who are falling prey to malware infections.
In percentage of IP address space blocked, Romania, at 24%, has taken the top place back from Belarus, at 20%. Panama (see 2013 Q1 Threat Report) is gaining fast, up to 13% from 10% at the end of last quarter. Spam from Panama is largely from servers rented by spammers on bulletproof hosting services such as panamaserver.com. The main targets are Brazil and the US.
The fact that botnets managed in Eastern Europe are using computers in Iran to send spam to Japan advertising pornography is an excellent example of the international nature of cybercrime, and the fact that it calls for international solutions. Iran’s problems will likely diminish as more of their computer users install anti-virus software. However, it may take substantial international pressure to force the authorities in countries such as Romania and Panama to take action against rogue hosting companies used by spammers.