Cloudmark Security Threat Report 3Q 2014

From China: Designer Fakes and iMessage Spam

Last quarter, Apple iMessage fell prey to a China-based group of spammers responsible for flooding iMessage with the single largest U.S. mobile spam campaign seen in the past six months — peaking some days this quarter at nearly eighty percent of all reported mobile spam in the U.S. for that day. The goal of these messages was to peddle knock-offs of several designer brands of sunglasses and handbags with Oakley, Ray Ban, and Michael Kors being the most popular.

Earlier this quarter, Cloudmark began an investigation into the spammer’s method for monetizing these spam iMessages by ordering from one of the websites in a spam message using a limited value credit card. It was a plausible assumption that this might be some type of credit card phishing or hard scam. However, a package was shipped from China, and actual goods similar to those ordered were delivered. Though, on inspection it was clear that the goods were not legitimate versions of the purported merchandise.

Fake Michael Kors bag ordered from a website advertised in an iMessage spam
Photographer: Dan Conway

This fake version was made of cheap imitation leather with cheaply plated buckles and clasps throughout and several items including a label and several metal buttons were inscribed with Chinese instead of English. A poorly cut foam rectangle lined the bottom of the bag.

Cheap plated clasps including a Chinese-inscribed button
Photographer: Dan Conway

The quality of the goods was unsurprising given that the domains advertising the fakes generally look as fake as the merchandise, although certain banners and art assets on the sites appear to be stolen copies of the actual designer branding.

One of many fake Michael Kors sites

The registrants of these imposter domains were, with one exception, all of Chinese origin, with IP addresses and names from China. Analysis of the various email domains associated with the Apple IDs reported blasting out this iSpam also revealed that many were from popular Chinese webmail sites. During its peak, 59 percent of senders were Chinese email addresses, although it is easy for anyone in the world to sign up for both a Chinese email account and an Apple ID. Tracking information for these packages revealed that they were shipped from somewhere within roughly three hours of Suzhou, China.

Owners of these designer brands have taken notice, and during the course of this extended spam run many of the most used domains have been taken down for copyright infringement. Notices from what appear to be the legal teams representing the brands have replaced the taken-down sites with disclaimers warning visitors about the illegal goods and suggestions on ways victims can attempt to recover their money. Takedowns by Greer Burns & Crain Intellectual Property Law also became noticeably faster over the course of this campaign. Sites that would originally survive for weeks began coming down almost immediately in the latter part of the quarter, likely leading to the spam’s disappearance seen in the final month.

Figure 1

Prior to these waves of messages, it was rare for iMessage to be used as the sole, or even the primary, vector for doling out spam.

A very similar campaign offering extreme discounts on Gucci, Prada, and other designer items had previously hit iPhones nationwide during Black Friday last Thanksgiving holiday. However, this was likely just a test run and quickly abated. The campaign returned this past May, persisting this time for months rather than days, with far higher volumes of messages and resulting complaints reported to 7726.

Reports indicate that as much as forty percent of all unwanted text messages received by U.S. mobile subscribers in May were from this single campaign attempting to sell fake goods. Across the entire third quarter roughly one out of every five spam texts were these iMessages, filling up users’ iPhone, iPad, and Mac desktop inboxes. Unwilling recipients of these messages took notice as well and complaints began to hit Twitter throughout the quarter as users started receiving the iSpam:

Tweet complaining about iMessage spam

This one spam campaign contributed almost the entirety of the “Auction / Sale Site Spam” seen during the third quarter. Other entire types of SMS spam, such as bank and account phishing, were a larger portion of the SMS complaints, but they are an aggregate of many separate campaigns, targeting different types of accounts and run by seemingly unrelated entities, whereas the iMessage spam appeared to be all part of one campaign.

Figure 2

Area code-targeted bank phishing attacks plagued many parts of the U.S. earlier this year, but saw a decline from the number one spot as spring began. September broke this lull with record numbers of phishing attempts. Half of all reported texts in the country during September attempted to steal personal and/or financial information from the victim.

Figure 3

This round of bank phishing, in contrast to earlier this year, casts a broad net, simply stating that the recipient’s debit card has been blocked or that they have an urgent message from one of several nation-wide financial institutions. For example, Wells Fargo, Bank of America, and Chase are among the banks impersonated. Another difference with this round is that the phishers have begun using fake versions of the bank’s website, hosted on both disposable domains and hacked webservers, to trick users into divulging their details. Among the interesting twists is a set of Bank of America phishing sites that attempt to steal common answers to your account recovery questions.

Phishing site screenshot

The Peter Pan Attack and Other Trojans

Starting on September 8, a widely publicized email spam attack purported to be a receipt for tickets to a production of Peter Pan in Bournemouth, UK. Though the majority of the attack was directed at users in the UK, the Cloudmark Global Threat Network did detect this being sent to users in a number of other countries, including Ireland, the US, Japan, Australia and Hong Kong. This attack was notable in that it hit a large number of business email addresses that were not usually subject to spam. It’s possible that the spammers used an existing botnet to collect contact information from compromised machines in order to build their mailing list.

Phishing site screenshot

The payload of the Peter Pan attack was the Cridex malware, also known as Bugat or Feodo.1 This Trojan is similar to the GameOver/Zeus attack in that it uses HTML injection to harvest information from the victim. This allows the malware to intercept the traffic between a user and their bank’s website and insert additional fields in forms. In this way it can prompt the user for additional personal information such as social security number, answers to challenge questions and even two-factor authentication credentials.

Cridex is not the only form of Trojan that we see being distributed by email. The Dyre or Dyreza malware is ramping up its attacks. This also attempts to steal banking credentials. The payload is a downloader that then loads the full malware package. The emails promoting it are not as visually appealing as the Peter Pan spam, and usually take the form of some sort of business communication such as an invoice or shipping notice.

Malware email

Though Cryptowall ransomware is being distributed by malvertizing,2 we also see it as a spam payload. A recent attack was a fake fax notice.

Malware email

These and other current Trojans use a number of different techniques to evade detection by antivirus packages, including digitally signed executables, polymorphism, and the use of a variety of compression techniques including the obsolete .arj format. To deal with these rapidly changing attacks, it’s important to have good spam filtering in place to interdict the delivery mechanisms used, as well as a current AV package.3

Blocked IP Addresses By Country

Romania drops to third place, dramatic long term improvement in Belarus

The United States still tops the ratings for the most IP addresses blacklisted by Cloudmark, with China taking over second place from Romania. We have seen an upward trend for the past two years in both the US and China, while the other member of the top three, Romania, has been roughly stable with a slight downward trend for the past year.

Figure 4

This is somewhat understandable, as there is a limited supply of IPv4 addresses, and most of them have already been allocated. Renting a dedicated IP address is cheaper in the countries with larger allocations of IP addresses, and the countries with the largest IP address space allocated are the US and China. In fact, the US and China between them have 44 percent of all IPv4 addresses.

On a smaller scale we can report a significant success story out of Eastern Europe. In our 2013 Q2 Threat Report, we noted that we were filtering 27 percent of all the IPv4 addresses allocated to Belarus. Shortly after publication we were contacted by the Belarus CERT and shared details of the problem with them. Since then we have seen a long-term steady decline in the number of blacklisted addresses in Belarus.

Figure 5

It is now down to 2.6 percent, less than a tenth of the peak value.

In terms of the percentage of IPv4 addresses blocked, Belarus is now tied for third place with Iran, behind Romania and Panama. Vietnam and Ukraine are fourth and fifth.

Figure 6

Note that there are other countries with high percentages of blocked IPv4 addresses that are omitted from this report as the total number of addresses allocated to them is too small to be significant.

Country Report: Russia

As one would expect from such a huge and diverse country, Russia is a significant source of spam. The Cloudmark Global Threat Network currently places it at number three in the world, after the US and Brazil. We see spam originating from the big telecommunications providers who supply home and mobile Internet services, and also from various hosting companies, some of which seem to cater almost exclusively to spammers. The traffic coming via the telecom companies is probably from botnets. Further, a much higher percentage of PC users in Russia are still running Windows XP than in the US,4 and this obsolete operating system is likely to be more vulnerable to attack than more recent software.

Almost 60 percent of the outbound spam from Russia comes to the United States. Much of the rest goes to Australia, Japan, the UK, Italy and Brazil.

Figure 7

Russian consumers are not immune from spam, though. Almost 30 percent of all the spam received in Russia comes from Russia itself, and another 10 percent from neighboring Ukraine. In fact, almost all of the traffic from the Ukraine to Russia is spam.

Figure 8

There are no anti-spam laws in Russia, so a lot of Russian spam is just marketing pitches. However, there are more pernicious forms of spam there. For example, we see quite a lot of emails linking to fake Russian blogs promoting binary options trading scams.5

An excellent educational system coupled with a lack of high tech jobs has made Russia a center for more serious cyber criminals, many of whom use spam as part of their attacks. The FBI currently has a warrant outstanding for Russian citizen Evgeniy Mikhailovich Bogachev,6 alleged author of the Zeus Trojan that attempts to steal banking credentials, and is associated with the Cryptolocker ransomware. Some security researchers suggest that the Russian cyber criminals are given a free ride by the local authorities provided they only prey on victims in other countries, and they help out with cyber warfare attacks such as the 2007 attack against Estonia and the 2008 attack against Georgia. However, last year Russian authorities did arrest Dmitry Fedotov,7 alleged author of the Blackhole exploit kit, so they are not entirely blasé about malicious hacking. Part of the problem may be that until the police reforms of 2011, the Russian police system was highly decentralized, and the authorities in Moscow had procedural difficulties to overcome before investigating and prosecuting cyber criminals in other regions. One of the other goals of the police reforms was to remove all police officials with links to organized crime! Let’s hope that the Russians will follow up the arrest of Fedotov by action against Bogachev and other criminals based there.

Character Frequency of a DNS DDoS

When navigating the Internet, the Domain Name System (DNS) provides translation between domain names (such as and their associated IP addresses, allowing browsers and other software programs to find the computers, services or network connected resources that they’re looking for. Domain name servers act as repositories for these DNS records and respond to requests for information about those domain names. These domain name servers are typically recursive and will pass requests to authoritative name servers for records that are not stored locally.

DNS servers often cache the results of requests for a short period of time as a way to more efficiently answer a high volume of subsequent requests. The name server’s ability to cache previous requests for a short amount of time alleviates the need for intermediate name servers to waste resources repeatedly looking up the same domain with its authoritative name server. However, attackers can circumvent this caching to launch denial of service attacks against authoritative name servers.

Using Cloudmark Security Platform for DNS, Cloudmark engineers were able to identify a high-volume DNS-based attack within TCP traffic captures that were collected from a large ISP who had noticed periods of heavy load on their DNS infrastructure. Cloudmark Security Platform for DNS was run in offline mode on TCP traffic captures for this analysis, but it can also be run in passive mode on a tap of real time DNS traffic or in active mode directly on the DNS traffic. This particular attack was characterized by an inordinately high number of requests being sent to a relatively small number of unique domains. These requests were using a pattern of requesting fully qualified domain names (FQDNs) with an apparently random sub-domain. The format for the FQDN was:

[random sub-domain] . [generic sub-domain] . [SLD] . [TLD]
For example:

One hypothesis was that the random sub-domains were being used for the purpose of passing data via DNS tunneling. However, the pattern observed in the sub-domain made tunneling unlikely. Only alphabetic characters a-z were used in the sub-domain, thus limiting the case-insensitive sub-domain to base 26. Encoding data in the sub-domain this way versus the standard range of characters allowed by DNS would reduce efficiency for DNS tunneling as a base 26 system would require two characters simply to transmit a single byte of information.

Analysis of the alphabetic characters being used showed that the frequency distribution of characters was completely flat. That is, each character was used almost exactly the same number of times across the millions of sub-domain requests. The use of each letter varied by less than half of a single percent from the least used to the most used character. In the graph below, you can see just how uniform the character distribution was.

Frequency of Letters Used in Sub-Domains Source: Cloudmark analysis of a large ISP’s DNS Traffic, May 2014
Figure 9

Sub-domains’ lengths were also strictly patterned. The length of each was almost always even-valued. One second-level domain (SLD) had sub-domains that broke this pattern; however, its sub-domains were all constrained to odd integer lengths.

Figure 10

Focusing on just a single requesting IP address for uncovered a pattern in the position of characters within the sub-domains. Only letters belonging to distinct sets were seen in each position within the sub-domain string — one set being the odd letters of the alphabet, the other being the even letters. So, the first character of the sub-domain would only ever be a, c, e, g, etc., while the second character would be b, d, f, h, etc. This continued for third, fourth and all subsequent positions. An example of the first character used in the sub-domain of requests from a single IP to

Figure 11

This alternating scheme further restricts the sub-domain to base 13 since each position can only be one of half the alphabet’s letters. If tunneling were being used, three characters would now be needed to encode a single byte — even less efficient. The following shows character frequencies for all positions of the requests to

Sub-domain Letter Frequency by Position
Figure 12

This helps to more clearly illustrate the alternating pattern of letters used per position. With these limitations on the characters used, along with a plethora of both single-character and double-character sub-domains that are unable to transmit a full byte, it is clear this was not used for DNS tunneling. Also, this level of similarity in requests across many different IP addresses suggests that something is coordinating them.

It was then found that the list of domains used matched those seen in another Cloudmark investigation. This set of domains was being used in an attack on authoritative name servers. A coordinated group of computers was circumventing name server caching with the unique sub-domains to enable a more effective resource exhaustion attack against the authoritative name servers.

By algorithmically cycling through so many unique sub-domains quickly, this botnet subverted the caching of DNS responses so that each request would require a lookup from the authoritative name server. This malicious overburdening of the DNS infrastructure would then begin to degrade the name server’s performance. Lookups to the authoritative server would then become unresponsive thus hindering general Internet service.
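The traits described above (an a-z-only alphabet, a flat letter distribution, letters alternating between the odd and even halves of the alphabet by position, and even label lengths) can be checked mechanically over a batch of queried names. The following Python checker is an added example and is not code from the Cloudmark report or product; the fixed suffix www.example-placeholder.com and the sample labels it generates are constructed placeholders, and the base-26 versus base-13 figures reproduce the report's characters-per-byte reasoning.

```python
import math
import random
from collections import Counter

# Letter sets the report observed at odd and even positions (1-based).
ODD_LETTERS = set("acegikmoqsuwy")
EVEN_LETTERS = set("bdfhjlnprtvxz")


def subdomain(fqdn, suffix):
    """Leading label of fqdn if it sits under suffix, else None."""
    fqdn = fqdn.rstrip(".").lower()
    if not fqdn.endswith("." + suffix):
        return None
    return fqdn[: -len(suffix) - 1].split(".")[0]


def spread(counts):
    """Gap between most- and least-used letter, as a share of all letters."""
    total = sum(counts.values())
    if total == 0:
        return 1.0
    return (max(counts.values()) - min(counts.values())) / total


def alternates(labels):
    """True if odd positions use only odd letters and even positions only even."""
    for label in labels:
        for i, ch in enumerate(label):
            allowed = ODD_LETTERS if i % 2 == 0 else EVEN_LETTERS
            if ch not in allowed:
                return False
    return True


def chars_per_byte(alphabet_size):
    """Characters needed to carry eight bits with an alphabet of that size."""
    return math.ceil(8 / math.log2(alphabet_size))


def analyse(queries, suffix):
    """Summarise the traits of the sub-domain labels under one fixed suffix."""
    labels = [s for s in (subdomain(q, suffix) for q in queries) if s]
    counts = Counter("".join(labels))
    return {
        "labels": len(labels),
        "only_a_to_z": all(set(l) <= ODD_LETTERS | EVEN_LETTERS for l in labels),
        "spread": spread(counts),
        "alternating": alternates(labels),
        "all_even_length": all(len(l) % 2 == 0 for l in labels),
    }


def make_sample(n, seed=1):
    """Constructed labels following the observed pattern (not real traffic)."""
    rng = random.Random(seed)
    odd, even = sorted(ODD_LETTERS), sorted(EVEN_LETTERS)
    return ["".join(rng.choice(odd if i % 2 == 0 else even)
                    for i in range(rng.choice([2, 4, 6, 8])))
            for _ in range(n)]
```

A batch of real resolver logs would be fed to analyse() after extracting the queried names; a high label count with a small spread and the alternating flag set is the signature the report describes, while labels too short to carry a byte argue against tunneling.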

Cloudmark 14Q3 - Security Threat Report (5.6MB)