On March 7th, the Federal Trade Commission (FTC) announced that it was filing a series of complaints regarding abusive use of SMS messaging services to send more than 180 million scam messages. These scam messages falsely promised individuals “free” gift cards or prizes from retailers such as Best Buy, Walmart, and Target. Unfortunately, victims are tricked into providing personal information and signing impossible terms and conditions that void any possibility of winning. In the unlikely event a prize is won, the recipient ends up paying more to receive the prize than the product’s value. These types of scams have dominated the reports to 7726 by a wide margin. Gift card scams constituted 44% of all SMS spam reported in 2012. The eight complaints filed by the FTC also seem to have had a noticeable effect on the volume of gift card scams sent out in the first quarter of 2013. Figure 1 clearly demonstrates the impact that this move had on spam volumes. Daily rates fell dramatically from near 50% to below 10% of volume during the days leading up to and after the announcement.
Two relative newcomers joined the quarterly top 5: Job Listing Scams and Adult Content Spam. Both are by no means new to the world of email or SMS spam. However, their recent surges in SMS volumes have landed them in the spotlight this quarter. Although both types of spam rarely contributed more than 5% of monthly volumes in 2012, both have more than doubled already this year. As expected, Receive a Gift Card Scam claimed the number one position due entirely to its dominance in January and February. The FTC’s charges came late in the quarter.
Figure 3 illustrates the monthly volumes of the top 5 categories over 2013’s first quarter. Job Listing Scam volumes exploded by 400% over the quarter, with their share increasing from 4% to 22%. Meanwhile, gift card volumes plummeted by 78% to a measly 6% share of March’s volume, barely enough to make March’s top 5. Phishing attacks also seemed to be on the rise in February and March, with double-digit shares.
Figure 4, below, represents the total number of reports to 7726 normalized by the quarter’s average volume. This figure shows a near 20% drop in the volume of reports from January to March. The likely culprit: gift card scam volumes plunging.
We would expect to see consistent increases in reported volumes. Other variables may have played a part in this decline. A slight decrease was seen in February, but gift card scams only saw a noticeable decline in March. It is plausible that Payday Loan Spam’s noticeable drop in volume drove February’s dip. Spammers may also be consolidating their efforts into more potent messages to help elevate their return on investment.
SMS phishing attempts are one plausible way for attackers to do this. With phishing, victims run the risk of losing sensitive personal information, bank accounts, and credit/debit cards. Even just a single victim can provide an extremely lucrative return on investment. Attackers are likely looking to capitalize on this in conjunction with the U.S. tax season to swindle victims out of the money saved up for the April 15th deadline along with future tax returns. Figure 5 illustrates the prominent peaks in SMS phishing volumes throughout the quarter. A very similar trend was seen in September and October leading up to the United States’ tax filing extension deadline, October 15th.
In the past year Cloudmark has detected several high-profile attacks with links to Panama, including the SpamSoldier Android botnet and the Grum PC botnet. These are the result of two companies that do not attempt to prevent spammers from using their services. They are Internet.bs and Panamaserver.com.
Internet.bs is a domain registrar that, according to LegitScript, provides registration services for one third of all rogue online pharmacies. It is also responsible for several of the domains used by the SpamSoldier Android botnet attack. Though .bs is technically a Bahamian domain, both the Chairman (Gregg McNair) and the CEO (Marco Rinaudo) of Internet.bs are Panamanian residents.
The privacy service provided with Internet.bs registration is Fundacion Private Whois, a Panamanian corporation. Yet, their web site, privatewhois.net, is hosted in London by safeukdns.net, which in turn is registered by contactprivacy.com in Canada. Panamaserver.com is a hosting service that accepts anonymous customers paying using Web Money or Liberty Reserve. Along with a Panamanian phone number, they have contact numbers in the US and Brazil, and their web site stresses the “offshore” nature of their operations. Most of the spam seen from their IP addresses is unsolicited bulk marketing email to customers in Brazil. Since neither Panama nor Brazil has any anti-spam laws, this is perfectly legal. Cloudmark currently has more than 80% of their IP address space flagged as poor or suspect as a result of this spam activity.
Panamaserver's hosting is not completely bulletproof. Two of the Command and Control servers for the Grum botnet were traced back to their IP address space last year. Unfortunately, these servers were only taken down in response to international pressure.
The following chart shows countries that have demonstrated a significant change in the volume of IP addresses recommended for blocking by Cloudmark.
Romania appears to have hit a plateau with marginal decline last month. However, we are seeing a corresponding increase in the figures for Belarus. It seems likely that some of the spammers using Romanian hosting services are starting to transfer their activities to Belarus. The US is in second place for absolute number of IP addresses blocked. This represents a far smaller percentage of the country's total address space than is the case for Romania, though. India is showing consistent improvement after several reports last year that it was a major source of spam in the world. China and Russia are both showing consistent, long-term increases.
Above is each country's percentage of address space currently blocked. As noted previously, the total numbers of IP addresses blocked in the US and Romania (Figure 6) are comparable. Yet, such volumes represent only 0.2% of the US address space. Meanwhile, 23.3% of Romanian IP addresses are blocked. Similarly, Cloudmark is currently blocking about twice as many IP addresses in Russia as in China, but this volume is 2.5% of Russia's total address space. China’s blocked addresses only account for 0.2% of the country’s address space.