Cloudmark is now part of Proofpoint. Learn More

About Proofpoint

Cloudmark 14Q1Global eMessaging Threat ReportJanuary – March 2014

Table of Contents

Mobile Spam in the UK

Mobile subscribers in the UK have met with a growing amount of accident compensation solicitations via SMS. Meanwhile, Casinos, sports books, and trackside hosts are pushing rounds of football and horseracing focused SMS campaigns.

Mobile Legislation in India

In India, telecomm regulator TRAI has seen noticeable success in its legislative actions against spam sent within the country.

Country Profile: Ukraine

The Ukraine is one of several Eastern European countries with a significant outbound spam problem. Here Cloudmark takes a closer look at the sources and destinations of Ukrainian spam.

Blocked IP Address by Country

The United States retains the top spot for blocked IP address spaces, but other countries in Eastern Europe are trending higher this quarter.

Emotional Appeals Peddling Malicious Software

Spammers know that sometimes an emotional shock can dull the critical faculties, and cause a user to engage in risky behavior that they would not ordinarily perform. Recently in the US and the UK we have seen spam telling the recipient that a friend has died, or that they have been diagnosed with cancer, in order to trick them into installing trojans on their computers.

Mobile Spam in the UK

From January to March of first quarter, mobile subscribers in the UK reported 11% more unsolicited messages per month. Shady accident compensation claim assistance offers were the primary driver of this increase. Nearly tripling in monthly volume from January to March, these texts were the UK’s second most prolific form of SMS spam as is seen in Figure 1.

Figure 1

Below in Figure 2, Cloudmark saw that this increase in volume drove up the category’s share of all spam texts reported in the UK from 14% to 26%. In March, this was almost enough to displace payday lending spam from the top spot for the first time since 2012.

Figure 2

Several other smaller categories saw similar volume growth. What many think of as traditional spam, promotional messages endorsing various consumer products, doubled in popularity over the three months. The result barely moved the category into the top five most popular spam types with three percent of the quarter’s UK volume.

Sports, Gambling, and SMS in the UK

Gambling texts more than double over the quarter

While the increase only led to betting offers contributing only two percent of UK SMS spam in the first quarter of 2014, it highlights the exceptionally pragmatic approach to marketing messages taken by these groups. The various casinos and sports books leveraging SMS for their campaigns have chosen to use singular event-centered blasts to pull in customers. So, while they may produce only two percent of reported messages for the quarter, Cloudmark saw these messages spike in excess of 16 percent of all UK texts reported in a single day for particularly popular sporting events.

On off days, the bulk of these gambling offers are relegated to casino promotions with differing free bets and table game enticements – offers unbiased to sporting events. Free bets and trackside pools flooded UK phones on those days leading up to the region’s largest sporting events.

Figure 3

The most visible example of this was one of the biggest fixtures of the Premiership, Chelsea vs. Manchester United. The 19th of January match, producing record viewership even across the pond in the United States, was likely a big haul for the books. Over 16 percent of all unsolicited SMS reported in the entire UK that Sunday were from bookies.

Over the four-day meet at Cheltenham racecourse in mid-March, both online sports books and trackside bettors put out 5 to 8 percent of all UK SMS reported each day. Thursdays are also repeatedly hot days for trackside betting tips hitting UK phones, reaching more than nine percent of all UK reports on the 27th of February.

From highly anticipated Premiere League matches to the year’s second largest National Hunt purse, various sports books around Great Britain demonstrate a knack for SMS marketing efficiency. However, it’s little surprise that such a numbers-driven sector, where ROI is essentially the core business, is so acutely aware of how to precisely target a campaign with minimal amount wasted effort.

Mobile Legislation in India

With subscribers in India previously receiving as many as 20 spam texts a day per subscriber, SMS spam has been a major issue for mobile subscribers over the last 5 years. The Telecom Regulatory Authority of India (TRAI), which regulates Indian mobile operators, had sought to put in various measures to deter the tide of SMS spam, but these previous attempts were not completely successful.

India had already passed strict policies around commercial messages sent as Application Originated messages. Any violators caught sending to Do-Not-Disturb customers faced severe penalties. Also, due to an extremely competitive atmosphere, various mobile operators offered unlimited messaging packages with their service. This combination made P2P SMS a desirable environment for spammers looking to engage Indian audiences.

In response to growing concerns, the TRAI implemented a spam reporting service to which users could report unsolicited text messages or calls. Most recently, a resolution from the end of 2012 asked all MNOs to block spam messages originating from within their network using intelligent, signature-based content filters.

For one of the top four carriers, the culmination of these changes and anti-spam solutions has resulted in a 99.3% drop in spam complaints reported via the TRAI 1909 reporting service. Currently, SMS spam messages in India are primarily advertising messages. Typically these messages are the kind one would expect to see in newspaper classifieds. This is in contrast to countries with more malicious forms of SMS spam like the US and U.K. Analysis of message samples taken from this quarter yielded the following breakdown of current SMS spam types in India:

Figure 4

Changes in Industry Dynamics

The deployment of these anti-spam systems and modifications to several business strategies have had marked effects on the SMS spam problem in India. One tangible result was the rerouting of messages containing stock alerts, commodity prices, and transactional messages from grey (or uncompensated) routes to those for which the operator is paid appropriately. Similarly, many valid businesses who were using illegitimate routes, either unknowingly or for cost purposes, have changed their practices. Commercial messaging services previously known to use peer-to-peer SMS channels for sending messages in bulk have also switched, choosing to register as telemarketers with legitimate sending channels. Mobile operators have also helped combat the spam problem with decreased availability of free and extremely inexpensive SMS packages to combat the problem.

However, some spam generating holdouts remain. Cloudmark has seen spammers snow shoe the same messages across multiple MNOs simultaneously, likely to avoid detection. Those spammers still using SMS have also taken a noticeable cut in profitability from being forced onto normal messaging plans and fees. Of the spammers left using the P2P channel, most are using significantly more complicated obfuscation techniques such as rapidly changing text at the beginning of the messages and common obfuscation alphabets to thwart traditional content filters. The following are examples of such messages caught by Cloudmark:

“New Group Presents *Commer. Project *Extension's Rodh,Gudgaon. *Three Hundreds Square Feet $hops Aunwords. *Star'ts at 35Lakhs 0n-ly *PH [REDACTED]”
ed78- LPCA-REGISTRATION OPEN FOR CA CPT(JUNE ATTEMPT)& FOR XI-XII.BATCHES BEG 3 APRIL FOR CPT & 4TH FOR XI.FOR DETAILS: CA RAJESH KHANNA cnt# [REDACTED]
Dear_Sir_Mam_Dream_H0me_in_Gurga0n_0n_ S0hna_R0ad_near_GD_G0enka_University _in_0nly_26_lacs_15_mints_drive _fr0m_Rajiv_Ch0k_Book _PH_O[REDACTED]

Country Profile: Ukraine

In spite of civil unrest, the Ukraine continues to produce spam

The Ukraine is one of the top twenty spam exporting countries in the world, and is in the top ten for the number of blacklisted IP addresses by Cloudmark. Unlike countries such as Romania, Belarus and Panama, where one or two hosting companies are responsible for most of the outbound spam, in the Ukraine spam originates from a number of different networks. There is a large amount of spam coming from botnet-infected machines, rather than resources owned by spammers.

Figure 5

Though some Ukrainian email sources are sending nothing but spam, most have a proportion of legitimate email. However, for international email leaving the Ukraine legitimate messages are rarely above 25% of the total output for any ISP.

The main target for spam from the Ukraine is the US, with the ubiquitous “Canadian Pharmacy” ads being common, but there is currently a significant amount going to Japan, mostly advertising adult services and horse racing tips.

Figure 6

Much of the inbound spam hitting the Ukraine is from China and the Ukraine itself, but there is also some volume from Russia, Belarus and Germany.

The recent civil unrest, change of government, and Russian military action has had little impact on the Ukraine’s spam output. There were some sharp spikes just before and during the early stages of the protests, but we are not seeing any long-term impact, either positive or negative.

Blocked IP Addresses By Country

At the end of this quarter, the US still remains the country with the most IP addresses blacklisted by Cloudmark, while a downward trend in Romania for the past six months is taking that country out of contention for the number one spot. Eastern Europe generally is trending in the right direction, with significant declines in Russia, the Ukraine, and Belarus over the past few months. Russia has now dropped into the fifth place in our ratings, and Germany takes over the number four spot, behind the US, Romania and China.

Figure 7

In Iran, we noticed a sharp increase in the number of blacklisted IP addresses after the US relaxed sanctions on the sale of laptops, smartphones, and other computer equipment to that country. This is starting to abate as Iranian computer users learn the importance of anti-virus software, though it is still not down to the levels before the sanctions were relaxed.

Figure 8

In terms of the percentage of IP address space blocked, Romania is still the clear winner with 20.8%, ahead of Panama (11.3%), Belarus (8.2%), Iran (2.5%), and Russia and the Ukraine tied on 1.3%. Happily all of those are trending downwards except for Panama.

We should note that there are some other countries with a high blocked IP address percentage, such as Belize with 13.7%, but we don’t include them in our reports as they don’t have enough IP addresses in total to have a significant impact on world spam.

Figure 9

Emotional Appeals

Spammers using emotional appeals to trick users into installing malware

Following the arrest last fall of Dmitry Fedotov, alleged author of the Blackhole exploit kit, cybercriminals have reverted to a more old fashioned way of distributing malware: email spam that tricks the user into installing a trojan program on their computer. However, the new hooks are being used that have a large emotional impact, which the spammers hope may cause the victims to temporarily suspend their critical faculties.

In the US, we have seen large volumes of spam purporting to be a message from a funeral home announcing a memorial service for a friend.

The current version of this message uses the name and address of a real funeral home in Florida. Their phone has been ringing continuously with queries and complaints.

If you click on the link you will download a zip file. However the name of the file, and the name of the executable payload it contains, change based on the city that your IP address is located in. If you are in Chicago, for instance, you will get a file called FuneralCeremony_Chicago.zip. If you are foolish enough to download, unzip, and run this file, your computer will be part of an Asprox botnet, and your personal and financial credentials may be stolen.

Meanwhile in the UK, a spam email notified victims that a recent blood test showed that they might have cancer.

They are instructed to print the results and take them to their doctor. Of course, the attachment contains malware, rather than blood test results. Once again, the National Institute for Health and Care Excellence is a real organization, but they are not responsible for screening blood tests.

Finally, we are seeing another somewhat less emotive, but still pernicious, spam based malware attack. The victim receives an invitation to join an online casino, with a welcome bonus worth hundreds of euros.

However, when the victim goes to the casino web site, they are asked to download and run an executable file (containing malware) in order to access the casino’s games.

Cloudmark 14Q1 - Global Messaging Threat Report (879KB)

back to top

Cloudmark 14Q1 - Global Messaging Threat Report (879KB)

Cloudmark is a trusted leader in intelligent threat protection against known and future attacks, safeguarding 12 percent of the world's inboxes from wide-scale and targeted email threats.

With more than a decade of experience protecting the world's largest messaging environments, only Cloudmark combines global threat intelligence from a billion subscribers with local behavioral context tracking to deliver instant and predictive defense against data theft and security breaches that result in financial loss and damage to brand and reputation.

Cloudmark protects more than 120 tier-one service providers, including Verizon, Swisscom, Comcast, Cox and NTT, as well as tens of thousands of enterprises.

Site Map  •  Privacy Policy  •  ©2002–2018 Cloudmark, Inc.