Cloudmark 2Q13 Global Messaging Threat Report, April – June 2013

Compromised Accounts & Waistlines

Island cruise giveaways tempt U.S. mobile users during the hot summer months

As seasons change, so too do the pitches spammers utilize to hook victims. Blistering heat in the northern hemisphere seems to have fueled waves of summer-themed SMS spam. These campaigns have peddled free cruise getaways to the Bahamas. Others have begun to offer dieting tips to help beachgoers fit into that new swimsuit.

Figure 1

Alongside these cruise and diet tip ploys are a number of other spam campaigns tweaked ever so slightly to mention the summer season and its heat. Pictured above in Figure 1, various forms of spam tailored to summer constituted more than 10% of all SMS spam for a majority of days in the second quarter. April, synonymous with the Spring Break holiday in the U.S., saw a large spike in cruise spam specifically. As time passed, the levels of these summertime messages rose steadily to peak above 20% of daily SMS spam volumes.

SMS phishing attempts plagued mobile subscribers in 2Q13. Meanwhile, spammers continue to peddle affiliate-driven ‘Adult Content’ spam

Furnishing 10% of the quarterly volume, Payday Loan spam continued to inundate both the U.K. and U.S. Unfortunately, Bank / Account Phishing, arguably the most malicious category of SMS spam, tops the chart with a 22% share of the volume. Notably absent this quarter are gift card scams; it seems that the FTC action in March had a lasting effect on this archetype of SMS spam. Summer-themed diet pill campaigns also propelled the Pharmacy / Meds spam category into the top 10 with 6% of the quarter’s volume.

Figure 2

The top 5 categories of 2Q13 are plotted in Figure 3 with their associated monthly volumes. SMS phishing attempts held consistently at or above 20% of SMS spam volume each month. Despite falling four points over the quarter, adult-oriented spam still contributed significantly more than the next largest category. That category, Win Free Stuff Scams, plummeted in May, losing 60% of its April volume.

Figure 3

June saw a sharp, concurrent rise in both diet spam using hacked domains and phishing attempts aimed at swiping online credentials

The following figure illustrates each month’s percentage of spam that was labeled as diet spam. From May to June, its monthly volume more than tripled to become 12% of all reported SMS spam.

Currently, all messages tailored around this diet theme have a common thread. Each message provides a shortened URL linking to the promised diet tips and suggested pills. Often, these URLs redirect the user to compromised websites. With a plethora of hacked sites at their disposal, spammers are able to keep their URLs fresh. Using these fresh URLs also helps keep spam message bodies fresh to avoid blocking and filtering.

Figure 4

Attackers seem to be supplementing their portfolio with account phishing attempts this quarter. Figure 5 shows that phishing surged in the second half of the quarter: on June 14th, 25% of all reported SMS spam consisted of this type, and it peaked again on the 22nd. Traditionally, spammers have favored bank phishing due to the direct, lucrative reward. Recently, however, phishers have diversified their attacks with efforts to steal email, mobile, and social media accounts. These accounts can then be used directly to skim sensitive personal and banking information. Indirectly, the stolen credentials can also be used against other, more valuable online services if the user reuses the same login.

Figure 5

Hacked Web Hosting Accounts: The New Botnets

60% of hacked domains still under control of spammers one month after compromise

In the second quarter Cloudmark saw a dramatic increase in the number of compromised web hosting accounts used by spammers.

Figure 6

Web hosting accounts are an attractive target for hacking. Though there are fewer of them to exploit than traditional PCs, they are available 24/7, have a high-bandwidth connection to the Internet, and are often running outdated software with known vulnerabilities that are trivial to exploit. We are seeing evidence that hacked hosting accounts are now a commodity. The same accounts are being used by different spammers, so we believe that one or more criminals are specializing in compromising these accounts and renting them out as a service to a collection of miscreants.

The most common use of compromised web hosting accounts is to provide an endless supply of new URLs in spam emails. This is done by placing HTML or PHP files on the victim’s web site which then redirect to the spammer’s own landing page. Each individual compromised account may have hundreds of different redirector URLs placed on it by several different spammers. Compromised accounts can also be used to send spam via the hosting company’s mail servers using the PHP mail function, and to host the spammer’s landing page directly. We have seen pornographic landing pages hidden on many types of innocent web sites, including law offices, schools and churches.
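The redirector files described above are the artifact a hosting provider can look for on its own servers. The following scanner is an added example, not Cloudmark's tooling or anything the report describes: it walks a web root, pulls the target URL out of the three usual redirect forms (a PHP `header("Location: ...")`, an HTML meta refresh, and a JavaScript `location` assignment), and reports only files that send visitors to a host other than the site's own. The directory layout, file contents and hostnames (`example-law.test`, `diet-pills.example` and so on) are constructed for the demonstration.

```python
"""Find dropped redirector files in a web root (added example, not Cloudmark code)."""
import os
import re
import tempfile
from urllib.parse import urlparse

# The three redirect forms a dropped file typically uses. Assumption: the
# spammer's redirector points at an absolute http(s) URL, which is what we capture.
REDIRECT_PATTERNS = [
    ("php-header", re.compile(
        r"""header\s*\(\s*['"]Location:\s*(https?://[^'"\s]+)""", re.I)),
    ("meta-refresh", re.compile(
        r"""<meta[^>]+http-equiv\s*=\s*['"]?refresh['"]?[^>]*url\s*=\s*['"]?(https?://[^'"\s>]+)""", re.I)),
    ("js-location", re.compile(
        r"""(?:window\.)?location(?:\.href)?\s*=\s*['"](https?://[^'"]+)['"]""", re.I)),
]
SCAN_EXTENSIONS = {".php", ".phtml", ".html", ".htm"}


def find_redirectors(web_root, own_hosts):
    """Return sorted (relative_path, kind, target_url) for every file that redirects off-site."""
    findings = []
    own = {h.lower() for h in own_hosts}
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCAN_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            for kind, pattern in REDIRECT_PATTERNS:
                for match in pattern.finditer(text):
                    target = match.group(1)
                    host = (urlparse(target).hostname or "").lower()
                    # A redirect to the site's own hostname is normal; anything else is reported.
                    if host and host not in own:
                        findings.append((os.path.relpath(path, web_root), kind, target))
    return sorted(findings)


# Constructed sample web root: a legitimate site plus three planted redirectors.
SAMPLE_FILES = {
    "index.php": "<?php echo 'Welcome to the law office'; ?>",
    "contact.html": '<a href="https://example-law.test/contact">Contact us</a>',
    "about.php": "<?php header('Location: https://example-law.test/about/'); ?>",  # on-site, benign
    "images/ds.php": '<?php header("Location: http://diet-pills.example/go?a=77"); exit; ?>',
    "wp/cache/x1.html": '<meta http-equiv="refresh" content="0;url=http://cruise-deals.example/win">',
    "js/go.htm": "<script>window.location.href='http://adult-landing.example/'</script>",
}


def build_sample_root():
    """Write the constructed sample tree into a temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="webroot_")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def scan_sample():
    """Build the sample root and scan it, treating example-law.test as the site's own host."""
    return find_redirectors(build_sample_root(), own_hosts=["example-law.test"])


if __name__ == "__main__":
    for rel_path, kind, target in scan_sample():
        print(f"{rel_path}: {kind} -> {target}")
```

Run against a real account, the allowlist in `own_hosts` should contain every hostname the site legitimately serves; the scan reports `images/ds.php`, `wp/cache/x1.html` and `js/go.htm` from the sample tree and ignores the on-site redirect in `about.php`. Files that were modified recently, or that sit in directories the application never writes to (image folders, caches), deserve the closest look.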

Spammers do not need root access to the account in order to take advantage of it. All they need is a PHP shell, and they exploit a number of different vulnerabilities in order to obtain this access. By far the most common technique at the moment, accounting for 60% of all compromised accounts, is an SQL injection attack in Joomla 1.5, which allows a reset of the admin password. This bug was patched in 2008, but many web sites have not updated their Joomla version since then.

Once an account is hacked, it typically remains under the control of spammers for a long time. As the chart below shows, only 12% of hacked hosting accounts are detected and fixed within the first week and over 60% are still compromised after the first month has passed.

Figure 7

To assist in remediation, Cloudmark will be happy to provide hosting companies with a current list of compromised domains on their servers. Contact inquiry@cloudmark.com with your ASN(s) or CIDR blocks.

Blocked IP Addresses By Country

At the end of the second quarter, Romania still holds first place for the number of IP addresses blocked by Cloudmark. Yet the US is closing the gap, and Belarus has shot into first place in the percentage of IP address space blocked. Our 1Q13 threat report noted that decreases in the number of blocked IP addresses from Romania were being matched by increases from Belarus and Russia. This trend continued through April and May, but in June we saw a reversal, with Romania showing a slight uptick while Russia and Belarus decreased. Spammers will always follow the path of least resistance. It is possible that hosting companies in Russia and Belarus realized spammers were exploiting them and tightened up their security, forcing the spammers back to less selective hosting companies in Romania.

Figure 8

In percentage terms, Belarus is the leader, with 27.4% of its total IP address space blocked. Romania is currently at 22.3%. Though the number of blocked IP addresses in the US is approaching that of Romania, the US blocked percentage is only 0.2%, as the US has far more IP addresses allocated than Romania.

Figure 9

Country Profile: Brazil

With the seventh largest economy in the world and no anti-spam laws, Brazil is a major target for spammers. However, the vast majority of spam sent to Brazilian customers is simply unsolicited advertising for legitimate products and services. Many Brazilian businesses regard cramming millions of mailboxes with unwanted advertisements for their products as a cheap alternative to print, TV or web based commercials.

Cloudmark’s spam filtering system is based on feedback from spam traps and trusted users. If we receive enough reports that a particular email is spam, then emails with the same fingerprint will be flagged as spam. Email marketing companies using well-managed, opt-in mailing lists will get only 5% to 10% of the emails they send flagged as spam by our system. In Brazil, the better email marketers get 30% to 60% of their outbound email flagged as spam by Cloudmark, and the less careful ones hit 90% to 100%. Because of the flood of unsolicited marketing email, Brazilian consumers seem perfectly happy to have newsletters from major brands sent directly to their spam folder. By comparison, in the US the CAN-SPAM legislation forces email marketers to use opt-in mailing lists and to honor unsubscribe requests, so consumers expect to see the legitimate marketing communications they do receive in their inbox rather than their spam folder.
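To make the feedback mechanism concrete, here is an added, deliberately simplified model of it; it is not Cloudmark's fingerprinting algorithm, whose details the report does not give. Each message is normalized (lowercased, URLs and digit runs replaced by tokens, whitespace collapsed) and hashed to a fingerprint; reports from spam traps and users add trust-weighted votes to that fingerprint, and once the votes cross a threshold every message with the same fingerprint is flagged. The normalization step also illustrates why the "fresh URL" trick from the diet spam section only works against filters that hash the raw text: the three sample messages differ only in their short URL and the number of pounds, yet collapse to one fingerprint. The reporter identities, trust weights, threshold and sample messages are all constructed.

```python
"""Feedback-driven fingerprint filter (added example; a simplified model, not Cloudmark's system)."""
import hashlib
import re
from collections import defaultdict

URL_RE = re.compile(r"https?://\S+", re.I)
DIGITS_RE = re.compile(r"\d+")
SPACE_RE = re.compile(r"\s+")


def fingerprint(body):
    """Hash a normalized form of the message so trivially mutated copies share one fingerprint."""
    text = body.lower()
    text = URL_RE.sub("<url>", text)   # a rotated redirector URL no longer changes the hash
    text = DIGITS_RE.sub("#", text)    # prices, weights, order numbers, phone digits
    text = SPACE_RE.sub(" ", text).strip()
    return hashlib.sha256(text.encode("utf-8")).hexdigest()[:16]


class FeedbackFilter:
    """Accumulate trust-weighted spam reports per fingerprint and flag once a threshold is met."""

    def __init__(self, threshold=3.0, trust=None, default_trust=0.5):
        self.threshold = threshold
        self.trust = trust or {}          # reporter id -> weight (assumed values, constructed)
        self.default_trust = default_trust
        self.scores = defaultdict(float)
        self.reporters = defaultdict(set)

    def report(self, reporter, body):
        """Record one spam report; a reporter may vote only once per fingerprint."""
        fp = fingerprint(body)
        if reporter in self.reporters[fp]:
            return fp
        self.reporters[fp].add(reporter)
        self.scores[fp] += self.trust.get(reporter, self.default_trust)
        return fp

    def is_spam(self, body):
        return self.scores.get(fingerprint(body), 0.0) >= self.threshold


# Constructed sample messages, modelled on the summer diet theme; not real campaign text.
VARIANTS = [
    "Lose 30 lbs before summer! Secret diet tips at http://bit.ly/a8Xq2",
    "Lose 25 lbs before summer!  Secret diet tips at http://t.co/Zz91k",
    "LOSE 40 LBS BEFORE SUMMER! Secret diet tips at http://example-hacked.test/go.php",
]
LEGIT = "Your appointment is confirmed for Tuesday at 3pm. Reply STOP to opt out."


def demo():
    """Return (flagged after one trap report, flagged after trap + trusted user, legit flagged)."""
    flt = FeedbackFilter(threshold=3.0, trust={"spamtrap-1": 2.0, "user-alice": 1.0})
    flt.report("spamtrap-1", VARIANTS[0])          # score 2.0: below threshold
    before = flt.is_spam(VARIANTS[2])
    flt.report("spamtrap-1", VARIANTS[1])          # same reporter, same fingerprint: ignored
    flt.report("user-alice", VARIANTS[1])          # score 3.0: threshold reached
    after = flt.is_spam(VARIANTS[2])
    return before, after, flt.is_spam(LEGIT)


if __name__ == "__main__":
    print("shared fingerprint:", fingerprint(VARIANTS[0]))
    print("before, after, legit:", demo())
```

The one-vote-per-reporter rule and the trust weights are what keep a single abusive reporter from getting a competitor's newsletter blocked; real systems also decay old votes and weight a reporter by how often their past reports agreed with the consensus, which this model omits.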

Though the majority of the spam sent to Brazil is coming from Brazilian email marketing companies working on behalf of Brazilian corporations, most of the emails do not originate there. France sends more spam to Brazil than is sent from Brazil itself, and the US is not far behind. This is simply because it is cheaper to rent the servers and bandwidth in these countries. However, this can backfire on the hosting companies, as some or all of their IP address space may be blocked by spam filtering companies and their legitimate customers will be unable to send email. For example, Hostwinds LLC currently has 75% of their total IP address space blacklisted by Cloudmark as Brazilian spammers are using them heavily.

Brazil receives about ten times as much spam from other countries as it sends to them. Most of the outbound spam from Brazil is typical botnet traffic and the majority ends up going to the US. We don’t see any large-scale illegal spam operations based in Brazil. A Brazilian with the capability of sending bulk email is better off sending legal spam to Brazilians than sending illegal spam to other countries.

Figure 10

Is there any hope for improvement in Brazil’s advertising spam deluge? Brazilian ISPs are beginning to provide feedback-based spam filtering. If this becomes the norm in Brazil, email marketers will be forced to adopt a reasonable code of practice in order to guarantee deliverability.

Cloudmark 2Q13 - Global Messaging Threat Report (1.2MB)



Cloudmark is a trusted leader in intelligent threat protection against known and future attacks, safeguarding 12 percent of the world's inboxes from wide-scale and targeted email threats.

With more than a decade of experience protecting the world's largest messaging environments, only Cloudmark combines global threat intelligence from a billion subscribers with local behavioral context tracking to deliver instant and predictive defense against data theft and security breaches that result in financial loss and damage to brand and reputation.

Cloudmark protects more than 120 tier-one service providers, including Verizon, Swisscom, Comcast, Cox and NTT, as well as tens of thousands of enterprises.
