
Page 1: Cloudmark GTR 14Q2 v4dtreds.com/wp-content/uploads/2016/02/cloudmark-global...Cloudmark (0.16 percent) than the US (0.22 percent). However, Mexican ISPs are not doing enough to control


Cloudmark 14Q2

Global Messaging Threat Report April – June 2014

Highlighting spam and scam trends observed in SMS and email from April – June 2014

Raid Against UK Spammers

The Information Commissioner's Office (ICO), a UK regulator, took a large stride this quarter towards curbing the problem of mobile spam. Using intelligence from the GSMA Spam Reporting Service (SRS), powered by Cloudmark, ICO officials were able to raid the operations of an SMS spammer in Wolverhampton. On May 22nd, officials searched both offices and a residence connected with the spammer, seizing computer equipment and paperwork. From the hundreds of confiscated SIM cards, the ICO estimated that the SIM farm could have been responsible for 350,000 to over a million spam text messages. These types of SIM farms deploy large-scale devices that can accommodate upwards of 32 SIM cards at once, allowing spammers to send hundreds of SMS per second.

Below is a graph of the 7-day moving average for reported SMS spam in the UK. There was a slight increase immediately following the raid. We believe this is because the publicity for SRS generated by the raid caused increased participation in the system. However, the 7-day average number of reports then dipped to a minimum of 28 percent below that of the day of the ICO raid. During the four-week period following the raid, SRS received 17 percent fewer spam reports than in the previous month.

Unfortunately, SMS is an attractive medium for both spammers and malicious attackers. When one operation shuts down, others soon replace it, and law enforcement is ill-equipped to respond with the same speed with which these operations can spring up. While report levels took a downturn in the wake of the ICO raid, they appear to have begun rising again at the end of the quarter. If the spammers were hired by an outside group to deliver advertisements on their behalf, perhaps the outside group has found a new provider.

“This shows why reporting messages to us and your mobile network operator is so crucial. Without the reports we got through the 7726 system, we wouldn’t have been able to carry out this raid today.”

-Andy Curry, Enforcement Manager at the ICO

[Figure: Volume of Reported UK SMS Spam, 14Q2 (7-day moving average). Source: Cloudmark / GSMA]


Over the three months, several types of SMS spam in the UK saw peaks in volume. Most apparent among the changes was the significant – over 50 percent – drop in May for Accident Compensation offers peddled via text messages. However, it doesn’t appear to have been caused by the ICO’s action as volumes for this category plummeted two weeks prior. One category, insurance quote offers, seems to have disappeared entirely while several other types saw subtle dips in average volumes. The US also saw major swings in SMS spam this quarter but in the other direction. Advertising for counterfeit designer goods nearly tripled its share of the US reports each month, while phishing attempts, last quarter’s most common, fell to third.

[Figure: Monthly Percentage of the Top 5 UK Attack Types, 14Q2 (Apr, May, Jun). Series: Payday Loan Spam, Accident Compensation Spam, Debt Relief Scam, PPI Compensation Scam, Online Gambling Spam. Source: Cloudmark / GSMA]

[Figure: Monthly Percentage of the Top 5 US Attack Types, 14Q2 (Apr, May, Jun). Series: Auction / Sale Site Spam, Win Free Stuff Scam, Bank / Account Phishing, Product Promotion Spam, Payday Loan Spam. Source: Cloudmark / GSMA]


Florida's Junk Problem: Cruise Spam

For years, texts yelling "WE BUY JUNK CARS!" slammed mobile devices in parts of southern Florida in the US. Sent from within the area, these messages alone were enough to make the region one of the most prolific sources of spam in North America. Then, following legal action against the spammer, this Florida-based spam went quiet last November. Coincidentally, a perennial springtime spam favorite reemerged, hitting phones all across the country in record numbers – from south Florida. The new flood is actually an old and well-known form of spam: "free" cruise offers. This spring, however, the sheer volume of these free cruise ploys propelled the category to the number two spot overall in the US. This cruise spam campaign makes up about 70 percent of the Win Free Stuff Spam category and contributed just over 18 percent of all US SMS reports during the second quarter.

Like the junk car spam before it, these unwanted texts came almost entirely from within Florida. Over 88 percent of all free cruise SMS messages were from various area codes in Florida with most concentrated in the Miami area. Caribbean Cruise Line can be credited with purveying these offers. However, a very similarly named Celebration Cruise Line operates the actual cruise ship responsible for sailing to Grand Bahama, the destination for this cruise spam. Nothing in life is free, though. Victims are required to sit through hours of timeshare offers, from which Caribbean Cruise Line profits handsomely, prior to qualifying for the “Free” cruise. After this gauntlet of timeshare pitches, it’s revealed that the cruise isn’t all that free. Many victims report being charged a myriad of hidden fees for various reasons. The unclear terms and questionable tactics have netted the company hundreds of complaints with the Better Business Bureau.

[Figure: Top US Attack Types, 14Q2. Categories: Auction / Sale Site, Win Free Stuff, Bank / Account, Product Promotion, Payday Loan Spam. Source: Cloudmark / GSMA]

[Figure: 7-Day Moving Average of Cruise Spam, 14Q2. Source: Cloudmark / GSMA]


This is not surprising since the cruise ship actually departs from south Florida. Many of these messages prompted recipients to call varying numbers, but each number used was almost always the same as that of the sender, who was also using, again, a number from south Florida. It was interesting to watch as the spammer's methods devolved. Initially, 75-95 percent of all cruise spam reported each day used one common call-to-action (CTA) phone number. The frequency with which the spammer cycled these numbers and messages began to increase dramatically throughout the quarter as filters and aggressive number blocking by the carriers took a toll on the spammer's deliverability. In the face of further-increasing deliverability challenges, the sender began masking the CTA phone number in more colorful (and less readable) ways: first by spelling out numbers, and later by inserting random punctuation and misspellings, and even using Roman numerals.
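The masking styles described above are exactly what a carrier-side filter has to undo before it can match a CTA number against a block list. The following normaliser is an added example written for this page, not code from Cloudmark or the report; the digit-word vocabulary, the fuzzy-match cutoff and the sample SMS bodies are all constructed assumptions.

```python
import difflib
import re

# Digit spellings and Roman numerals a spammer may substitute for digits.
# The vocabulary is constructed for this example, not taken from the report.
WORD_DIGITS = {
    "zero": "0", "oh": "0", "one": "1", "two": "2", "three": "3", "four": "4",
    "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9",
}
ROMAN_DIGITS = {
    "i": "1", "ii": "2", "iii": "3", "iv": "4", "v": "5",
    "vi": "6", "vii": "7", "viii": "8", "ix": "9",
}
# Letter-only words or single digits; punctuation between them is simply skipped.
TOKEN_RE = re.compile(r"[a-z]+|\d")


def token_to_digit(tok):
    """Map one token to a digit, tolerating misspelled digit words; None if not a digit."""
    if tok.isdigit():
        return tok
    if tok in WORD_DIGITS:
        return WORD_DIGITS[tok]
    if tok in ROMAN_DIGITS:
        return ROMAN_DIGITS[tok]
    if len(tok) >= 4:  # short words such as "to" or "for" must not fuzzy-match "two"/"four"
        close = difflib.get_close_matches(tok, list(WORD_DIGITS), n=1, cutoff=0.8)
        if close:
            return WORD_DIGITS[close[0]]
    return None


def recover_numbers(text, min_digits=10):
    """Return every run of at least min_digits recovered digits (10 = a North American number)."""
    runs, current = [], []

    def flush():
        if len(current) >= min_digits:
            runs.append("".join(current))
        current.clear()

    for tok in TOKEN_RE.findall(text.lower()):
        digit = token_to_digit(tok)
        if digit is None:
            flush()  # any non-digit word ends the current run
        else:
            current.append(digit)
    flush()
    return runs


# Constructed SMS bodies mimicking the masking styles described in the report.
SAMPLES = [
    "FREE CRUISE! Call 1 800 555 0199 to claim your free cruise",
    "Call three zero five, five five five, zero one nine eight",
    "Kall now: III-0-V ... 5.5.5 ... zero one sevn eight",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(recover_numbers(sms), "<-", sms)
```

The recovered digit string, not the raw text, is what should be compared against the carrier's blocked-number list, so that the obfuscated variants of one campaign all collapse to the same key.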

Country Profile: Mexico

Unlike many of the countries we have featured in our quarterly country report, there appear to be no large-scale spam operations sending from Mexico. The spam that we do see coming out of Mexico is mostly from computers infected by Cutwail and other botnets. In fact, Mexico has a smaller percentage of its IP address space blacklisted by Cloudmark (0.16 percent) than the US (0.22 percent). However, Mexican ISPs are not doing enough to control botnet-infected machines, so Mexico is still a significant source of international spam.

It is interesting to compare Mexico with the cybercriminal syndicates operating out of Eastern Europe. Since the collapse of the USSR, an excellent educational system combined with a depressed economy has left many talented programmers looking for work, and the less principled have turned to crime just to make ends meet. In Mexico, talented young programmers have more access to US companies ready to sponsor them for H-1B visas, and the few Mexicans predisposed to a life of crime are likely to find drug smuggling far more profitable than credit card fraud.

The largest international recipient of spam from Mexico is the US, but spam is actually only 44 percent of the total email traffic that Mexico sends to the United States. This compares with 90 percent of the traffic from Russia, 80 percent of the traffic from Argentina and 64 percent of the traffic from Brazil. There is a large volume of legitimate email as well. Brazil and Australia also receive significant amounts of spam from Mexico, but with even lower spam percentages. Japan and Western Europe do not do so well, with 89 percent of the email from Mexico to Japan being spam, and 96 percent of the email from Mexico to Ireland.


Mexican ISPs have significantly different levels of outbound spam detected by the Cloudmark Global Threat Network, ranging from around 30 percent to 80 percent.

There are some fairly simple things that could be done to improve matters. Blocking the outbound ports 25 and 587 that are used by SMTP is one way. Alternatively, ISPs could pass those ports through a transparent SMTP proxy that applies policy- and content-based spam filtering. We hope that in future Mexican ISPs will be more aggressive in reducing spam traffic from compromised computers on their networks.
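As an added illustration of the two measures just described (not code from the report or from any ISP), the example below first spots the behaviour the policy targets, customer hosts opening direct SMTP connections to many distinct mail servers, from outbound flow records, and then emits the egress rules for the blocking option. The flow format, the relay address 198.51.100.5, the customer range 192.0.2.0/24, the threshold of three servers and the exception for the ISP's own relay are all assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed outbound flow records for a residential customer range; not real data.
SAMPLE_FLOWS = """\
2014-05-12T10:00:01 src=192.0.2.10 dst=198.51.100.5 dport=25
2014-05-12T10:00:02 src=192.0.2.10 dst=198.51.100.5 dport=25
2014-05-12T10:00:03 src=192.0.2.77 dst=203.0.113.11 dport=25
2014-05-12T10:00:03 src=192.0.2.77 dst=203.0.113.12 dport=25
2014-05-12T10:00:04 src=192.0.2.77 dst=203.0.113.13 dport=25
2014-05-12T10:00:04 src=192.0.2.77 dst=203.0.113.14 dport=587
2014-05-12T10:00:05 src=192.0.2.77 dst=203.0.113.15 dport=25
2014-05-12T10:00:06 src=192.0.2.42 dst=203.0.113.99 dport=443
2014-05-12T10:00:07 src=192.0.2.42 dst=203.0.113.20 dport=25
""".splitlines()

ISP_RELAY = "198.51.100.5"     # assumed address of the ISP's own outbound relay
CUSTOMER_NET = "192.0.2.0/24"  # assumed customer address range
SMTP_PORTS = (25, 587)         # the two ports named in the report
FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")


def parse_flow(line):
    """Extract source, destination and destination port from one flow record."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    return {"src": m.group(1), "dst": m.group(2), "dport": int(m.group(3))}


def direct_to_mx_senders(lines, relay=ISP_RELAY, threshold=3):
    """Hosts that opened SMTP connections to at least `threshold` distinct servers
    other than the ISP relay. A desktop talking to many mail servers directly is
    behaving like a spam bot; the returned value is the distinct-server count."""
    dests = defaultdict(set)
    for line in lines:
        flow = parse_flow(line)
        if flow and flow["dport"] in SMTP_PORTS and flow["dst"] != relay:
            dests[flow["src"]].add(flow["dst"])
    return {src: len(d) for src, d in dests.items() if len(d) >= threshold}


def egress_rules(relay=ISP_RELAY, subnet=CUSTOMER_NET):
    """iptables commands for the blocking option: customers may still reach the
    ISP relay, every other outbound 25/587 connection is logged and rejected."""
    rules = [f"iptables -A FORWARD -s {subnet} -d {relay} -p tcp --dport {p} -j ACCEPT"
             for p in SMTP_PORTS]
    for p in SMTP_PORTS:
        rules.append(f"iptables -A FORWARD -s {subnet} -p tcp --dport {p} "
                     f"-j LOG --log-prefix 'smtp-egress '")
        rules.append(f"iptables -A FORWARD -s {subnet} -p tcp --dport {p} -j REJECT")
    return rules


if __name__ == "__main__":
    print("suspect hosts:", direct_to_mx_senders(SAMPLE_FLOWS))
    print("\n".join(egress_rules()))
```

The LOG rule matters as much as the REJECT: the hits it produces are the list of infected customers the ISP should be notifying, which is the part of the problem the report says is not being done.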

[Figure: International Spam and Legitimate Email Volume from Mexican Organizations. Organizations shown: Uninet S.A. de C.V.; Mega Cable, S.A. de C.V.; Axtel, S.A.B. de C.V.; Cablevisión, S.A. de C.V.; Gestión de direccionamiento; Alestra, S. de R.L. de C.V.; Iusacell PCS de Mexico, S.A. de; Brasil Telecom Comunicação; Cablemas Telecomunicaciones SA; Iusacell; Maxcom Telecomunicaciones,; Television Internacional, S.A. de; Mexico Red de; Operbes, S.A. de C.V.; Marcatel Com, S.A. de C.V.; Axtel - Recursos WiMAX. Series: Spam, Legitimate. Source: Cloudmark Global Threat Network]

[Figure: Relative Volumes and Percentage Spam from Mexico to Other Countries. Spam share of email by destination: US 44%, Australia 32%, Japan 89%, UK 63%, Brazil 26%, Italy 78%, Germany 75%, Spain 79%, Ireland 96%. Source: Cloudmark Global Threat Network, 30-Day Sample]


Blocked IP Addresses by Country

At the end of this quarter, the US still remains the country with the most IP addresses blacklisted by Cloudmark, while Romania remains in second place. However, a dramatic increase in the blocked IP addresses in China may have them challenging Romania for the number two spot soon. We have seen a 70 percent growth in the number of blocked IP addresses in China over the past three months.

Russia continues to improve, and Germany continues to deteriorate. Currently, Germany has more than twice as many blocked IP addresses as Russia, when just four months ago they had the same number. As is often the case, just a few bad actors are responsible for most of the problems. Most German ISPs are well managed and have safeguards against spammers and botnet infections, so they have very few IP addresses we have to block. However, there are three hosting companies that have no safeguards against spamming and are responsible for 65 percent of all the blacklisted IP addresses in Germany.

[Figure: Volume of Blocked IP Addresses by Country, Jan-14 to Jun-14 (millions). Countries: USA, Romania, China, Germany, Russia, Belarus, Ukraine, Panama. Source: Cloudmark Global Threat Network]

[Figure: Percentage of IP Address Space Blocked by Cloudmark, Jan-14 to Jun-14. Countries: USA, Romania, China, Germany, Russia, Belarus, Ukraine, Panama. Source: Cloudmark Global Threat Network]


In terms of the percentage of IP address space blocked, Romania continues to hover around 20 percent, ahead of Panama, which dropped to less than 10 percent. The improving trend in Belarus has continued, and they are now down to less than 5 percent. Iran is also continuing to trend downwards and may well be replaced in fourth place by Vietnam or the Ukraine before long. We should note that there are some other countries with a high percentage of blocked IP addresses, such as Belize with 13.8 percent, but we don’t include them in our reports as they lack enough IP addresses in total to have a significant impact on world spam.

Heartbleed and eBay Breach in Spam

Heartbleed and eBay data breach publicity used as hooks by spammers

When computer security is in the news, spammers are not far behind, exploiting the publicity surrounding newly discovered bugs and data breaches to try to make computer security even worse. In Q2, there were several spam attacks that referred to the widely reported Heartbleed bug. However, instead of protecting themselves against the bug, victims who were taken in by these emails were likely to find they had installed a Trojan or had their login credentials stolen. Likewise, a spam attack referring to the eBay data breach had nothing to do with eBay and was simply an attempt to sell a questionable background check service.

One message, with the unlikely subject "Looking for Investment Opportunities from Syria", purports to be from a popular password management service. We also saw the same message with the more reasonable subject "Reminder: Change your passwords". It asks the user to run the attachment to provide further protection against Heartbleed. In fact, it installs a Trojan allowing the hackers to take control of the victim's computer. Apart from the subject, there are several warning signs that this email is not genuine, including a Yahoo! Mail address being used for the Reply-To along with errors in grammar and capitalization. References to Heartbleed were also used in phishing attacks (http://tech.firstpost.com/news-analysis/new-phishing-scam-exploits-heartbleed-fear-to-con-users-222657.html) and in attempts to lure the user to a malicious web site (http://www.allspammedup.com/2014/04/heartbleed-spam/).
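The warning signs listed above (a Reply-To on a different domain from the claimed sender, an executable the reader is asked to run, and a subject or body riding on a security news story) can be checked mechanically. The example below is added for this page and is not code from Cloudmark; the sample message, the placeholder domains passwordmanager.example and freemail.example, and the extension and hook lists are constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed message modelled on the lure described above; the domains and the
# attachment are placeholders, not a real sample.
SAMPLE_MSG = """\
From: Security Team <support@passwordmanager.example>
Reply-To: pm-support-desk@freemail.example
Subject: Reminder: Change your passwords
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain

Heartbleed bug Was found. Please Run the attached Tool to protect Your account.
--sep
Content-Type: application/octet-stream; name="heartbleed_fix.exe"
Content-Disposition: attachment; filename="heartbleed_fix.exe"
Content-Transfer-Encoding: base64

ZGVtbw==
--sep--
"""

RISKY_EXT = (".exe", ".scr", ".com", ".bat", ".js", ".jar", ".zip")
NEWS_HOOKS = ("heartbleed", "data breach", "change your password")


def domain_of(header_value):
    """Bare domain of an address header, lower-cased; '' when the header is absent."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()


def lure_indicators(raw):
    """Return the warning signs found in one message (an empty list means none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = []
    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        found.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            found.append(f"executable attachment {name}")
    body = msg.get_body(("plain",))
    text = (str(msg["Subject"] or "") + " " + (body.get_content() if body else "")).lower()
    hooks = [h for h in NEWS_HOOKS if h in text]
    if hooks:
        found.append("security-news hook: " + ", ".join(hooks))
    return found


if __name__ == "__main__":
    for sign in lure_indicators(SAMPLE_MSG):
        print("-", sign)
```

A single indicator is weak on its own (many legitimate newsletters set a different Reply-To), which is why the function returns all of them and leaves the scoring to the caller.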

[Figure: Percentage of IP Address Space Blocked by Cloudmark, end of 14Q2. Countries: Romania, Panama, Belarus, Ukraine, Russia, Germany, China, USA. Source: Cloudmark Global Threat Network]


The eBay data breach was also used in at least one spam attack. The messages implied that the recipient might be the victim of identity theft resulting in false arrest records. The call to action URL redirected to a background check service called Instant Checkmate. This business had been around since 2012 but had generated numerous consumer complaints. They are said to imply that they have an arrest record for an individual when all they have is a postal address, tricking consumers into signing up for their paid service. There are also complaints that customers who believe they were paying a one-time fee found a recurring monthly charge on their credit card. As a general rule, email users should be particularly careful after any well-publicized computer security problem, not just because of the problem itself, but also because of the spammers who will try to take advantage of it.


About Cloudmark

Cloudmark builds messaging security software that protects communications service provider networks and their subscribers against the widest range of messaging threats. Only Cloudmark Security Platform™ delivers instant security and control across diverse messaging environments, enabling communications service providers to create a safe user experience, protect revenue and safeguard their brand, while streamlining infrastructure and reducing operational costs. Cloudmark's patented solutions protect more than 120 tier-one customers worldwide, including AT&T, Verizon, Swisscom, Comcast, Cox and NTT.

Cloudmark Headquarters: 128 King Street, Second Floor, San Francisco, CA 94107. Telephone: +1-415-946-3800. Fax: +1-415-543-1233. Email: [email protected]

Cloudmark Europe, Ltd: Davidson House, Forbury Square, Reading, RG1 3EU, United Kingdom. Email: [email protected]

Cloudmark Labs: 41 Boulevard des Capucines, 75002 Paris, France. Telephone: +33 (1) 80 48 08 20. Fax: +33 (1) 45 26 18 10. Email: [email protected]

Cloudmark Singapore: 3 Temasek Avenue, Centennial Tower, #21-07, Singapore 039190. Telephone: +65 6549 7845. Email: [email protected]

Cloudmark Japan: Hibiya Central Bldg. 14F, 1-2-9 Nishi-Shinbashi, Minato-ku, Tokyo 105-0003, Japan. Telephone: +81 (0)3 5532 7636. Fax: +81 (0)3 5532 7373. Email: [email protected]