Cloudmark’s 3Q 2014 Security Threat Report

This quarter we investigate knock-off designer goods pitched by way of Apple iMessage's first major spam campaign, examine the curious patterns of sub-domains generated for by DNS resource exhaustion attack, discuss the popular Peter Pan attack, and more trends in Cloudmark's Q3 2014 Security Threat Report. On-going since last quarter, iMessage has been hit with the single largest U.S. mobile spam campaign this year. On certain days, the daily volume was large enough to account for more than 80 percent of all reported mobile messages in the U.S. A bit of investigation into the spammer's methods revealed that, contrary to many scams that look to steal credit card information, actual merchandise was delivered.

Fake Michael Kors bag via iMessage spam Photograher: Dan Conway Shipped from Suzhou, China, a fake Michael Kors bag came with numerous and humorous defects that left it looking more akin to a child's toy purse than a high quality designer bag. The messages themselves also hailed from China with the majority of email domains being popular Chinese webmail services used to sign up for the perpetrating Apple IDs. In recent months, legal teams representing the various brands have taken notice and begun aggressive takedowns on the fake sites in question. The U.S. wasn't the only place hit with a improbable importers. The UK saw a string of emails delivering fake Peter Pan ticket receipts to victims -- an abnormal amount of which were to business addresses. The payload of these emails, masquerading as tickets to a local performance of Peter Pan, contained the Cridex trojan. Other trojans such as Dyre/Dyreza were also seen ramping up attacks this quarter. DNS traffic analysis at a major ISP also led to some interesting insight into the methods attackers used to increase bogus load. The attack used a technique involving unique sub-domains to sidestep name server caching and overburden the on the authoritative name servers at the ISP. An interesting pattern became clear. Only letters belonging to distinct sets were seen in each position within the sub-domain string - one set being the odd letters of the alphabet, the other being the even letters. So, the first character of the sub-domain would only ever be a, c, e, g, etc., while the second character would be b, d, f, h, etc. This continued for third, fourth and all subsequent positions. The resulting character frequency for each position in the sub-domains used by a single IP is shown below: Sub-domain Letter Frequency by Position Source: Cloudmark analysis of a large ISP’s DNS Traffic, May 2014

For more, please see Cloudmark's Q3 2014 Security Threat Report. In it, we take a much closer look at illicitly bloated DNS traffic, dive deeper into the methods and goods used by the iMessage spammers, discuss the spam situation in Russia, and more.