
Cloudmark Blog

Intelligence Briefings from the War on Spam

Archive for the ‘7726’ Category

Three mobile network operators taken to court for SMS spam


Friday, May 10, 2013 by Chris Barton

The Chilean national consumer protection service Sernac has reportedly taken three mobile operators to court over sending SMS spam about contests and sweepstakes. As a result of the study they carried out between Dec 2012 and Feb 2013, the three networks are potentially facing fines totaling $86 million.

A Google translation indicates that the reports state the networks failed to provide an opt-out, failed to indicate costs clearly, or failed to state the dates and other terms of the offers advertised.

There is an excellent release from the consumer protection agency; note the box at the bottom with the summary of the legal issues involved: (Google translate) Delivery of Advertising: Sernac justice denounced Claro, Movistar and Entel for not respecting the Rights of Consumers.  [ News, more news ]

This isn’t just a local phenomenon. We estimate SMS spam levels to be hitting 575M/day globally and there are other groups actively taking action already.  In the US the FTC are prosecuting 29 defendants for SMS spam.  In the UK the consumer group Which? are campaigning for action on shady SMS marketing and are calling for a taskforce to address it, meanwhile the ICO have issued substantial fines to SMS spammers touting shady PPI schemes.   

I’m all for a decent dose of vigilante consumerism but I have to say I’m a little sceptical right now. It will be interesting to see in the Chilean case if these show guilt on the part of the operators or find that third party marketing companies were actually at fault, but either way, that’s what I call a LART.

Finally, you can of course do your bit to help prevent SMS spam by forwarding the message to 7726.

2013’s First Quarter at a Glance


Wednesday, April 17, 2013 by Cloudmark

With the close of 2013’s first quarter, we’ve released our Q1 2013 Global eMessaging Threat Report detailing a myriad of SMS and IP spam statistics, trends and observations from the past three months. Paramount among them is a set of allegations leveled by the Federal Trade Commission (FTC). These filings contended that the defendants were responsible for collectively sending more than 180 million gift card themed scam SMS messages.

Subscriber reports to the GSMA Spam Reporting Service, 7726, shed a clear light on the potency of this regulatory move as daily volume rates for these scams plummeted. Below is a daily tracker illustrating the impact of the FTC regulations on the daily volume of SMS gift card scams. Earlier in the quarter, we were seeing gift card scam volumes peaking above 50% of all reports in a given day. Soon after the FTC announcement, the same scams plummeted below 10% of each day’s volume.  A similar trend was seen more macroscopically. In 2012, these scams constituted 44% of all SMS spam reported during the year. This has fallen dramatically in 2013 with only 6% of March’s volume being gift card scams.

We saw growth in other attack categories over this quarter.  The figure below shows Job Listing Scam’s monthly volume share rose by 400% over the quarter. Similarly, Adult Content Spam doubled its share from 8% to 16%.

 

Meanwhile, the SpamSoldier Android botnet and other older botnets were linked to several Panamanian services. These services provided registration mechanisms for rogue online pharmacies, domains for the SpamSoldier botnet, and anonymous hosting for botnet Command and Control servers. More details about these Panamanian services along with further analysis of SMS and email spam trends in Q1 2013, can be found in our quarterly report.

FTC charges 29 defendants for sending 180 million spam text messages


Thursday, March 07, 2013 by Angela Knox

Today the Federal Trade Commission (FTC) announced that they have charged 29 defendants with collectively sending 180 million unwanted text messages.

The text messages advertised “Free” Gift cards or prizes from major retailers such as Best Buy, Walmart and Target.  However, consumers who clicked on the links contained in the text messages were required to provide personal information and to sign up for other “offers” in order to be eligible and then also had to sign up other people for these offers.

Because the consumers who were receiving these text messages had not signed up to receive these messages, many people reported the messages as spam to the 7726 short code which is offered by the major US mobile carriers through the GSMA Spam Reporting Service, powered by Cloudmark.

7726 data highlights that the FTC has chosen to strategically go after the largest source of SMS spam in the US.  Gift Card spam has consistently been the largest category of SMS spam complaints in the US over the course of 2012.  For five months of the year it was over 50% of the volume being reported to 7726 and for 11 of the 12 months it was higher than any other category.  The only month where it dipped was October when there was a spike in bank phishing text messages.  The graph below shows the monthly percentage of spam reports which were gift card messages.

[Figure: monthly percentage of 7726 spam reports that were gift card messages]

In contrast during February this year, there was a dramatic drop in Gift Card spam that started around Feb 20th.  We can’t know for sure if the drop off was caused by the FTC’s action, but it is a significant drop from being regularly over 50% of the reports, to under 10% of the reports for the last 3 days.  It will be interesting to watch the numbers going forward to see if they stay down, or whether the spammers will find new ways to send the spam or whether new spammers will take the place of the old ones, in order to keep traffic going to these sites.

 

[Figure: daily percentage of 7726 spam reports that were gift card messages]

 

To view the data another way, here are the main types of spam attacks reported during 2012.  Receive a Gift Card spam was 44% of all the spam reported in 2012:



[Figure: types of SMS spam reported in 2012]

In contrast in the first few days of March 2013, Receive a Gift Card spam has only been 7% of all the spam reported:

[Figure: types of spam reported in March 2013]

 

The agility of the FTC in going after the major source of SMS spam is impressive.

Spam that advertises free gift cards isn’t new. These posts from 2011 (Spam or Not Spam) and last year (Olympic gift cards with a shot of Starbucks) highlight gift card spam being sent to email recipients.  Because the spammers can get paid by the operators of the gift card websites, their incentive to send spam and get users to the website is high and they will look for the easiest, cheapest and most effective way to advertise and send traffic to their website, whether that’s via email, SMS or social networking.

One tactic we’ve seen the Gift Card spammers using lately is links hosted by URL Shortening websites, which redirect through the shortener link to the website that will try to collect the user’s personal information and sign them up for the various offers in the hopes of gaining the elusive gift card.

However, targeting mobile consumers is much more intrusive and has additional costs when compared to email spam, because people carry their mobile phones with them throughout the day and many people still have to pay a per message cost for every SMS they receive.  Therefore it’s gratifying to see the FTC going after these spammers.

Fighting spam is a collective effort.  The more ways that the cost of sending the spam can be increased, the less likely the spammer is to send that type of spam.  When the URL Shortening websites take action to make it harder for spammers to use their services this also helps decrease the spam.  And when legal action is taken against a spammer, it can often deter both that spammer and the other spammers who see the legal action being taken as they take the cost of the legal action into account.

 

Does fining spammers help?


Monday, February 11, 2013 by Andrew Conway

One of the most common sorts of SMS spam in the UK relates to Payment Protection Insurance or PPI. Because of unethical selling practices by the loan industry, many UK consumers can claim thousands of pounds in compensation, and private companies who assist them in claiming that compensation (for a fee) are willing to pay well for sales leads, and are not too scrupulous about how they are gathered. Here’s a couple of examples from today’s reports.

Hi, your PPi claim still owes you 1702.43 from when it was mis-sold to you, it’s in your name waiting to be sent to you . To get it sent out today reply PPi

Unsure if you qualify for a refund of upto 7000 in mis-sold PPI paid on a loan or credit card? Reply PPI and we will run a no obligation check or reply STOP

At the end of November 2012 the Information Commissioner’s Office (the body responsible for taking action against SMS spam in the UK) fined the two owners of Tetrus Telecoms a total of £440,000 (US$690,000) for sending PPI spam. The two men in question, Christopher Niebel and Gary McNeish, are currently resident in Thailand, so the ICO may not have the easiest job collecting the fine. Of course, the spammers had long known that they were under investigation. Their office in Stockport was raided by law enforcement in August 2011 and Niebel’s Manchester home was raided in February 2012.

I decided to take a look and see if the publicity surrounding the fine had any impact on the volume of PPI spam in the UK. The answer is some, but not as much as you might hope.

[Figure: PPI Spam]

December and January levels for PPI SMS spam were significantly down from the big spike in October and November, but were about at the levels we saw in August and September, and higher than we saw for most of last year.

This shows that regulation and legal action are not in themselves enough to prevent SMS spam. So long as spammers can make enough in the year or two it takes to investigate and prosecute them to retire to another country, fines, however substantial, are not a sufficient deterrent. Only by effective policy based management and content based filtering can we reduce the success rate for spammers and remove the economic incentive to spam.

If you receive SMS spam you can report it by forwarding to 7726 (that’s S-P-A-M on your phone keypad) in the US and on some UK carriers. (Use 87726 for Vodafone and 37726 for customers of Three UK).

SMS Sex Spammer Fails Turing Test


Friday, January 18, 2013 by Andrew Conway

Sometimes I love my job. How cool is it to run a Turing Test for real? But first, the back story…

For a while now we’ve been receiving SMS spam reports for a three stage attack. This starts with an SMS text message conversation, moves to Yahoo! Messenger or Skype and ends up on the web. The first contact is a text message using the recipient’s correct first name and saying something like:

Hello Mark u there?? Have not heard from u in a while

The spammer is using the victim’s real first name. We believe that and the phone number were collected by data mining social networks. When the victim responds asking who is sending the message they get a reply which is a variation on:

Who are you?

haha if u want to know who this is u got to addd me on Yahoo messenger, my id is XXXXXXXXXX

If the victim tries to continue the conversation it goes like this:

No, really, who is this?

omg my phone is gonna run out of battery. just talk to me on yahoo ;-)

Of course, the Research team at Cloudmark could not wait to find out who this person was who had managed to lose touch with so many thousands of people and incidentally seemed to collect Yahoo! and Skype accounts like other people collect pennies in a jar. We sent Yahoo! Messenger friend requests to a few of the ids in recent messages. Chris got the first response, but I think mine was better. I started by channeling my inner horny college student, but pretty soon the inner computer scientist took over.

[Figure: Turing Test]

Clicking the accept button on the landing page opens two browser windows, one to an adult dating site and one to a web cam site. The web cam site is one of over a thousand URLs owned by a company in Seattle. They all have the same content, and their affiliate program pays $40 to the spammer for any person who signs up for the free service, on the assumption that they will be able to extract more money out of them later. The dating site pays the spammer $5 for each visitor, or $75 if the visitor signs up. People who sign up can only hope that the “SEXY SINGLES IN YOUR AREA” on the dating site are more real than the sex crazed robot trying to drum up business, but somehow I doubt it.

At this point Chris decided to have some fun with the bot (everyone has to have a hobby). He found that it doesn’t care about money, but does react to the word “scam”.

[Figure: Chris vs bot]

If you do get a text message from a sexy spambot, or any other SMS spam, remember to forward it to 7726 (SPAM on most phone keypads) so that we can help your phone company block these messages.

Android SMS Spambot Update


Tuesday, December 18, 2012 by Andrew Conway

Yesterday we told you about an Android trojan used to send SMS spam. Currently, the versions of this malware being distributed by the spammer are:

  • angrybirds.apk MD5 = a0e7a47c6b3582f9c9a4c5166eb0eace
  • gtavicecity.apk MD5 = a8de900d9ff269455f4344b8e8409699
  • needforspeed.apk MD5  = c18bc53d74e8a6926453a8c86355501a

The Command and Control server has moved to pinktrash.mobi, though imperialistic.mobi is still functional for the handsets infected with the older versions of the trojan.

Lookout Mobile Security have published an interesting blog post on this attack, which they call SpamSoldier. They discuss the techniques used to escape detection. Firstly the app attempts to remove its icon, so that you will not be aware that it is even there. It also attempts to block incoming messages unless they are from someone on your contacts list. This prevents the people your phone is spamming from complaining to you about the spam they received.

So, if you do get SMS spam, don’t bother replying  STOP to the sender, just forward that message to 7726 (that’s S-P-A-M on your keypad). Replying STOP will only work for commercial contacts from legitimate companies.

We’re continuing to monitor this attack, so watch the blog, or add it to your RSS feed, if you want to keep up to date.

 

 

 

 

Android Trojan Used To Create Simple SMS Spam Botnet


Sunday, December 16, 2012 by Andrew Conway

A new crop of trojan mobile applications are demonstrating simple mobile botnet behavior, leveraging infected handsets to spread spam and invitations for other users to download the infected apps. This new evolution of malicious mobile applications is presently being monitored by the Cloudmark mobile security research team who had been investigating a strong uptick in mobile originated spam over the past week.

A random invitation received via SMS to download a free version of a popular Android game like The Need for Speed Most Wanted or Angry Birds Star Wars may seem enticing, but as your intuition may hint, the offer is oftentimes too good to be true.   If you do download this “spamvertised” application and install it on your Android handset, you may be unknowingly loading a malicious software application on your phone which will induct your handset into a simple botnet, one that leverages the resources of your mobile phone for the benefit of the malware’s author.  In the case of this latest batch of SMS sending malware that the Cloudmark Research team has been monitoring, your phone will be used to silently send out thousands of spam SMS messages without your permission to lists of victim phone numbers that the malware automatically downloads from a command and control server.  You had better have an unlimited message plan or your phone bill may come as a bit of a shock.

The trojan apps were downloaded from sites on a server in Hong Kong offering free games. They claimed to be copies of popular games including the ones I mentioned.

Don’t do it!

Of course you have to jump through some hoops to install an Android app from a random web site rather than Google Play.

Don’t do this, either

Then you have to grant permission to the app to do all sorts of things that no Angry Bird should ever need to do, like surfing the web and sending SMS messages, but not many people read the fine print when installing Android applications.

Once installed, the trojan initiates a connection to a command and control server. The C&C server replies with both a list of spam target phone numbers and the message payload to deliver.  After the payload is retrieved, the application duly starts SMS spamming, reporting back to the C&C server on each message sent.

The zombie communicates with the C&C server using HTTP. Typically a message and a list of fifty numbers are returned. The zombie waits 1.3 seconds after sending each message, and checks with the C&C server every 65 seconds for more numbers. The application reloads automatically after a reboot as it installs itself as a service on the handset.
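The pacing described above gives a network-side detection signal. The following is an added example, not Cloudmark's code: it scans constructed send records for handsets whose messages go out about 1.3 seconds apart and whose identical bodies reach fifty or more recipients. The record layout, thresholds and phone numbers are assumptions.

```python
from collections import defaultdict

# Timing and batch values as described in the post.
SEND_GAP = 1.3    # seconds the zombie waits after each SMS
BATCH_SIZE = 50   # numbers typically returned with one message
POLL_EVERY = 65   # seconds between check-ins with the C&C server


def paced_fraction(times, tol=0.3):
    """Share of consecutive send gaps within tol seconds of SEND_GAP."""
    times = sorted(times)
    gaps = [b - a for a, b in zip(times, times[1:])]
    if not gaps:
        return 0.0
    return sum(abs(g - SEND_GAP) <= tol for g in gaps) / len(gaps)


def analyze(records, min_paced=0.8):
    """records: iterable of (sender, unix_ts, recipient, body_id).

    A sender is suspect only when both signals hold: machine-like pacing
    and at least one body delivered to BATCH_SIZE or more recipients.
    The record layout and min_paced threshold are assumptions.
    """
    by_sender = defaultdict(list)
    for sender, ts, rcpt, body in records:
        by_sender[sender].append((ts, rcpt, body))
    findings = {}
    for sender, rows in by_sender.items():
        rcpts_per_body = defaultdict(set)
        for _, rcpt, body in rows:
            rcpts_per_body[body].add(rcpt)
        batches = sum(len(r) >= BATCH_SIZE for r in rcpts_per_body.values())
        paced = paced_fraction([ts for ts, _, _ in rows])
        findings[sender] = {
            "messages": len(rows),
            "paced_fraction": round(paced, 2),
            "batch_like_bodies": batches,
            "suspect": paced >= min_paced and batches >= 1,
        }
    return findings


def build_sample():
    """Constructed records for three handsets; not real traffic."""
    recs = []
    # Handset A: two batches of 50, sent 1.3 s apart, fetched on separate polls.
    for batch, start in enumerate((1000.0, 1000.0 + 2 * POLL_EVERY)):
        for i in range(BATCH_SIZE):
            recs.append(("+15550000001", start + i * SEND_GAP,
                         f"+1555100{batch}{i:03d}", f"body-{batch}"))
    # Handset B: ordinary user with irregular gaps and few recipients.
    for ts, rcpt in [(1000.0, "+15552000001"), (1042.5, "+15552000002"),
                     (1300.0, "+15552000001"), (1301.2, "+15552000001")]:
        recs.append(("+15550000002", ts, rcpt, f"chat-{ts}"))
    # Handset C: rapid chat with one contact; the pacing matches by
    # coincidence, but there is no fan-out, so it must not be flagged.
    for i in range(10):
        recs.append(("+15550000003", 2000.0 + i * SEND_GAP,
                     "+15553000001", f"msg-{i}"))
    return recs


if __name__ == "__main__":
    for sender, finding in analyze(build_sample()).items():
        print(sender, finding)
```

Handset C shows why pacing alone is not enough: a fast conversation can match the 1.3 second gap, so the fan-out test is what separates it from the zombie.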

We first saw this spammer on October 26th, when the trojan claimed to be anti SMS spam software!

Tired of SMS Spam? Download our free SMS Blocker today to finally rid yourself of unwanted messages! Download now at http://[redacted].com

That attack only lasted one day. Apparently using SMS spam to promote a bogus SMS spam blocking service was not an easy sell. The spammer came back on November 10th, with the free games scam which simply attempts to get the botnet to spread:

Download Grand Theft Auto 3 & Need for Speed Most Wanted for Android phones for free at http://[redacted].mobi for next 24hrs only!

On November 28 the spammer decided to start monetizing. The free game messages continued, but there were also free gift card scam messages mixed in. This is a fairly common sort of SMS spam:

You have just won a $1000 Target Gift Card but only the 1st 777 people that enter code 777 at http://[redacted].com can claim it!

Of course, there are not really any free gift cards, this is just a trick to collect your personal information for affiliate programs and sometimes identity theft.

This stayed as a fairly low volume attack until the end of the week before last, when the spammer decided to ramp up his activities. For a couple of days we saw growth rates of 80% per day, with a peak rate of over half a million SMS messages per day.

To date, the following Trojan apps have been identified:


These URLs have been used for malware distribution:


These URLs have been used by the C&C server:

  • l0rdzs0ldierz.com
  • imperialistic.mobi

Compared with PC botnets this was an unsophisticated attack. However, this sort of attack changes the economics of SMS spam, as the spammer no longer has to pay for the messages that are sent if he can use a botnet to cover his costs. Now that we know it can be done, we can expect to see more complex attacks that are harder to take down. Please help prevent this from becoming a major problem:

  • Only install Android apps from Google Play
  • When you receive SMS spam, forward it to 7726

Share this with your friends and family, and together we can prevent Android botnets.

We’re continuing to monitor this attack and will update the blog with any breaking news.

 

Ringing the Bell for Cyber Security Awareness


Tuesday, October 16, 2012 by Mary Landesman

October is National Cyber Security Awareness Month. In recognition of that, the National Cyber Security Alliance teamed up with the Department of Homeland Security and the security industry to sponsor the opening bell ceremony at NASDAQ. Held at 4 Times Square on Monday, October 15, the principal bell ringer was Jane Holl Lute, Deputy Secretary for the Department of Homeland Security. Also participating were Congresswoman Yvette Clarke and Congressman Jerrold Nadler, both of NYC, as well as representatives from dozens of security companies (including Cloudmark).

The event was preceded by a breakfast at NASDAQ which provided a great opportunity to chat about specific threats we’ve been observing at Cloudmark. At the top of that list was the barrage of SMS phishing attacks that continue to plague mobile users. As we’ll discuss in a later blog post, it’s not just the increase in SMS phishing numbers that is so concerning – it’s also the sophistication in the social engineering methods used in the attacks. There was also some chatting about passwords and how to devise better solutions that are truly scalable.

Though October is designated Cyber Security Awareness Month, the National Cyber Security Alliance operates year round to promote better online security practices. Whether you want to protect yourself, protect your business, or help educate others, the NCSA has many opportunities for you to get involved.

One thing any smartphone user can do to further online security – forward any SMS spam you receive to 7726 (7-7-2-6 spells S-P-A-M on old style alpha-numeric keypads). Forwarding SMS spam to 7726 not only helps protect other users, it also helps mobile providers investigate and take action against SMS spammers and scammers.

Overall, the bell ringing ceremony was a fun event with a serious message. It’s great to see the industry come together to fight cybercrime and Cloudmark will certainly continue to be a part of that effort.

Justice for the ‘Secret Crush’ spammer?


Tuesday, September 25, 2012 by Chris Barton

 “You Have 1 unread message from your secret crush…”

“Someone thinks you’re hot!”

“Someone sent you a weird diet tip that works.”

New York state Attorney General Eric T. Schneiderman’s office were responsible for the settlement in the case against Game Theory LLC that resulted in fines of $500,000 and a prohibition on the deceptive business practice.  Game Theory were found to be tricking recipients into signing up for monthly text messages at a cost of $9.99 a month that were reportedly appearing on bills as “premium content” or “direct-bill charge”.  They sent 150,000 texts to New Yorkers alone.

The news came in this tweet: https://twitter.com/AGSchneiderman/status/246973872342171648

Data from the 7726 SMS spam reporting services show how bad the situation got. The system was relatively new when the campaign kicked off; despite that, the level of complaints over a 3 month period is a clear indication of how it annoyed the recipients.

 

So that’s it. GAME OVER!  Game Theory’s site is down and the good guys won.

… Or is it?

There are also reports of Game Theory being acquired.  Clearly the reporter didn’t look too hard into this statement.  LinkedIn holds a good clue with regard to employee migration to a new employer.

.. and of course, a Facebook post has the full details:

Now, I have to ask one question… Does this list of complaints look a little too familiar? http://www.scambook.com/company/view/51431/Mobile-Plus-Inc

Screenshot

Clicking on some of the stories shows images of customers’ own bills showing similar charges they are clearly upset about.  In game theory, this is called respawning, right?

Further reading:
www.nypost.com/p/news/local/text_scam_snares_only_the_lonely_CH8Fa0sEBjk3Jid6Mo3kWP

Kudos to Dan for his help with this story.

Paul Ryan Targeted by Political SMS Spam


Wednesday, August 15, 2012 by Andrew Conway

On Saturday, Mitt Romney, the Republican nominee for President, announced that his running mate was to be Paul Ryan, a congressman from Wisconsin. What has this to do with spam, you ask? Well, early Tuesday morning our SMS spam reporting service started getting reports of a new attack. It was low volume compared with the gift card or free iPad spams, and only lasted a few hours, but the contact was something new. Here’s a typical example:

Voter #37175 Paul Ryan is secretly an atheist, Don’t vote for Godlessness! Do your research Tell your friends!

The sender used typical spammer techniques to try to avoid being blocked. The voter number varied, there were variations in the wording in different messages, and each one came from a different phone number with area codes scattered all over the country.
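Content-based grouping of reports still works against the evasion described above. The following is an added example, not Cloudmark's code: it masks digit runs, compares word shingles with Jaccard similarity, and counts distinct senders per cluster. Only the first sample text is the message quoted in the post; the other texts, all sender numbers and the thresholds are constructed assumptions.

```python
import re


def shingles(text, k=3):
    """Word k-shingles after lowercasing and masking every digit run."""
    norm = re.sub(r"\d+", "<n>", text.lower())
    words = re.findall(r"<n>|[a-z']+", norm)
    return {tuple(words[i:i + k]) for i in range(max(1, len(words) - k + 1))}


def jaccard(a, b):
    """Jaccard similarity of two shingle sets."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def cluster_reports(reports, threshold=0.5):
    """Greedy single-pass clustering of (sender, text) spam reports.

    Each report joins the first cluster whose representative (its first
    member) is at least `threshold` similar; otherwise it starts a new one.
    """
    clusters = []
    for sender, text in reports:
        sh = shingles(text)
        for c in clusters:
            if jaccard(sh, c["rep"]) >= threshold:
                c["senders"].add(sender)
                c["texts"].append(text)
                break
        else:
            clusters.append({"rep": sh, "senders": {sender}, "texts": [text]})
    return clusters


def campaigns(reports, min_senders=3, threshold=0.5):
    """Clusters reported from at least min_senders distinct numbers."""
    return [c for c in cluster_reports(reports, threshold)
            if len(c["senders"]) >= min_senders]


# Constructed sample reports (sender numbers are fictional).
SAMPLE = [
    ("+12025550101", "Voter #37175 Paul Ryan is secretly an atheist, Don't "
                     "vote for Godlessness! Do your research Tell your friends!"),
    ("+13125550102", "Voter #90412 Paul Ryan is secretly an atheist. Do not "
                     "vote for Godlessness! Do your research, tell your friends"),
    ("+14155550103", "Voter #5531 Paul Ryan is secretly an atheist, Don't "
                     "vote for Godlessness! Tell your friends!"),
    ("+16175550104", "You have just won a $1000 Target Gift Card but only the "
                     "1st 777 people that enter code 777 can claim it!"),
    ("+17185550105", "Running late, see you at 7"),
]

if __name__ == "__main__":
    for c in campaigns(SAMPLE):
        print(len(c["senders"]), "senders:", c["texts"][0])
```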

Personally I see nothing wrong with being an atheist, but apparently it was intended as an insult. In any event it is an absurd and easily refuted attack, as Mr Ryan is a Roman Catholic. Is this a loner trying to stir things up, a left winger trying to discredit Ryan with the religious right, or a right winger trying to change the subject of the election from Medicare and taxes, and discredit the left into the bargain?

Whoever it is should remember that the penalties for SMS spam are quite severe. Heartland Automotive Services (the largest Jiffy Lube franchisee in the US) and their SMS Marketing company just agreed to a $47 million settlement for sending out 2.3 million unwanted SMS messages last year. That’s over $20 a message, which is pretty expensive advertising, but the penalty under the Telephone Consumer Protection Act could be as high as $500 per message.

Let’s hope that this was a one-off event, and not a trend. Your right to political free speech does not extend to my SMS plan, thank you very much! Please help us to monitor and block all SMS spam, commercial and political, by forwarding spam messages to 7726 (that’s SPAM spelled out on your keypad).

 

