
Cloudmark Blog

Intelligence Briefings from the War on Spam

Archive for the ‘Cloudmark’ Category

Fifty Shades of Spam


Wednesday, January 23, 2013 by Andrew Conway

At first glance it might seem that deciding whether an email is spam is a black and white question: either it’s spam or it isn’t. However, the closer you get to the problem, the more complex it becomes, and many shades of grey start to appear.

For example, last Thanksgiving I was keeping an eye on email related to Black Friday and Cyber Monday, to see how those were being exploited by spammers. The results were interesting. The real spam was caught by our automated filters as always. However, we received a lot of feedback where a recipient had taken a legitimate marketing mail from, say, amazon.com, Petsmart, or Home Depot and manually flagged it as spam. These are legitimate companies who are sending mail that a lot of people want to see, so they are not likely to end up in any spam filters. If you are receiving legitimate marketing emails that you no longer want to receive, click on the Unsubscribe link and not the Report As Spam button.

More troubling than that was the case of a legitimate bulk email company that provides marketing services for a number of national brands. We noticed that they are forging the headers on their emails to make it appear as if they are coming from a single user email client rather than a bulk mailing service. This is a technique used by spammers to try to improve deliverability. However, for a legitimate business it will probably have the opposite effect. Spammers do not forge headers to get more emails delivered than legitimate bulk mailers. Spammers forge headers to try to get as many emails as they can through our filters. That’s never very many. The more a legitimate email source tries to use the spammer’s toolkit, the more likely their emails are to get classified as spam and consigned to the bit bucket.

The road to the Dark Side is insidious. It starts with an opt out check box hidden in the fine print and a six step unsubscribe process. Next a forged header line or two, and then adding a little word salad so every email is slightly different. Before you know it you are renting botnets or buying webmail accounts by the thousand and every step down into the pit you will convince yourself that there are legitimate business reasons.

There is a better road though. If your marketing emails are causing mass unsubscribes or getting flagged as spam, the first thing to do is not to tweak the headers, but to take a long, hard look at the content. If you are sending people information they want to receive in a way that is engaging, then your marketing campaign will work much better than one that goes to five times as many people who have no interest in seeing it. Know your audience, and tailor your message. Before sending out a mass mailing, test five or ten different versions on smaller groups and see what gets the best ROI and the fewest unsubscribes.

Most large mailbox providers will provide feedback loops to large mailers, which will notify them which recipients are marking their messages as spam. Not only does this provide vital statistical feedback, but that feedback can also be treated as unsubscribe requests by the mailer. It’s pretty obvious from our reports which mailers are not taking advantage of this service – and that adds another shade of grey.
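Here is what “treating feedback as unsubscribe requests” looks like in practice. This is an added example, not code from the original post or from Cloudmark. It assumes the mailbox provider sends complaints in the standard ARF format (RFC 5965, a multipart/report with report-type=feedback-report), and that the mailer stamps every outgoing message with a hypothetical X-Campaign-Recipient header, because many providers redact the complaining recipient’s address before forwarding the report. The sample report, addresses, IPs and domains are all constructed.

```python
"""Turn an ARF feedback-loop report into a suppression-list entry.

Added example, not Cloudmark code. Assumes RFC 5965 ARF reports and a
hypothetical X-Campaign-Recipient header on the mailer's own messages.
"""
import email
from email import policy
from email.utils import parseaddr

# Constructed sample report; every address, IP and domain is invented.
SAMPLE_ARF = """\
From: <abuse-feedback@mailbox-provider.example>
To: <fbl@marketing.example>
Subject: FW: You're going to love these deals
Date: Mon, 26 Nov 2012 10:02:47 -0800
MIME-Version: 1.0
Content-Type: multipart/report; report-type=feedback-report;
 boundary="part_boundary"

--part_boundary
Content-Type: text/plain; charset=us-ascii

This is an email abuse report for a message received from
IP 192.0.2.10 on Mon, 26 Nov 2012 09:58:12 -0800.

--part_boundary
Content-Type: message/feedback-report

Feedback-Type: abuse
User-Agent: MailboxProviderFBL/1.0
Version: 1
Original-Mail-From: <bounces@marketing.example>
Original-Rcpt-To: <mark@mailbox-provider.example>
Arrival-Date: Mon, 26 Nov 2012 09:58:12 -0800
Source-IP: 192.0.2.10
Reported-Domain: marketing.example

--part_boundary
Content-Type: message/rfc822

From: Deals <deals@marketing.example>
To: <mark@mailbox-provider.example>
Subject: You're going to love these deals
Message-ID: <campaign-4711.abc123@marketing.example>
X-Campaign-Recipient: abc123
List-Unsubscribe: <mailto:unsub-abc123@marketing.example>

Black Friday starts now...

--part_boundary--
"""


def parse_arf(raw):
    """Return the fields a mailer needs from one ARF report."""
    msg = email.message_from_string(raw, policy=policy.default)
    if (msg.get_content_type() != "multipart/report"
            or msg.get_param("report-type") != "feedback-report"):
        raise ValueError("not an ARF feedback report")
    info = {"feedback_type": None, "recipient": None,
            "recipient_id": None, "source_ip": None}
    for part in msg.iter_parts():
        ctype = part.get_content_type()
        if ctype == "message/feedback-report":
            # The email package parses this part as a nested header block.
            report = part.get_payload()[0]
            info["feedback_type"] = report.get("Feedback-Type", "").strip().lower()
            info["recipient"] = parseaddr(report.get("Original-Rcpt-To", ""))[1] or None
            info["source_ip"] = report.get("Source-IP", "").strip() or None
        elif ctype == "message/rfc822":
            # Our own copy of the message, used when the address is redacted.
            original = part.get_payload()[0]
            rid = original.get("X-Campaign-Recipient")  # hypothetical header
            info["recipient_id"] = str(rid).strip() if rid is not None else None
    return info


def suppress_from_report(raw, suppression):
    """Treat an abuse complaint as an unsubscribe.

    Adds the recipient (or the campaign recipient id when the provider has
    redacted the address) to the suppression set and returns the key added,
    or None when the report type does not call for suppression.
    """
    info = parse_arf(raw)
    if info["feedback_type"] != "abuse":
        # 'not-spam', 'virus', 'fraud' and 'other' need separate handling.
        return None
    key = info["recipient"] or info["recipient_id"]
    if key is None:
        return None
    suppression.add(key.lower())
    return key.lower()


if __name__ == "__main__":
    suppressed = set()
    print(suppress_from_report(SAMPLE_ARF, suppressed), sorted(suppressed))
```

Feed every report from the feedback-loop mailbox through suppress_from_report and check the suppression set before each send; the complaint rate you see in the reports then falls for the right reason.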

Take the path of science and math, and measure response to emails. Give people who do not wish to receive your emails an easy way out – they’re not likely to buy from you anyway. Do not be seduced by the dark side of spam, or one day you may find yourself with vanishing response rates and a negative ROI, ranting about those filthy Nigerian scam artists who are giving bulk emailing a bad name.

SMS Sex Spammer Fails Turing Test


Friday, January 18, 2013 by Andrew Conway

Sometimes I love my job. How cool is it to run a Turing Test for real? But first, the back story…

For a while now we’ve been receiving SMS spam reports for a three stage attack. This starts with an SMS text message conversation, moves to Yahoo! Messenger or Skype and ends up on the web. The first contact is a text message using the recipient’s correct first name and saying something like:

Hello Mark u there?? Have not heard from u in a while

The spammer is using the victim’s real first name. We believe that and the phone number were collected by data mining social networks. When the victim responds asking who is sending the message they get a reply which is a variation on:

Who are you?

haha if u want to know who this is u got to addd me on Yahoo messenger, my id is XXXXXXXXXX

If the victim tries to continue the conversation it goes like this:

No, really, who is this?

omg my phone is gonna run out of battery. just talk to me on yahoo ;-)

Of course, the Research team at Cloudmark could not wait to find out who this person was who had managed to lose touch with so many thousands of people and incidentally seemed to collect Yahoo! and Skype accounts like other people collect pennies in a jar. We sent Yahoo! Messenger friend requests to a few of the ids in recent messages. Chris got the first response, but I think mine was better. I started by channeling my inner horny college student, but pretty soon the inner computer scientist took over.

Turing Test

Clicking the accept button on the landing page opens two browser windows, one to an adult dating site and one to a web cam site. The web cam site is one of over a thousand URLs owned by a company in Seattle. They all have the same content, and their affiliate program pays $40 to the spammer for any person who signs up for the free service, on the assumption that they will be able to extract more money out of them later. The dating site pays the spammer $5 for each visitor, or $75 if the visitor signs up. People who sign up can only hope that the “SEXY SINGLES IN YOUR AREA” on the dating site are more real than the sex crazed robot trying to drum up business, but somehow I doubt it.

At this point Chris decided to have some fun with the bot (everyone has to have a hobby). He found that it doesn’t care about money, but does react to the word “scam”.

Chris vs bot

If you do get a text message from a sexy spambot, or any other SMS spam, remember to forward it to 7726 (SPAM on most phone keypads) so that we can help your phone company block these messages.

WordPress and Joomla vulnerabilities increasingly exploited by spammers


Monday, January 14, 2013 by Andrew Conway

Early last year I wrote about the increasing amount of spam that was using hacked web servers to obfuscate the spammer’s call to action. Back then the volume was creeping up to 1% of all spam. Since we’ve been seeing even more of it lately, I decided to take a look at the figures and see what had been going on in the past six months.

Graph of percentage of spam using hacked domains

The average for the six month period was 7.7% of all spam, but we have seen much higher peaks, including the recent period from December 30th through January 8th, when one relentless porn spammer pushed the ratio up to 37%. The good news is that this particular spammer was sending out millions of messages a day but only using a group of a few hundred URLs in his messages, so they were easy to block. Billions of electrons were shuffled from botnet to spam folders with almost no real impact.

This particular spammer was only uploading a single file to each hacked domain to do his redirection. Others upload multiple files to allow more URLs to be used, and we have seen some domains in which the 404 “page not found” handler has been hacked to redirect to the spammer’s landing page, so the spammer can send out each spam email with a different URL: any path that is not part of the original web site will redirect when the recipient clicks on it.

So how are these web sites being hacked? The majority that we see are WordPress sites, and a significant minority are Joomla. Mostly these are sites belonging to individuals and small businesses who may have set up a site a few years ago and make very few updates, to either content or software. However, older versions of both WordPress and Joomla have well documented vulnerabilities, so if you don’t keep your site up to date you may well be a target.

Even if you do always have the latest software in place, you can still be hacked if you install the wrong theme or plug in. Just recently in the black hat underworld, malicious code was offered for sale that allows the user to add a trojan to installable WordPress modules…

Black Hat Script

Once the user installs the innocent looking plug in, the hacker can then upload and execute arbitrary code or even use the built in redirect manager.

Redirect Manager

That was offered for sale for just $100, but sorry, it’s all sold out now.

To prevent the embarrassment of having your web site redirect to a porn site in Russia, keep your web site software up to date, be careful what themes and plug ins you install, and keep an eye on your server log for any traffic to pages you don’t recognize.
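As an added example of the log check suggested above (not code from the original post or from Cloudmark), here is a small scanner for the two patterns described in this post: a dropped redirect script, and a 404 handler that has been hijacked so that random paths redirect instead of returning “not found”. It assumes Apache/nginx combined log format and that you can list the paths your site legitimately serves; the log lines and the baseline below are constructed.

```python
"""Flag access-log traffic that suggests a site is being used as a spam
redirector. Added example, not Cloudmark code. Assumes combined log format
and a constructed baseline of legitimate paths."""
import re
from collections import Counter

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

# Paths the site is supposed to serve (constructed baseline).
KNOWN_PATHS = {"/", "/index.php", "/about/", "/wp-login.php", "/favicon.ico"}

# Constructed log lines: two normal visits, a redirect script dropped into
# the uploads directory, two random paths that redirect instead of 404ing,
# and one genuine 404 that should not be flagged.
SAMPLE_LOG = """\
198.51.100.7 - - [05/Jan/2013:03:14:07 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Jan/2013:03:14:09 +0000] "GET /about/ HTTP/1.1" 200 2210 "http://example.com/index.php" "Mozilla/5.0"
203.0.113.45 - - [05/Jan/2013:03:15:01 +0000] "GET /wp-content/uploads/xh7.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.46 - - [05/Jan/2013:03:15:02 +0000] "GET /wp-content/uploads/xh7.php?id=91 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.47 - - [05/Jan/2013:03:15:04 +0000] "GET /kq8s2/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.48 - - [05/Jan/2013:03:15:05 +0000] "GET /zz91a/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Jan/2013:03:16:00 +0000] "GET /old-page/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""


def scan_log(lines, known_paths):
    """Return counters of suspicious requests.

    unknown_redirects: paths outside the baseline that answered 3xx. An
        unknown path should 404; if it redirects, either a file has been
        planted there or the 404 handler itself has been replaced.
    php_in_uploads: PHP files requested under wp-content/uploads, where
        WordPress never places executable code of its own.
    """
    unknown_redirects = Counter()
    php_in_uploads = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]   # ignore query strings
        status = int(m["status"])
        if path.startswith("/wp-content/uploads/") and path.endswith(".php"):
            php_in_uploads[path] += 1
        if path in known_paths:
            continue
        if 300 <= status < 400:
            unknown_redirects[path] += 1
    return {"unknown_redirects": dict(unknown_redirects),
            "php_in_uploads": dict(php_in_uploads)}


def hijacked_404_suspected(findings, distinct_paths=3):
    """True when several different unknown paths all redirect: the pattern
    of a hacked 404 handler serving a different URL per spam message."""
    return len(findings["unknown_redirects"]) >= distinct_paths


def main():
    findings = scan_log(SAMPLE_LOG.splitlines(), KNOWN_PATHS)
    for path, n in sorted(findings["unknown_redirects"].items()):
        print(f"unknown path redirecting: {path} ({n} hits)")
    for path, n in sorted(findings["php_in_uploads"].items()):
        print(f"PHP served from uploads dir: {path} ({n} hits)")
    if hijacked_404_suspected(findings):
        print("many distinct unknown paths redirect: check the 404 handler")


if __name__ == "__main__":
    main()
```

Run it over a day of real logs with your own baseline; a single unknown path that redirects is usually a dropped file you can delete, while dozens of different ones means the 404 handler (or a rewrite rule) has been changed and the whole install needs checking.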

Getting Rid of SpamSoldier


Friday, December 21, 2012 by Andrew Conway

A couple of days ago all the domains used by the Android Spambot went offline and have stayed down. This includes the Command and Control servers, so the army of zombie droids is now headless. However, if you did get tricked into installing this malware it will still be blocking some of your incoming texts, and spamming operations may lurch back to life if the spammer manages to point his domain names at a different host. So, here’s how to uninstall it.

First tap Settings.

Then select Apps

Then find “GameEnabler” and tap that.

Now tap on “Uninstall”

And confirm.

Uninstalling the malware will not stop your pirated copy of Angry Birds from working, but if you like the game go out and buy a legitimate copy from Google Play! It costs less than a cup of coffee, and took a lot more work to make.

Well that about wraps it up for this year. Have a great time at the Holidays everyone and a prosperous and spam free New Year. Sorry, no Mayan Apocalypse today, but we do have a Headless Zombie Droid Army which would be a great name for a rock band…

Android SMS Spambot Update


Tuesday, December 18, 2012 by Andrew Conway

Yesterday we told you about an Android trojan used to send SMS spam. Currently, the versions of this malware being distributed by the spammer are:

  • angrybirds.apk MD5 = a0e7a47c6b3582f9c9a4c5166eb0eace
  • gtavicecity.apk MD5 = a8de900d9ff269455f4344b8e8409699
  • needforspeed.apk MD5 = c18bc53d74e8a6926453a8c86355501a

The Command and Control server has moved to pinktrash.mobi, though imperialistic.mobi is still functional for the handsets infected with the older versions of the trojan.

Lookout Mobile Security have published an interesting blog post on this attack, which they call SpamSoldier. They discuss the techniques used to escape detection. Firstly the app attempts to remove its icon, so that you will not be aware that it is even there. It also attempts to block incoming messages unless they are from someone on your contacts list. This prevents the people your phone is spamming from complaining to you about the spam they received.

So, if you do get SMS spam, don’t bother replying STOP to the sender; just forward that message to 7726 (that’s S-P-A-M on your keypad). Replying STOP will only work for commercial contacts from legitimate companies.

We’re continuing to monitor this attack, so watch the blog, or add it to your RSS feed, if you want to keep up to date.

Spammer in Spamcop’s Clothing


Monday, December 03, 2012 by Andrew Conway

As you can imagine, spammers are not particularly fond of spam filtering services, but one of them decided to make it personal. Look what turned up in our spam filters the other day:

From: “info@spamcop.com” <info@spamcop.com>
Subject: Alert! Your email will be blacklisted soon.

Dear  %email%,

We received complaints about spam coming from your network.  Spam bots are sending bulk emails, for the security reasons your email will be blacklisted. To avoid blacklisting please check your Sent folder for unknown emails and prove that you are human by entering this code 0286 here. Your email will be recorded and spam flag will be removed. No other data will be collected.

Thank you for cooperation.

 

SpamCOP SBL.

No, it’s not really from SpamCop, which is a legitimate spam filtering service owned by Cisco. And yes, it really does say Dear %email%. Apparently the spammer’s macro substitution wasn’t working very well. I’ve disabled the link, because if you followed it you ended up on a malicious page which tried to convince you that you needed to upgrade your Adobe Flash Player in order to complete the blacklist removal. If you went ahead you would download and run a Trojan which would make you part of a botnet.

It looks like all the malicious landing pages have been blocked now, so if you have any sort of security turned on in your browser or an up to date anti-virus program (as I’m sure everyone reading this blog does) you are safe against this threat.

Just for the record, the URL for the original SpamCop service is spamcop.net. Any message apparently from SpamCop that links anywhere else is not to be trusted, especially if it is addressed to Dear %email%.

Black Friday Starts Early For Spammers


Monday, November 19, 2012 by Andrew Conway

At the end of last week, seven whole days before the traditional retail Armageddon that we call Black Friday, we blocked the first high volume Black Friday email spam.

As you can see, it was offering unbelievably cheap prices on a variety of goods. The only problem is, these are closing prices from an auction service where there is a sixty cent fee charged every time you bid and the bidding can only increment by a penny each time. The fees are charged even if you don’t win the auction! So, if the auction site sells an iPad for $76.39, that closing price represents 7,639 one-cent bids at sixty cents each, or about $4,583 in bid fees; add the $76.39 paid by the winner and the site actually receives around $4,660 for the iPad!

Suddenly those prices don’t look like such a great deal.

On top of that, the commercially available software for running these penny auction sites includes the option of automated shill bidding, so that if the auction has not raised enough money, a bot will keep the bidding open. If the auction operator turns that feature on, there is no way they can lose money on an auction. As a bonus, if the bot wins the bidding they still collect fees from everyone else, and don’t even have to ship a product.

We’ll probably see more Black Friday spam this week, and will post here if any other interesting scams turn up.

Personally I try to avoid the whole Black Friday shopping experience. I’d rather panic buy presents on the Internet the week before Christmas. (Thank goodness for second day shipping.) Happy Thanksgiving Everyone!

Ringing the Bell for Cyber Security Awareness


Tuesday, October 16, 2012 by Mary Landesman

October is National Cyber Security Awareness Month. In recognition of that, the National Cyber Security Alliance teamed up with the Department of Homeland Security and the security industry to sponsor the opening bell ceremony at NASDAQ. Held at 4 Times Square on Monday, October 15, the principal bell ringer was Jane Holl Lute, Deputy Secretary for the Department of Homeland Security. Also participating were Congresswoman Yvette Clarke and Congressman Jerrold Nadler, both of NYC, as well as representatives from dozens of security companies (including Cloudmark).

The event was preceded by a breakfast at NASDAQ which provided a great opportunity to chat about specific threats we’ve been observing at Cloudmark. At the top of that list was the barrage of SMS phishing attacks that continue to plague mobile users. As we’ll discuss in a later blog post, it’s not just the increase in SMS phishing numbers that is so concerning – it’s also the sophistication of the social engineering methods used in the attacks. There was also some chatting about passwords and how to devise better solutions that are truly scalable.

Though October is designated Cyber Security Awareness Month, the National Cyber Security Alliance operates year round to promote better online security practices. Whether you want to protect yourself, protect your business, or help educate others, the NCSA has many opportunities for you to get involved.

One thing any smartphone user can do to further online security – forward any SMS spam you receive to 7726 (7-7-2-6 spells S-P-A-M on old style alpha-numeric keypads). Forwarding SMS spam to 7726 not only helps protect other users, it also helps mobile providers investigate and take action against SMS spammers and scammers.

Overall, the bell ringing ceremony was a fun event with a serious message. It’s great to see the industry come together to fight cybercrime and Cloudmark will certainly continue to be a part of that effort.

Instagram is the Spammers’ Latest Target


Monday, October 01, 2012 by Andrew Conway

Facebook’s billion dollar acquisition of Instagram attracted a lot of attention, and a few raised eyebrows, but it seems to be paying off. A recent study shows that mobile users spend more time with Instagram than they do with Twitter. Of course, as soon as a social network becomes popular, the spammers move in, so it is no surprise to see a set of tools for spamming Instagram turn up for sale in the digital underworld.

Instagram Spam Tool

The tool spoofs a genuine mobile client, so that it is not throttled by the rate limits in the Instagram API. It allows a spammer to manage thousands of dummy accounts, friending and following genuine users in the hope they will reciprocate. The spammer then looks for popular images, uses the toolkit to watermark them with the URL of the web site they are trying to drive traffic to, and posts them from the dummy accounts.

A call to action URL which only appears in an image will get less response from the victims than one that is clickable, but on the other hand it is impossible to detect using text based filters. It’s been part of the email spammers’ arsenal for a long time. Of course, Cloudmark uses a wide range of spam filtering techniques, and image spam does not present any particular difficulties for us.

Chatter on hacker forums suggests that Instagram users are not yet used to seeing spam: “Great Traffic Source. The audience is completely naive to marketing efforts.” “And mostly love instagram people cause they fall for everything you say on your pics!!” Though one spammer complains, “Sent 873 visitors to my iPhone 5 for free landing page yesterday and only 11 submitted.” Is the public finally getting wise to the free iPad/iPhone scam?

Another spammer is starting to worry about the legality of spamming social networks: “Btw is this stuff illegal, and could I get in trouble by doing this? Even though I’m using keywords like ‘could’ win an iphone 5. You have a ‘chance’, and stuff like that?”

While I’m not a lawyer, here’s a brief guide to the legality of spam in the USA for the script kiddies and others who may be interested. Email spam that violates the CAN-SPAM Act of 2003 can result in fines and, for the worst conduct such as falsifying header information or sending through hijacked computers, imprisonment, as well as civil actions from ISPs, the FTC and state attorneys general. CAN-SPAM gives individual spam victims no private right of action, so they cannot sue or bring a class action against spammers under it. Text message spam is governed by the Telephone Consumer Protection Act of 1991. This does allow individual recipients of spam text messages to bring a class action law suit against the spammer, with statutory damages of $500 per message (up to $1,500 for willful violations), and courts have awarded $100 to $200 to each recipient in such cases.

Social network spam is a newer phenomenon, and does not yet have any specific legislation governing it, but it is a violation of the End User License Agreement of the social network, which can result in a civil law suit. Depending on the circumstances and techniques used, it may also be a violation of CAN-SPAM and/or the Computer Fraud and Abuse Act of 1986, which carry criminal as well as civil penalties. Of course, any false claim made over a computer network in order to obtain money, goods or services from someone is wire fraud, a federal crime under 18 U.S.C. § 1343; the wire fraud statute dates from 1952 and extends the mail fraud statute that has been on the books since 1872.

Facebook has a legal department which has been both aggressive and successful in bringing actions against spammers. They obtained the largest judgement ever under the CAN-SPAM Act – $873 million.

So, the simple answer to the script kiddie quoted above is: yes, you can get in trouble for doing this.


Justice for the ‘Secret Crush’ spammer?


Tuesday, September 25, 2012 by Chris Barton

“You Have 1 unread message from your secret crush…”

“Someone thinks you’re hot!”

“Someone sent you a weird diet tip that works.”

New York State Attorney General Eric T. Schneiderman’s office was responsible for the settlement in the case against Game Theory LLC that resulted in fines of $500,000 and a prohibition on the deceptive business practice. Game Theory were found to be tricking recipients into signing up for monthly text messages at a cost of $9.99 a month that reportedly appeared on bills as “premium content” or “direct-bill charge”. They sent 150,000 texts to New Yorkers alone.

The news came in this tweet: https://twitter.com/AGSchneiderman/status/246973872342171648

Data from the 7726 SMS spam reporting service show how bad the situation got. The system was relatively new when the campaign kicked off; despite that, the level of complaints over a three month period is a clear indication of how much it annoyed the recipients.


So that’s it. GAME OVER!  Game Theory’s site is down and the good guys won.

… Or is it?

There are also reports of Game Theory being acquired. Clearly the reporter didn’t look too hard into this statement. LinkedIn holds a good clue with regard to employee migration to a new employer.

… and of course, a Facebook post has the full details:

Now, I have to ask one question… Does this list of complaints look a little too familiar? http://www.scambook.com/company/view/51431/Mobile-Plus-Inc

Screenshot

Clicking on some of the stories shows images of customers’ own bills with similar charges that they are clearly upset about. In game theory, this is called respawning, right?

Further reading:
www.nypost.com/p/news/local/text_scam_snares_only_the_lonely_CH8Fa0sEBjk3Jid6Mo3kWP

Kudos to Dan for his help with this story.

