
Cloudmark Blog

Intelligence Briefings from the War on Spam

Archive for the ‘Cloudmark’ Category

iPhone 5: If Rumors Spiked Massive Scam Increase, What Will Launch Do?


Friday, September 14, 2012 by Mary Landesman

Undoubtedly, pre-orders for the iPhone 5 are flooding in for Apple today. Will SMS scammers follow suit with a surge in iPhone 5 scams? After all, last February’s iPhone 5 release rumors spawned a pretty massive spike in iPhone 5 scams so it stands to reason the actual release of the device will have an even larger impact. While it’s still too soon to tell, here’s an overview of iPhone 5 SMS scams thus far this year.

The chart below shows the February spike and the March 2012 peak (4851 unique pitches) that occurred as a result of the iPhone 5 rumors. The number of unique pitches is telling because it indicates how much effort is being put into a specific scam (and thus serves as a possible indicator of how successful the particular scam is in netting new victims).

[Chart: Cloudmark count of unique iPhone 5 scam pitches by month, 2012]

While the number of unique pitches isn’t necessarily indicative of total volume, we find that in most cases the higher the number of unique pitches the scammers employ, then the higher the overall volume of that particular spam run. And that’s certainly the case with the iPhone 5 scams – the volume follows a near identical trajectory.

[Chart: Cloudmark volume of iPhone 5 scam messages by month, 2012]

It’s pretty obvious the scammers are closely tracking iPhone 5 launch developments. In March 2012, over 99% of iPhone 5 related SMS spam consisted of so-called “Test & Keep” scams and only 0.81% tried to convince the recipient they had won an iPhone 5. Thus far in September, however, only 33% use “Test & Keep” as the hook, whereas 56% claim the recipient has won an iPhone 5.

[Chart: Cloudmark breakdown of iPhone 5 scam hooks, March vs. September 2012]

Most telling, of the September iPhone 5 winner scams, all but 0.4% occurred on September 12 and 13. That means the scammers are paying close attention to the launch and tailoring their pitch accordingly. Does that mean there will be a marked increase in iPhone-related SMS scams in the near future? Given the significant impact the February rumors had on overall volume, it’s quite likely, but of course it’s much too soon to tell. We’ll be watching.

Severe Surge in SMS Phishing Attacks


Friday, September 07, 2012 by Mary Landesman

During the first week of September, Cloudmark observed a 913% increase in the volume of SMS phishing attempts, making SMS phishing currently the single largest SMS text messaging threat. The surge appears to be the result of a single set of attacks which initially started on September 4th. Thus far, attackers have used over 500 unique pitches in the phishing scams, but the general characteristics are as follows:

Fwd:Good Afternoon .Attention Required Call.(xxx)xxxxxxx

The phone numbers victims are instructed to call include:

2012040735
2055612208
2105278888
2814920248
3124924053
3474105894
4016488505
5612357256
6164993061
6783847527
7145911051
7272162029
7739121434
8164101809
8177863304
8323086322
8645825454
8667368703
8775924747
8888408034
9738818000

Investigation reveals the attackers are using several phone ploys to trick victims into divulging sensitive credentials. These ploys include claims of Bank of America account suspensions, Macy’s credit card collections, and even U.S. Veterans Administration health services.

Victims who fall for the phishing scam and divulge their credentials risk being subjected to bank account theft, credit card fraud, and even outright identity theft. Stolen information can even be used in social engineering scams to elicit further information from unrelated accounts.

If you’ve been the recipient of this SMS phishing attempt, forward the text to short code 7726 to notify your carrier and to facilitate resolution. And remember, never divulge sensitive information to any source you have not fully vetted. When in doubt (which you always should be) contact your bank, credit card company, or health provider by known good numbers you have on file – never respond via the contact details provided in an unsolicited SMS text.
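As an added illustration (not part of the original post, and not Cloudmark’s detection code), here is how a carrier or SMS gateway could triage incoming messages against this campaign: extract and normalize the callback number from the message body, match it against the list published above, and fall back to matching the pitch wording when the number is new. The sample messages are constructed; the number list is the one in this post; the regular expressions and the fallback rule are assumptions.

```python
import re

# Callback numbers listed in the post, in normalized 10-digit NANP form.
KNOWN_CALLBACK_NUMBERS = frozenset({
    "2012040735", "2055612208", "2105278888", "2814920248", "3124924053",
    "3474105894", "4016488505", "5612357256", "6164993061", "6783847527",
    "7145911051", "7272162029", "7739121434", "8164101809", "8177863304",
    "8323086322", "8645825454", "8667368703", "8775924747", "8888408034",
    "9738818000",
})

# Wording of the campaign template quoted in the post ("Attention Required Call").
# Assumed pattern: "attention required" followed, at some distance, by "call".
PITCH_TEMPLATE = re.compile(r"attention\s+required.*?call", re.IGNORECASE | re.DOTALL)

# Anything shaped like a North American number, with or without a leading 1,
# parentheses and separators: (201)2040735, 201-204-0735, 1-866-736-8703, ...
PHONE_CANDIDATE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")


def normalize_number(raw):
    """Reduce a phone number string to its 10-digit NANP form, or None."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits if len(digits) == 10 else None


def extract_numbers(text):
    """Return the distinct normalized phone numbers found in an SMS body."""
    found = []
    for match in PHONE_CANDIDATE.finditer(text):
        number = normalize_number(match.group(0))
        if number and number not in found:
            found.append(number)
    return found


def classify_sms(text):
    """Triage one SMS body.

    Returns (verdict, numbers) where verdict is:
      "known_callback"  - a number in the message is on the campaign list
      "template_match"  - wording matches the pitch but the number is new
      "clean"           - neither signal fired
    """
    numbers = extract_numbers(text)
    if any(n in KNOWN_CALLBACK_NUMBERS for n in numbers):
        return "known_callback", numbers
    if numbers and PITCH_TEMPLATE.search(text):
        return "template_match", numbers
    return "clean", numbers


# Constructed sample messages (not real captures). The first reuses a number
# from the post's list; the second uses a 555 number that is on no list.
SAMPLE_MESSAGES = [
    "Fwd:Good Afternoon .Attention Required Call.(201)2040735",
    "Fwd:Good Morning .Attention Required Call.(555)010-0123",
    "Lunch at noon? Call me when you land",
]


def triage(messages=SAMPLE_MESSAGES):
    """Classify each message; returns a list of (message, verdict, numbers)."""
    return [(m, *classify_sms(m)) for m in messages]


if __name__ == "__main__":
    for message, verdict, numbers in triage():
        print(f"{verdict:15} {numbers} <- {message}")
```

The template fallback is what catches the campaign as it rotates numbers; a list of numbers alone goes stale as soon as the attackers buy new ones, which is why the post counts over 500 unique pitches.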

Affiliate Program Best Practices


Wednesday, September 05, 2012 by Andrew Conway

Not all spam is about Viagra, Nigerian gold, or naked coeds. We see a lot of spam, both in email and SMS, which is aimed at getting victims to sign up for surveys, product trials, mailing lists, credit reports and so on. The spammer may tell you there is a free iPad at the end of the rainbow, but in fact they just want to collect a few cents on you from various affiliate programs run by legitimate businesses. This is not good for the companies running these affiliate programs. Not only is their brand being associated with spam, but the quality of the sales leads they get from people who are tricked into filling out web forms is not going to be very high.

We also see spam for legitimate brands that does lead to the real site, but was sent to a huge email list where the spammer did not have the recipients’ permission to send it. While these may result in real leads for which the spammer will be paid through affiliate accounts, the cost to the brand is that the overwhelming majority of people to whom the email was sent did not want it and did not sign up for it. This gives the recipients a more negative view of the brand. In order to try to bypass spam filters the messages often contain strange elements, and they usually lack the professional image that many brands would like to maintain.

Clearly it is in the interests of affiliate programs not to fund spammers. But how to prevent that? Here’s some advice for affiliate programs to make them a harder target for spammers to exploit.

  1. Be aware that what you pay for is what the cyber criminals will fake for you. If you pay for clicks, you will get click fraud. If you pay for names and addresses you will get names and addresses (though probably ones entered in the hope of having that elusive free iPad shipped to them), and if you pay for sales, then the spammers will be spamming review sites and forums dealing with your product, so they are sending you contact information for people who were going to buy your product anyway.
  2. It is not enough to cancel accounts when you catch them spamming. Just as the spammer may use thousands of email addresses and web sites to make spam less obvious, so they may have set up hundreds or even thousands of affiliate accounts on your network so that their profits don’t stand out.
  3. To prevent this you have to make sure that each affiliate is a real person or business with working contact information. A good way to do this is to make the first affiliate payment for any account using a paper check sent through the postal service, and marked for deposit to the payee’s account only. That way you are confirming the postal address and that they own a bank account. Of course, this can be circumvented by the spammer using confederates (“mules”) to open accounts for them, but that adds to the cost and difficulty.
  4. Obtain a phone number and Social Security Number or Employer ID from all your affiliates. Call the phone number and make sure the right person answers, and validate the SSN or EIN with the IRS.
  5. Make sure that all the email addresses, phone numbers, SSNs and postal addresses across your affiliate accounts are unique. (Run postal addresses through a CASS Certified mailing program to normalize them first, so that trivially different spellings of the same address are caught.) If you ever cancel an account, put that information on a blacklist, so if anyone ever tries to sign up again with any of the blacklisted fields, refuse to accept them.
  6. Monitor the quality of the traffic you are getting from each affiliate. If it is in the bottom ten or twenty percent, close those accounts. Even if it is not coming from spam, there is no point in paying for low quality traffic.
  7. Check your server logs carefully and make sure you look at high volume referring pages to be sure they are genuine. If the affiliate is blocking referring pages in the traffic they send you that is a big red flag. Plot a graph of traffic against time of day for each affiliate. Natural traffic will have a smooth twenty four hour cycle to it, but synthetic traffic often comes in bursts when a large spam mailing goes out.

And remember, if the traffic you are getting from a new affiliate seems too good to be true, then it isn’t!
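The following is an added example (not from the original post) that mechanises items 5 and 7 above for an affiliate network: normalize applicant contact fields and check them against a denylist built from cancelled accounts, then compute two traffic-quality signals per affiliate, the share of clicks arriving with no referrer and how evenly clicks are spread over the 24-hour day. The field-normalization rules, the thresholds and the sample click records are all assumptions; a real deployment would use CASS-certified address normalization as the post suggests rather than the crude stand-in here.

```python
import math
import re
from collections import Counter
from datetime import datetime


# --- Item 5: normalize identity fields so duplicates and denylisted values collide ---

def normalize_email(email):
    """Lower-case and strip dots and +tags from the local part (assumed rules)."""
    local, _, domain = email.strip().lower().partition("@")
    local = local.split("+", 1)[0].replace(".", "")
    return f"{local}@{domain}"


def normalize_phone(phone):
    """Digits only, without a leading US country code."""
    digits = re.sub(r"\D", "", phone)
    return digits[1:] if len(digits) == 11 and digits.startswith("1") else digits


def normalize_ssn(ssn):
    return re.sub(r"\D", "", ssn)


def normalize_postal(address):
    """Crude stand-in for CASS normalization: drop punctuation, squeeze spaces, upper-case."""
    return re.sub(r"\s+", " ", re.sub(r"[^\w\s]", "", address)).strip().upper()


NORMALIZERS = {
    "email": normalize_email,
    "phone": normalize_phone,
    "ssn": normalize_ssn,
    "postal": normalize_postal,
}


def denylist_hits(applicant, denylist):
    """Return the applicant fields whose normalized value belongs to a cancelled account.

    applicant: dict of field -> raw value; denylist: dict of field -> set of normalized values.
    """
    return [
        field
        for field, normalize in NORMALIZERS.items()
        if field in applicant and normalize(applicant[field]) in denylist.get(field, set())
    ]


# --- Item 7: traffic-quality signals per affiliate ---

def traffic_metrics(clicks):
    """Summarize one affiliate's clicks: iterable of (ISO-8601 timestamp, referrer or '')."""
    hours = Counter()
    total = missing_referrer = 0
    for timestamp, referrer in clicks:
        total += 1
        hours[datetime.fromisoformat(timestamp).hour] += 1
        if not referrer:
            missing_referrer += 1
    # Entropy of the hour-of-day histogram, scaled so 1.0 is an even 24-hour
    # spread and values near 0 mean the clicks landed in one or two hours.
    entropy = -sum((c / total) * math.log2(c / total) for c in hours.values())
    return {
        "clicks": total,
        "missing_referrer_rate": missing_referrer / total,
        "hour_spread": entropy / math.log2(24),
        "peak_hour_share": max(hours.values()) / total,
    }


def flag_affiliate(metrics, max_missing_referrer=0.2, min_hour_spread=0.6):
    """Thresholds are assumptions; tune them against known-good affiliates."""
    reasons = []
    if metrics["missing_referrer_rate"] > max_missing_referrer:
        reasons.append("referrer stripped")
    if metrics["hour_spread"] < min_hour_spread:
        reasons.append("bursty traffic")
    return reasons


def sample_clicks():
    """Constructed sample traffic, not real logs: a natural affiliate with clicks in
    every hour and referrers set, and a synthetic one dumping 48 referrer-less
    clicks into two early-morning hours right after a mailing went out."""
    natural = [
        (f"2012-09-05T{h:02d}:{m:02d}:00", "http://reviews.example/widget")
        for h in range(24) for m in (5, 35)
    ]
    synthetic = [(f"2012-09-05T03:{m:02d}:00", "") for m in range(40)]
    synthetic += [(f"2012-09-05T04:{m:02d}:00", "") for m in range(8)]
    return natural, synthetic


if __name__ == "__main__":
    natural, synthetic = sample_clicks()
    for name, clicks in (("natural", natural), ("synthetic", synthetic)):
        m = traffic_metrics(clicks)
        print(name, {k: round(v, 3) for k, v in m.items()}, flag_affiliate(m) or "ok")
    cancelled = {"email": {normalize_email("j.doe+aff@example.com")}}
    print(denylist_hits({"email": "J.Doe@Example.com"}, cancelled))
```

Both signals are cheap to compute from the server logs the post already tells you to read, and the hour-of-day spread is just a numeric version of the graph it suggests plotting.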

Grum and the Five Hundred Pound Gorilla


Wednesday, August 08, 2012 by Andrew Conway

A couple of weeks ago the Grum botnet was taken down. There were some extravagant claims made about the impact this would have, but in practice there was nothing that would be noticed by end users. Although Grum had about a hundred thousand zombies sending spam, all of those zombies quickly found themselves on IP address blacklists like Cloudmark Sender Intelligence, or blocked by local policy thresholds for sending emails too frequently. This would block them at connection time, so in many cases their pernicious outpourings did not even make it through to a spam folder.

IP filtering is fast and cheap, and as such it makes a good first line of defense against spam.  But if it is the only defense you have then you will soon be inundated by snowshoe spam, and spam from free webmail services whose IPs you cannot block without risking false positives (legitimate messages which are incorrectly identified as spam).

IP addresses are just one of the many identifying characteristics that Cloudmark targets in detecting and filtering spam. What’s more, IP filtering is going to get a lot harder in the next few years, as the five hundred pound gorilla that is IPv6 knuckle-walks onto the Internet landscape.

“The IPv6 address space is big. You just won’t believe how vastly, hugely, mind-bogglingly big it is. I mean, you may think it’s a long way down the road to the chemist’s, but that’s just peanuts to IPv6.”[1]

There are 4,294,967,296 IPv4 addresses (though some are reserved for special purposes), and 340,282,366,920,938,463,463,374,607,431,768,211,456 IPv6 addresses (ditto). In the usual deployment an IPv6 address is split into two parts, 64 bits for the network and 64 bits for the individual computers, but since an individual computer can use as many different ephemeral addresses as it wants within the network, that still leaves potentially 18,446,744,073,709,551,616 addresses for each machine. If spam stays at its current daily volumes that’s enough addresses available to a single machine to give each piece of spam its own address… for the next half a million years. Multiply that by the number of different networks that Grum zombies were on at the height of the infection and you will see that the per-address IP filtering that was so effective against Grum will simply not be feasible in an IPv6 world.

My colleagues at Cloudmark have already written about the challenges of IPv6 and published a white paper of recommendations but the bottom line is that traditional IP address filtering will no longer be effective in the IPv6 world, and the broader based filtering and validation techniques used by Cloudmark will become even more important against spammers and rogue ISPs.
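As an added example (not from this post or from Cloudmark’s products), the following shows the consequence for a filter in code: with 2^64 interface identifiers inside a single /64, a per-address blocklist never catches a zombie that rotates addresses, so reputation has to be keyed on the prefix instead. The sender addresses are constructed inside 2001:db8::/32, the IPv6 documentation prefix; the /64 aggregation granularity and the 10-hit threshold are assumptions, as is the daily spam volume of 10^11 messages used to reproduce the post’s half-a-million-year figure.

```python
import ipaddress
from collections import Counter

INTERFACE_IDS_PER_64 = 2 ** 64  # addresses a single host can draw on inside one /64


def years_of_unique_addresses(daily_spam_volume):
    """How long one host could give every message its own address at the given
    daily volume. The post's 'half a million years' assumes roughly 1e11 a day."""
    return INTERFACE_IDS_PER_64 / daily_spam_volume / 365.25


def aggregate(sender, prefix_len=64):
    """Map a sender address to the prefix that reputation is keyed on.
    IPv6 collapses to its /64 (assumed granularity); IPv4 stays per host."""
    ip = ipaddress.ip_address(sender)
    if ip.version == 6:
        return ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
    return ipaddress.ip_network(f"{ip}/32")


def prefix_reputation(senders, prefix_len=64):
    """Count observed spam hits per aggregated prefix."""
    return Counter(aggregate(s, prefix_len) for s in senders)


def build_blocklist(senders, threshold, prefix_len=64):
    """Prefixes whose hit count reaches the (assumed) threshold."""
    return {net for net, hits in prefix_reputation(senders, prefix_len).items() if hits >= threshold}


def is_blocked(candidate, blocklist):
    ip = ipaddress.ip_address(candidate)
    return any(ip in net for net in blocklist)


def sample_senders():
    """Constructed sample, not real hosts: 2001:db8::/32 is the IPv6 documentation
    prefix. One zombie rotates through 50 interface IDs inside a single /64; two
    unrelated IPv6 hosts and one IPv4 host (192.0.2.7, TEST-NET-1) each send once."""
    zombie = [f"2001:db8:1:2::{i:x}" for i in range(1, 51)]
    others = ["2001:db8:ffff:1::10", "2001:db8:ffff:2::10", "192.0.2.7"]
    return zombie + others


def blocklist_as_strings(blocklist):
    return sorted(str(net) for net in blocklist)


if __name__ == "__main__":
    senders = sample_senders()
    blocked = build_blocklist(senders, threshold=10)
    print("blocked prefixes:", blocklist_as_strings(blocked))
    unseen = "2001:db8:1:2:dead:beef:cafe:1"   # same /64, never observed before
    print("per-address list catches unseen address:", unseen in senders)
    print("prefix list catches unseen address:", is_blocked(unseen, blocked))
    print(f"years to exhaust one /64 at 1e11/day: {years_of_unique_addresses(1e11):,.0f}")
```

The granularity is the trade-off: a /64 is the natural unit for a single LAN, but a spammer who controls a whole /48 allocation can rotate /64s too, so the same aggregation is often applied at the allocation boundary, at the cost of more collateral blocking of innocent neighbours.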

[1] From The Hitchhiker’s Guide to IPv6

Olympic gift cards with a shot of Starbucks


Monday, August 06, 2012 by Chris Barton

The Cloudmark security operations team have been expecting to see the gift card SMS spammers change to an Olympic theme for some time. This weekend it happened when the following campaign was detected.

Go USA! Starbucks is giving away free gift cards as part of our London 2012 Olympics Campaign! Grab one today at our website at www.[redacted].com

It’s been a long wait; unfortunately for the spammer, the Cloudmark security platforms have had protection for this particular campaign for some time.

Take a look at the terms and conditions … Is changing your broadband provider and taking out a personal loan really worth the $100 coffee reward?

Impossible to qualify? Expensive at least!

Anyone who signs up for these offers also opts in to 10 types of additional advertising.

Black Hat: Exploit Farming


Thursday, August 02, 2012 by Andrew Conway

My alma mater, Cambridge University, has made significant contributions to military intelligence over the years. Cambridge graduate Alan Turing helped to break the Enigma code, and during and after WWII a group of Cambridge graduates acting as sleeper agents performed one of the most successful infiltrations of an intelligence agency ever. Unfortunately they infiltrated British Intelligence on behalf of the KGB… Which just goes to show that the people you think are the brightest and most trustworthy may in fact be trapped into working for the dark side because of one bad decision made in their college years.

A panel of security experts at Black Hat discussed, among other things, the idea of “exploit farming.” The military and commercial value of being the only party to know about an exploit is potentially immense, enough that it would be worth planting bright young engineers as sleeper agents in major operating system and networking companies. Then in a few years when they are in a position to do so, get them to introduce a few lines of code to deliberately introduce a vulnerability. “Hey, kid, I’ll pay off your student loan debt, and all you have to do is go to work for Microsoft and in a few years add a couple of lines of code for me.”

This raises the possibility of state sponsored exploit farming. An unscrupulous foreign power could take their best Computer Science graduates and send them to the US with a scholarship to get an advanced degree, and instructions to stay on and find a job with Cisco, Microsoft, RSA, Google, Apple, Adobe or any other major infrastructure company. As they work their way up to greater responsibilities, greater demands would be made of them. First, copies of critical source code, then perhaps introducing spyware into the corporate network, and finally corrupting the code itself by introducing vulnerabilities for the foreign power to exploit.

Of course, the country best positioned to play that game is the country where all the major operating systems are developed. There’s no need to plant agents, you can go straight to the top. I don’t think it’s likely that the US Government would pressure Microsoft to deliberately introduce vulnerabilities into Windows to be used against foreign competitors, but I do think that they might ask for advance notification the moment MS is aware of a bug, before the fix is pushed out. What happens to that information within the hands of Uncle Sam is anybody’s guess, but if I’m smart enough to think of using it for espionage, I’m pretty sure that someone in the government is as well.

It’s worth noting that the governments of China, Russia, North Korea and Cuba are concerned enough about this possibility (or maybe just about paying license fees to Redmond) that they are all developing their own national operating systems based on… wait for it… Linux! That’s an operating system put together by an international group of hackers with the kernel in the hands of a man with a cavalier attitude towards security. A few years back Linus Torvalds said, “I refuse to bother with the whole security circus.” Linus, do you realize that by not prioritizing security vulnerabilities in Linux you are putting the national information security policies of China, Russia, North Korea and Cuba at risk?

A couple of years after Mr Torvalds made this statement he was granted US Citizenship. Wait a minute… you don’t think? No, it couldn’t be.

Castles in the Cloud: Securing your Data


Wednesday, August 01, 2012 by Andrew Conway

When I go to a convention like Black Hat and tell people I work for Cloudmark, the usual response is, “So you do cloud computing?” Well, sort of. The company was founded back in 2001 when cloud computing was less well defined – it originally meant any set of resources you could draw a cloud shaped bubble around on a white board. Now it seems to mean any computing tasks that used to happen on a local workstation, but now you don’t know where they are happening, so it might as well be up in the clouds. By that definition, spam filtering was one of the first services to move into the cloud, freeing email administrators from setting up their own filters and users from deleting spam by hand. This makes spam filtering one of cloud computing’s greatest success stories. (Thanks, Bruce, I’m going to keep using that line.)

Back in the day I used to run DNS, SMTP, POP, FTP and Web servers for one of my personal domains on a top of the line 386 computer attached to a DSL line in my basement. The server regularly got hacked one way or another, and I eventually gave up and moved the domain to a hosting service. I used to host heavily compressed postage stamp sized quick time movies (optimized for 2400 baud dial up) on the web site. Now I just embed YouTube videos. My domain has moved into the cloud, I outsourced the design to a WordPress template and I can focus on content without having to worry about my mail server being taken over by spammers.

This is fine for a hobby web site, but there was a trade off. When you move your data or services to the cloud, you are giving up control over security and backup. If the cloud service provider screws up and your data is hacked or lost, you have no recourse. (Seriously, read the fine print in the terms of service for your cloud provider. You have no recourse.) Now I certainly trust Hostgator or YouTube to do a better job of looking after my data than that long departed 386 in my basement did, but none of my data is mission critical. Before you move your unpublished novel, intimate photographs, or stock portfolio password into the cloud, maybe you should ask a few questions about the security of your cloud service provider.

Good luck with that. The answer you get may well boil down to, “Our security is so good that we don’t talk about our security.” OK, so then maybe if you are a real security guru you run some tests against the cloud provider to see if they are vulnerable to any of the common exploits. Fail! You have just violated those terms of service and your data will have to find somewhere else to live.

So if a cloud service provider won’t tell you about their security and you can’t test it yourself, what can you do? For those providers who allow outgoing mail from their cloud resources, you can see how much they are abused by spammers. It’s possible that they might have great backups and intrusion control and lousy spam filtering or vice versa, but in my experience companies that are good at security are good at all aspects of security.

I checked one of the leading cloud computing service providers to see how they were doing at preventing their clients from using their services to originate spam. The answer is that they are not in our top hundred spam sources by ISP, but often in the top two hundred. There is some spam being output, but as a percentage of total email it is comparable with large ISPs. For spam prevention, I would give them a B. It’s up to you to decide if that is good enough for your data. You’re certainly less likely to lose your data in the cloud than if you leave it on a hard disk without a back up.

A different cloud service provider has found another way to contribute to the spam problem. As Dropbox explained in a blog post yesterday, an employee had their login password stolen, and this resulted in a spammer obtaining a list of Dropbox users’ email addresses. However, this is not Dropbox’s worst security snafu. Last year they accidentally turned off password authentication for a period of four hours, allowing anyone to log in to any account with a random password.

Aside from the risk that a cloud provider may accidentally publish your private data, there is also the risk that you may make a mistake and accidentally publish it yourself. Click the wrong box on that app that uploads all the photos from your phone to the cloud, and you may find them turning up in Google Image Search. Hire a careless developer to work on your application and he or she may include the keys to your cloud account in source code in a publicly searchable repository. One wrong click when you share your bank account password with your spouse, and it is visible to the entire world.

If this happens, you can’t trust in security by obscurity. One of the presentations at Def Con featured a set of free tools for finding sensitive data that had accidentally been published in the cloud. Francis Brown and Rob Ragan of Stach & Liu demonstrated tools to scan for Amazon EC2 keys from public code repositories, and passwords and SSNs from Dropbox and Google Drive. Since the tools are based on Google and Bing searches they are extremely fast, as the search engines have already done all the web crawling.

The bottom line is that cloud computing makes life a lot easier, but if you are going to put sensitive data out there it is a good idea to encrypt it first, and when you hand out EC2 keys or passwords to anyone, make sure they are as limited in scope as possible.
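Since the bottom line above is to keep keys out of public code, here is an added example (not from the post, and not the Stach & Liu tools) of the check a developer can run before pushing: scan source text for the AWS access key ID format and for 40-character base64 runs, then discard low-entropy placeholders and runs with no credential-related word on the same line. The sample source is constructed; the credential values in it are the ones AWS publishes in its own documentation as examples, and the regexes, entropy threshold and keyword list are assumptions.

```python
import math
import re

# AWS access key IDs are 20 characters: a 4-letter prefix (AKIA for long-term
# keys, ASIA for temporary ones) followed by 16 upper-case alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")

# Secret access keys are 40 characters from the base64 alphabet. On its own this
# shape also matches SHA-1 hashes and similar, so candidates are filtered below.
SECRET_RE = re.compile(r"(?<![A-Za-z0-9/+=])([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")

# Assumed keyword list: a 40-character run only counts if the line also looks
# like it is assigning a credential.
CONTEXT_RE = re.compile(r"aws|secret|access|key|token|credential", re.IGNORECASE)


def shannon_entropy(s):
    """Bits per character; real keys sit well above placeholders like 'aaaa...'."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text, min_entropy=3.5):
    """Return (line_number, kind, value) for each likely AWS credential in text.
    min_entropy is an assumed threshold; tune it against your own false positives."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((line_no, "aws_access_key_id", m.group(1)))
        for m in SECRET_RE.finditer(line):
            candidate = m.group(1)
            if shannon_entropy(candidate) < min_entropy:
                continue  # repeated characters: a placeholder, not a key
            if not CONTEXT_RE.search(line):
                continue  # a hash or blob with no credential wording nearby
            findings.append((line_no, "aws_secret_access_key", candidate))
    return findings


# Constructed sample file. The credential values are the ones AWS publishes in
# its own documentation as examples; the last two lines are decoys a naive
# regex would flag: a repeated-character placeholder and a SHA-1 hash.
SAMPLE_SOURCE = """\
import boto
# settings checked into a public repository by mistake
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
PLACEHOLDER_SECRET = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
GIT_SHA = "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12"
"""


if __name__ == "__main__":
    for line_no, kind, value in scan_text(SAMPLE_SOURCE):
        print(f"line {line_no}: {kind} = {value}")
```

Run as a pre-commit hook this catches the careless-developer case in the paragraph above before the repository ever becomes searchable; it does nothing about keys that are already public, which is where the post’s advice to scope keys narrowly, and to rotate them, comes in.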

Black Hat: Success Stories and the Role of Government


Tuesday, July 31, 2012 by Andrew Conway

“Spam is one of our greatest success stories.” That’s a quote from security guru Bruce Schneier, surveying the current state of cyber security in a panel at the Black Hat computer security convention. Thanks, Bruce, we spam fighters appreciate the kind words.

The Black Hat briefings started with a keynote address from Shawn Henry, a former Executive Assistant Director of the FBI, now working for a private security company. Security experts will always tell you of the huge threat posed by whatever they are selling the solution to. For Cloudmark the pitch is easy, you just have to look in your spam folder to see our great success story. (Yes, I like saying that.) Mr Henry on the other hand could only tell us that cyber espionage is having a huge impact, but most of what he knew was classified. I guess we’ll have to wait a generation or so till that stuff is declassified to get the straight dope.

His best proposal for what you can do when you discover that a foreign government or company has penetrated your network and are listening in to your meetings and downloading your long range plans was that you feed them false and misleading information. Based on the accuracy of most corporate long range plans I’ve seen, we are already doing that.

The members of the discussion panel of Black Hat veterans that followed his presentation felt that government should take a bigger role in protecting American interests against foreign industrial espionage. Personally I think that automatic trade sanctions against any government or company found hacking American corporate systems would not go amiss, but Congress seems to have different priorities for computer security.

Later in the week, Def Con hosted a panel of representatives from various US intelligence agencies: NRO, CIA, NSA, DIA, US Military… One of them was brave enough to point out that the large number of different agencies, represented on the panel, was an indication that the US did not have a sufficiently well-coordinated strategy of cyber warfare. However, the panel moderator, who simply identified himself as “Priest”, made it clear that the US does have an aggressive policy of cyber offense, but we would only hear about it if things went wrong.

Let’s hope that in thirty years or so when all this is declassified and the histories of US cyber intelligence in the early twenty first century are written, it turns out to have been as big a success story as, say, spam filtering.

Black Hat and Def Con: Direct From Las Vegas


Monday, July 30, 2012 by Andrew Conway

I’ve just got back from the largest annual gatherings of computer security experts and hackers in the world. Running one after the other in Las Vegas are the Black Hat and Def Con conventions. Black Hat is a corporate event, with a vendor room featuring all the big names in computer security. Def Con is far more for hackers. In the vendor hall there you can pick up surplus hardware, a set of lock picks for fifty bucks, or about fifty different designs of black T-shirts. Personally I’ve reached the time in my life when I have enough black T-shirts, but I was tempted by the lock picks.

Actually, the coolest thing in the Def Con vendor room was the Enigma machine that the NSA brought along to let people play with.

The successful British attempts in World War II to break the Enigma code led to Alan Turing and others constructing some of the first electronic computing machines. Most of the remaining Enigmas are in glass cases in museums, so it was a great thrill to have one sitting out on the counter and to be able to press the keys and see the rotors turn and the letters light up. The NSA were there to recruit, and while I was prodding the Enigma (and wondering what would happen if I took a screwdriver out and started taking it to bits) a young man came over and said that he was really interested in joining the NSA but he didn’t think he would pass a security check because of some computer hacking history. “You never know,” said the guy behind the desk with a grin. “Send us an application, you never know.” I don’t think the NSA would be recruiting across the aisle from the lock picking booth unless they were flexible about background.

I’ll post more about the conventions and my thoughts on them in future posts, but I’d like to finish this post with a word to those (thankfully few) vendors at Black Hat who saw fit to employ booth babes… Really? If your product is good enough it does not need scantily clad women to promote it, especially in Las Vegas, where scantily clad women lurk by every craps table.

The Dropbox Spammer


Wednesday, July 18, 2012 by Chris Barton

It would appear that some Dropbox users’ accounts were suddenly spammed yesterday. Users with tagged email addresses unique to their account on the service have been reporting the issue on the Dropbox forum all day. Dropbox have been understandably tight-lipped on the topic, but there is some speculation amongst their community that the spammer has used this MO before or that it’s linked to their mobile apps. Twitter is also rife with complaints. The guys at Dropbox have made the following statement:

“We‘re aware that some Dropbox users have been receiving spam to email addresses associated with their Dropbox accounts. Our top priority is investigating this issue thoroughly and updating you as soon as we can. We know it’s frustrating not to get an update with more details sooner, but please bear with us as our investigation continues.”

We won’t speculate how some email addresses have fallen into the spammers hands, as that’s of no help to those working hard investigating the data leakage.  We can however share some insight into the campaign itself and what we did about it.

When we dug into our archives to investigate and examine copies of the messages, the term we’d use would be “unsophisticated”.  The offending messages were hitting a handful of spammy fingerprints at once. If this were an exam, the spammer would receive an “ungraded” mark for lack of message complexity or originality.

Recent data from our Global Threat Network showed 364 different domains in use by this spammer.  Some of the domains point to an IP address shared with domains that have been seen by our system in prior spam campaigns as far back as 2008. So this is a long way from a new campaign.  Our relentless automated detection systems consumed the campaign, as they would any other campaign, and started marking the messages as spam, with no manual intervention required by any of our staff.

The spam sample itself was for an online casino. Many of the messages were in German. Here is a quick Google Translate rendering:

[Image: machine translation of the German casino spam]

There were English and Dutch versions reported too, but I’m sure you get the idea.  Here are some of the domains they used recently:

I have a Dropbox account, and have had for a number of years now (since the beginning, IIRC), and my mailserver has not received one of these spam messages; my colleague Vincent also commented likewise. When the root cause of the issue is revealed it’ll certainly be an interesting read.

