Recent mobile data analyzed by Cloudmark reveals mobile cyber criminals are increasing the sophistication of their attacks leveraging multiple techniques to evade detection and target unsuspecting mobile users. Some of these techniques include a combination of large banks of phone numbers, rapidly changing content, and a number of website domains to send fraudulent messages and avoid detection.

Below are some sample messages that are all part of a recent large spam campaign from a single spammer. Cloudmark research shows that the spam below was responsible for over 40% of all spam mobile complaints received from North American mobile subscribers in the month of October.

Data analyzed indicates that the spammer is using thousands of content variations – multiple phrases; multiple word misspellings; changing URLS, etc. These techniques are clearly designed to evade simple spam keyword or hash-based content filtering. In addition, the spammer is using hundreds of mobile phone numbers to send the spam. This allows the spammer to evade simple volume detection by limiting the number of spam messages sent by each mobile number each day. When a series of mobile number have been identified as a spam sources and are shut down by a network operator, the spammer immediately starts using a new series of mobile phone numbers.

The graphic below is a partial list of target “call-to-action” URLs that the spammer is trying to get the unsuspecting subscriber to visit. Cloudmark has detected over 100 spam URLs related to this spam campaign, all of which trace back to a single webserver operated by a single spammer.

The spam attack described above is an example of “affiliate referral spam”, a business model that is very common in email and just now becoming prominent in SMS. The spammers get paid based on referrals for loans, via web redirects that send traffic immediately to an affiliate program or by accepting applications that are forwarded to affiliate programs. Since the spammer may only get paid a few cents for each referral, the spammer must send millions of spam messages to make a profit.

Affiliate spammers also make money by collecting information and reselling subscriber phone numbers, email addresses, and other information to other mass marketing organizations. By visiting the spammer’s website, entering information, and clicking Submit, the unsuspecting mobile subscriber is agreeing to be spammed not only from this same spammer, but also agrees to allow their information to be resold to others. The graphic below is an example loan applications designed to collect information that is then resold as part of a referral program:

When a subscriber clicks on “Submit”, they are agreeing to the terms of the privacy policy published on the website. The privacy policy typically gives the spammer permission to spam via any means, regardless of listing any national do-not-call lists. The policy also typically permits them to resell your information to other marketing affiliates.

Some example terms from common spammer privacy policy include: “By submitting your information at the Website, you agree to receive mobile marketing including, but not limited to, text-message based marketing from us and our third party advertisers and marketers.” “Even though your telephone number may be listed at the Federal Trade Commission’s Do-Not-Call List, we retain the right to contact you via telemarketing.”

It is imperative for mobile subscribers to take the appropriate steps if they receive unsolicited SMS messages to ensure to minimize their exposure to fraud. Some basic tips:

1. If it sounds to be good to be true, it likely is.
2. Users should never click on embedded links in an SMS text, especially from an organization one has never done business with before. If a mobile user believes that a message is legitimate, Cloudmark recommends that they access the information directly from a browser rather than by clicking on any embedded links.
3. And of course, always use the same precaution on your mobile devices that you would exercise on your PC.

Additionally, many US operators now have measures in place that enable users to report suspected fraudulent or spam messages by forwarding spam text messages to 7726 or “SPAM” via their mobile device. Users should check with their operators to learn if the 7726 reporting service is available.

If you have a smart phone with a QR reader, then you can scan the QR code below and it will prepare a text message with the text “HELP” to send to the short code 7726 (S-P-A-M).

If your mobile operator supports reporting text spam to 7726, then you should get back a text that confirms that 7726 is for spam reporting.

If you don’t have a smart phone, or a QR reader, you can still test it out.  Just type the word HELP as text message and send it to 7726.

If you don’t get a message back, it may be that your mobile provider uses a different short code or they may not have implemented spam reporting yet.  In which case, you should refer to their website to find out the recommended way to report spam.

Always remember that spam is unsolicited, unwanted messages from someone you don’t know.  If you signed up for the text messages, then you should be able to unsubscribe by replying “STOP” to any message they send you.

Cloudmark’s drive to equip users with the power to report messages they didn’t sign up for (using the 7726 (S-P-A-M) GSMA service) and protect mobile users from spammy text messages,  means that we spend a lot of time thinking about the negative content that gets sent by spammers.

So it’s nice to be reminded that text messages have a lot of power to be used for good.

I love this story from tatango’s SMS marketing blog.  The Boy Scout National Jamboree allowed parents and scouts to sign up for text message updates.  They then used text messaging to keep in touch and send updates.  They sent the scouts messages like: “As u head back, stay with the group or at least a buddy. Remember to go left at the asphalt road and head back.”

They were also able to let parents know that a tornado that touched down in DC, hadn’t impacted the Jamboree and that everyone was ok, minutes after the tornado passed through.

It’s a really nice example of the positive power of  text messaging.  You can check out the full story here: http://www.tatango.com/blog/tatango-customer-spotlight-boy-scout-troop-831/

A recent article from New Zealand indicates that Vodafone New Zealand also encourages their users to report SMS spam to 7726 (S-P-A-M). (See: http://www.theaucklander.co.nz/news/txt-for-trouble/1080298/)

“Vodafone says if a customer does receive spam they should forward the message to 7726…”

Vodafone also lets you know how to report your complaint to the  New Zealand government’s Department of Internal Affairs, so that they can take action.  It appears that New Zealand takes spam seriously.

Hopefully more and more mobile operators around the world will support reporting spam to a well known short code, so that messaging streams can be protected.  People should be able to get the messages they want and they shouldn’t have to deal with or be charged for, the messages they don’t want.

Cloudmark provides spam and abuse filtering for email, text messaging and social networking traffic.  So in addition to encouraging email senders to follow good email sending guidelines, we also want text message senders to follow good text message sending guidelines.

Over on tatango, which is an SMS Marketing Blog, they have a good write up today on making sure that your text messaging marketing is compliant with the Mobile Marketing Association’s (MMA) Consumer Best Practices. (See: Lessons Learned From Trump Mobile Alerts)

Just like in email, senders need to tell people up front and make it very clear, what they’re going to be sending people and how often they’re going to be sending it.   And senders need to check that the phone number a person signed up with is actually their phone number and not someone else’s phone number.  Just like senders should confirm that the email the person signed up with is their email address and not someone else’s.

Unlike email, some people get charged per message for each text message they receive.  Plus their phone is going to beep or buzz when the message arrives.  So senders better make sure the person wants that SMS.

Spam buttons have been available in email clients for a long time and when people get annoyed by email messages they don’t want, they often mark the email as spam.  Although many people aren’t aware of it, some mobile providers also have a system for reporting unwanted SMS text messages.  The process differs by operators but can be as easy as people forwarding unwanted SMS text messages to “7726” (S-P-A-M).

Of course, if a person legitimately signed up for an SMS message, and they trust the sender, they should be able to unsubscribe by replying STOP to the sender.  If the sender is playing by the rules, no further SMS messages should come from that sender.

Cloudmark is involved in an initiative with the GSMA to collaborate with operators globally on the war against SMS spam. See: http://www.gsmworld.com/our-work/mobile_lifestyle/spam/spam_reporting.htm for more details.

In summary, text messages senders should check to make sure they’re following all the rules and only sending to people who know what they’ve signed up for.  Because 7726 and similar services, are going to let the Mobile providers see which senders are not playing by the rules.

SMS continues to grow at a phenomenal rate and firmly remains the most popular mobile messaging channel.  Cloudmark has released the 2011 Mobile Spam Guide, a definitive toolkit designed to help the wider ecosystem address the growing problem of mobile spam.  Get it here  http://www.cloudmark.com/en/spamguide/.

Spammy text (SMS) messages.

Some of you might get a few of them each day, others perhaps the odd one or two a week. Maybe you’re lucky enough not to receive any. It does sound familiar though, right?

It should do as this is where we were with email around 15-20 years ago.

This week’s MoneySavingExpert newsletter (a popular consumer watchdog site in the UK with many millions of subscribers) had a great guide to stopping unwanted text messages, outlining the different types of unwanted texts that users might receive and what they can do to stop them. The guide does well to explain when you should and shouldn’t text STOP to the sender since in some cases this can have undesired effects. The key message, though, should be that if you are in any doubt as to whether a message is spam or not, do not reply to it.

This guide, along with last month’s research from uSwitch, is yet more evidence that the threat of SMS spam is now real. The GSMA have made it one of their top priorities this year and at Cloudmark we are supporting the GSMA by making detailed analysis tools available to mobile operators to help them quickly, and in some detail, understand the sorts of threats that their customers are receiving. The GSMA Spam Reporting Service provides a clearinghouse of messaging spam reports submitted by mobile consumers from participating mobile networks around the world.

Whilst the MoneySavingExpert guide is aimed at UK users, readers in other countries should check with their own mobile providers to see if they already have a spam reporting service in place. A number of them will also use the 7726 short code (which spells out SPAM on a telephone keypad). Such a reporting service should mimic the ‘Report Spam’ button you might already be familiar with within your email client/service. In the future, we would hope to see a ‘Report Spam’ button built in to all messaging clients on mobile phones.

What’s in it for you as a mobile consumer? Well you shouldn’t have to see the same spammy SMS messages over and over so by reporting them you will be helping to reduce the number of messages you receive, as well as others.

uSwitch calls for government pressure to stop spam

According to new research from uSwitch SMS spam is rising at an alarming rate in the UK with mobile subscribers receiving, on average, 4 million spam messages per day. The research showed that messages are often fraudulent in nature (mostly premium rate call scams) and others are attempts to obtain the personal financial information that can be held in smartphones.

Commenting on the report, uSwitch technology expert, Ernest Doku, called on the UK government to put pressure on the mobile networks to protect subscribers from these attacks. This is not good news for the operators. If the UK government follows France, Poland, India and China mobile networks will find themselves having to implement costly spam control policies that will inevitably result in lost revenues.

The time has come for UK operators to address the mobile spam problem themselves before it gets out of control. As Duko concludes “If spam texts follows the same pattern as email spam, this problem is set to plague us all for some time to come.”

As reported yesterday by Xixhuanet, China’s Supreme People’s Court and the Supreme People’s Procuratorate have announced new measures to tighten up on SMS spam. Anyone found illegally sending more than 5,000 fraudulent text messages will be prosecuted for fraud and suffer much harsher penalties.

In March four men were jailed by Beijiing Xicheng District People’s Court for sending more than 10 million illegal text messages without a licence. Whilst these measures will no doubt have an impact on spammers this is just the tip of the iceberg – China’s 878 million mobile subscribers each receive on average 11.4 messages per week – That’s more than 10 billion spam messages each week.

The problem of SMS spam has now become just another of life’s irritations in China as the authorities and mobile network operators struggle to fight the rising tide of spam. Despite controls the attackers have found ways around the basic protection in place in China and will continue to make substantial profits from their activities.

The Express Tribune reported on Monday that Pakistan mobile subscribers received a deluge of SMS spam on the eve of the Pakistan – India semi-final of the Cricket World Cup. The spam ranged from tickets to match-viewing events to special deals just for the day.

What is perhaps most alarming is that these seemingly legitimate mobile marketers are using illegally sourced lists of mobile numbers to target subscribers by region or socio-economic group. To prevent detection by the mobile networks the messages are sent from a second-hand computers via attached GPRS modems fitted with pre-paid unregistered SIM cards that are kept on rotation – To go to this level of effort suggests that the spammers are making significant amounts of money out of their activities.

The article suggests that the problem of SMS spam in Pakistan is getting worse and is left largely unchecked and unregulated. If nothing is done it won’t be long before the local operators start seeing a decline in mobile advertising revenue as subscribers start questioning the legitimacy of the SMS advertising messages they receive – A salutary lesson for mobile networks operators in countries where SMS spam is just beginning to rear its ugly head.