
Cloudmark Blog

Intelligence Briefings from the War on Spam

Archive for the ‘Phishing’ Category

Summer Spam Cruises onto U.S. Phones during May


Wednesday, June 12, 2013 by Cloudmark

Summer has come, and SMS spam is here to stay. Recent FTC allegations against gift card scammers and the change of seasons have produced major shifts within the estimated 480 million SMS spam messages sent to U.S. residents each month. During May, two of the top five reported types of SMS spam in the United States were forms of fraudulent scams. Most notably, the bulk of Win Free Stuff Scams have switched from gift card and iPhone 6 hooks to a more seasonal lure: cruises. SMS phishing attempts, which began climbing just before the U.S. tax season, have continued their steady increase and took the top spot in May.

Source: Cloudmark / GSMA

Source: Cloudmark / GSMA

Win Free Stuff Scams

As the swimsuits are coming out for summer, so are the vacation scams. Last month 72% of all Win Free Stuff Scams lured American recipients with the false promise of a free cruise. Mass texts are sent out declaring that “YOU!” have won a free cruise to an exotic Caribbean location. The only catch? First, they ask you to fill out a long set of forms or surveys to qualify. Often nestled in these forms are terms and conditions that make actually winning nearly impossible. Should you magically qualify, scammers will extract endless fees until the victim has paid more than face value for their prize. Nothing in life is free after all, not even free cruises.

Bank, Card, and Account Phishing

This past month Bank/Account Phishing was both the most prevalent category and arguably the most dangerous. Messages of this type are sent out masquerading as a bank claiming that the recipient’s account has been locked for fraudulent charges or suspicious behavior. This fear mongering compels the victim to use a provided phone number or link to resolve the issue. Unfortunately, criminals use this bit of social engineering to trick victims into divulging bank accounts, credit cards, debit cards, and other personal information for the sake of “unlocking” the account. With this information in hand, the perpetrators can now commit a myriad of crimes that can have very serious financial repercussions.

Spammers, regrettably, may have seen some traction with phishing attempts in recent months. Since the beginning of 2013, SMS phishing attempts have risen from 2% to 32% of monthly volumes. The following chart illustrates the monthly volumes of Bank/Account Phishing:

Source: Cloudmark / GSMA

Adult Content Spam

Contributing approximately 24% of May’s volume, adult-themed spam came in at number two. These texts entice recipients to follow a supplied link promising adult content or suggestive dating chat. Senders use obfuscated, shortened referral links to earn revenue from affiliate marketing campaigns. However, users often find that the promised content was egregiously misrepresented. This form of affiliate fraud has led certain sites to aggressively ban known spammers, but the problem is ongoing. The graph below shows that just last month adult-themed SMS spam spiked above 40% of daily volume on several occasions, reaching as high as 60%.

Source: Cloudmark / GSMA

Junk Car Spam

“WE BUY JUNK CARS” and “COMPRO CARROS” spam continued to flood the phones of many Florida residents last month. Surprisingly, more than 9% of the entire country’s reported spam came from this single state in May. This ongoing SMS epidemic has plagued the Sunshine State for more than a year and a half. It has pushed one Florida resident, Scott Owens, to file a federal class action lawsuit against the suspected senders, seeking a staggering one billion dollars in damages on behalf of unwilling recipients of the spam. As we’ve seen, however, the spam continues to inundate Floridians unabated.

Payday Loans

Trailing behind junk car spam, payday loans also made a small ripple in SMS spam during May. Payday Loan Spam is often made up of unsolicited texts from lead publishers working for legitimate businesses that offer short-term cash loans. Ping trees, a sort of sharing network for these leads, can pose a security risk, though. After responding, a user and their information can be passed on to other members of the ping tree. Sometimes you get passed to a legitimate lender. Sometimes the recipient of your data is out to steal your information. Worse yet, some entities have been caught demanding fees in advance for loans that may or may not be real.

2013’s First Quarter at a Glance


Wednesday, April 17, 2013 by Cloudmark

With the close of 2013’s first quarter, we’ve released our Q1 2013 Global eMessaging Threat Report detailing a myriad of SMS and IP spam statistics, trends and observations from the past three months. Paramount among them is a set of allegations leveled by the Federal Trade Commission (FTC). These filings contended that the defendants were responsible for collectively sending more than 180 million gift card themed scam SMS messages.

Subscriber reports to the GSMA Spam Reporting Service, 7726, shed clear light on the potency of this regulatory move: daily volumes for these scams plummeted. Below is a daily tracker illustrating the impact of the FTC action on the daily volume of SMS gift card scams. Earlier in the quarter, gift card scam volumes were peaking above 50% of all reports on a given day. Soon after the FTC announcement, the same scams fell below 10% of each day’s volume. A similar trend was seen more macroscopically. In 2012, these scams constituted 44% of all SMS spam reported during the year. This fell dramatically in 2013, with gift card scams making up only 6% of March’s volume.

We saw growth in other attack categories over this quarter. The figure below shows that Job Listing Scams’ monthly volume share rose by 400% over the quarter. Similarly, Adult Content Spam doubled its share from 8% to 16%.

Meanwhile, the SpamSoldier Android botnet and other older botnets were linked to several Panamanian services. These services provided registration mechanisms for rogue online pharmacies, domains for the SpamSoldier botnet, and anonymous hosting for botnet Command and Control servers. More details about these Panamanian services along with further analysis of SMS and email spam trends in Q1 2013, can be found in our quarterly report.

Ringing the Bell for Cyber Security Awareness


Tuesday, October 16, 2012 by Mary Landesman

October is National Cyber Security Awareness Month. In recognition of that, the National Cyber Security Alliance teamed up with the Department of Homeland Security and the security industry to sponsor the opening bell ceremony at NASDAQ. Held at 4 Times Square on Monday, October 15, the principal bell ringer was Jane Holl Lute, Deputy Secretary for the Department of Homeland Security. Also participating were Congresswoman Yvette Clarke and Congressman Jerrold Nadler, both of NYC, as well as representatives from dozens of security companies (including Cloudmark).

The event was preceded by a breakfast at NASDAQ which provided a great opportunity to chat about specific threats we’ve been observing at Cloudmark. At the top of that list were the barrage of SMS phishing attacks that continue to plague mobile users. As we’ll discuss in a later blog post, it’s not just the increase in SMS phishing numbers that is so concerning – it’s also the sophistication in the social engineering methods used in the attacks. There was also some chatting about passwords and how to devise better solutions that are truly scalable.

Though October is designated Cyber Security Awareness Month, the National Cyber Security Alliance operates year round to promote better online security practices. Whether you want to protect yourself, protect your business, or help educate others, the NCSA has many opportunities for you to get involved.

One thing any smartphone user can do to further online security – forward any SMS spam you receive to 7726 (7-7-2-6 spells S-P-A-M on old style alpha-numeric keypads). Forwarding SMS spam to 7726 not only helps protect other users, it also helps mobile providers investigate and take action against SMS spammers and scammers.

Overall, the bell ringing ceremony was a fun event with a serious message. It’s great to see the industry come together to fight cybercrime and Cloudmark will certainly continue to be a part of that effort.

Severe Surge in SMS Phishing Attacks


Friday, September 07, 2012 by Mary Landesman

During the first week of September, Cloudmark observed a 913% increase in the volume of SMS phishing attempts, making SMS phishing currently the single largest SMS text messaging threat. The surge appears to be the result of a single set of attacks which initially started on September 4th. Thus far, attackers have used over 500 unique pitches in the phishing scams, but the general characteristics are as follows:

Fwd:Good Afternoon .Attention Required Call.(xxx)xxxxxxx

The phone numbers victims are instructed to call include:

2012040735
2055612208
2105278888
2814920248
3124924053
3474105894
4016488505
5612357256
6164993061
6783847527
7145911051
7272162029
7739121434
8164101809
8177863304
8323086322
8645825454
8667368703
8775924747
8888408034
9738818000

Investigation reveals the attackers are using several phone ploys to trick victims into divulging sensitive credentials. These ploys range from claims of Bank of America account suspensions and Macy’s credit card collections to the U.S. Veterans Administration health services.

Victims who fall for the phishing scam and divulge their credentials risk being subjected to bank account theft, credit card fraud, and even outright identity theft. Stolen information can even be used in social engineering scams to elicit further information from unrelated accounts.

If you’ve been the recipient of this SMS phishing attempt, forward the text to short code 7726 to notify your carrier and to facilitate resolution. And remember, never divulge sensitive information to any source you have not fully vetted. When in doubt (which you always should be) contact your bank, credit card company, or health provider by known good numbers you have on file – never respond via the contact details provided in an unsolicited SMS text.
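As an added illustration (this is example code, not Cloudmark’s detection logic), here is a small Python scanner that pulls the callback number out of an SMS body, whatever punctuation the spammer wraps it in, normalizes it to ten digits and checks it against the numbers listed above. The blocklist is the list from this post; the sample messages are constructed in the shape of the quoted template. The third sample shows the same pitch with a number that is not on the list, which is exactly the kind of message worth forwarding to 7726 so the list can grow.

```python
import re

# Callback numbers quoted in the post above, already in 10-digit form.
KNOWN_CALLBACK_NUMBERS = {
    "2012040735", "2055612208", "2105278888", "2814920248", "3124924053",
    "3474105894", "4016488505", "5612357256", "6164993061", "6783847527",
    "7145911051", "7272162029", "7739121434", "8164101809", "8177863304",
    "8323086322", "8645825454", "8667368703", "8775924747", "8888408034",
    "9738818000",
}

# A 10-digit US number however it is decorated: optional +1/1 prefix, optional
# parentheses round the area code, spaces/dots/dashes between the groups.
# The look-arounds stop it matching a slice out of a longer digit run.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.-]?)?\(?(\d{3})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})(?!\d)"
)

# The "Attention Required Call" pitch from the template above, tolerant of
# case and of the odd punctuation spammers use to break signature strings.
PITCH_RE = re.compile(r"attention\s*required\W{0,3}call", re.IGNORECASE)


def extract_numbers(text):
    """Return every phone number in an SMS body, normalized to 10 digits."""
    return [area + exch + line for area, exch, line in PHONE_RE.findall(text)]


def classify(text, blocklist=KNOWN_CALLBACK_NUMBERS):
    """Return (verdict, numbers): 'known-phish' if the body carries a listed
    callback number, 'suspect' if it uses the pitch wording (new number or
    no number at all: worth reporting), otherwise 'clean'."""
    numbers = extract_numbers(text)
    if any(n in blocklist for n in numbers):
        return "known-phish", numbers
    if PITCH_RE.search(text):
        return "suspect", numbers
    return "clean", numbers


# Constructed sample bodies (not real reports) in the shape of the quoted template.
SAMPLE_MESSAGES = [
    "Fwd:Good Afternoon .Attention Required Call.(201)204-0735",
    "Fwd:Good Morning. ATTENTION REQUIRED - CALL 1-888-840-8034",
    "Attention required: call 415.555.0100 regarding your account",
    "Your prescription is ready. Pharmacy hours 9-5.",
]


def scan(messages=SAMPLE_MESSAGES):
    """Classify a batch of messages; returns a list of (verdict, numbers)."""
    return [classify(m) for m in messages]


if __name__ == "__main__":
    for body, (verdict, numbers) in zip(SAMPLE_MESSAGES, scan()):
        print(f"{verdict:12} {numbers} <- {body}")
```

The look-behind and look-ahead in PHONE_RE matter in practice: without them a tracking or order number such as 123456789012 would yield a bogus “phone number” and pollute the match list.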

DKIM Helps and Hurts Google, YouTube and SalesForce


Thursday, January 26, 2012 by Murray Kucherawy

Google has been using DKIM to improve trust in mail it sends from several of its properties for some time now. Mail from Google staffers (google.com and googlers.com), from YouTube (youtube.com), from Google Groups (googlegroups.com) and from Gmail users (gmail.com) is always signed by DKIM using those respective domains as the signer. This means we can be suspicious of mail from those sources that isn’t signed by Google. (There’s a protocol called ADSP that would let Google make this statement explicitly, but we can also infer it from what we know from our contacts there.) This sort of tactic has worked to filter out some recent fake YouTube spam that claims to be from YouTube but isn’t signed.

Unfortunately, Google’s infrastructure has grown so big and fast that there are a few Google properties that aren’t signed by DKIM yet. There are also some Google applications whose email components are outsourced to other companies, like SalesForce, who in turn send mail claiming to come from Google that, of course, isn’t signed. And in some cases, mail that goes between two Google services and is then forwarded to other addresses goes out unsigned.

This means it’s impossible to apply these implicit DKIM rules across the board to keep these scams at bay before they can get started: If we turn them on for everything, some legitimate mail will be bounced, or some mail that deserves preferential treatment won’t get it.

We know about these limitations of DKIM already. And we know it’s a challenge for any large organization to ensure that any new email policy (or any kind of policy, really) is applied across its entire infrastructure when parts of it operate independently. In the end, though, it means the full benefits of DKIM can’t be realized when the roll-out is only partial. Google has told us they’re aware of these issues and they’re working to tighten it all up.

This is important to remember for all sites, whether deploying DKIM as a signer or as a verifier. When we wrote the DKIM RFCs, we included a lot of discussion about these topics, and experience since then has shown that this was time well-spent.
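The implicit “always signed” rule described above can be written down as a check of the From: domain against the DKIM result our own verifier recorded. The Python below is an added example, not Cloudmark’s or Google’s code. It assumes signature verification already happened upstream and was stamped into an Authentication-Results header by our verifier, whose authserv-id is assumed here to be mx.example.net; headers stamped by any other authserv-id are ignored, because a sender can add its own “dkim=pass”. The domain list is the one given in the post, and alignment is strict (d= must equal the From: domain), as the post describes. The third constructed message is the outsourced-sender case discussed above: it fails the rule even though it is legitimate, which is precisely why the rule cannot be switched on across the board.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Sender domains that, according to the post, always sign with d= equal to the
# From: domain. Mail from any other domain gets no implicit rule.
ALWAYS_SIGNED = {"google.com", "googlers.com", "youtube.com",
                 "googlegroups.com", "gmail.com"}

# Our own verifier's authserv-id (an assumed name). Authentication-Results
# headers stamped by anyone else are ignored rather than trusted.
OUR_AUTHSERV_ID = "mx.example.net"

# dkim=<result> ... header.d=<domain> within one Authentication-Results header.
AR_DKIM_RE = re.compile(r"\bdkim=(\w+)(?:[^;]*?\bheader\.d=([\w.-]+))?", re.I)


def from_domain(msg):
    """Domain part of the RFC5322.From address, lower-cased."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def dkim_results(msg, authserv_id=OUR_AUTHSERV_ID):
    """Yield (result, d) pairs from Authentication-Results headers we stamped."""
    for ar in msg.get_all("Authentication-Results", []):
        ar = str(ar)
        stamped_by = ar.split(";", 1)[0].split()[0].lower()
        if stamped_by != authserv_id.lower():
            continue
        for result, d in AR_DKIM_RE.findall(ar):
            yield result.lower(), d.lower()


def check_implicit_policy(raw, authserv_id=OUR_AUTHSERV_ID):
    """'aligned-pass', 'policy-fail' or 'no-policy' for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    domain = from_domain(msg)
    if domain not in ALWAYS_SIGNED:
        return "no-policy"
    for result, d in dkim_results(msg, authserv_id):
        if result == "pass" and d == domain:   # strict alignment, as in the post
            return "aligned-pass"
    return "policy-fail"


# Constructed messages: headers in the shape a verifier leaves, not real mail.
SIGNED_GMAIL = """\
Authentication-Results: mx.example.net; dkim=pass header.i=@gmail.com header.d=gmail.com header.s=20120113
From: Alice <alice@gmail.com>
Subject: hi

body
"""

FAKE_YOUTUBE = """\
Authentication-Results: spammer.example; dkim=pass header.d=youtube.com
Authentication-Results: mx.example.net; dkim=none
From: "YouTube Service" <service@youtube.com>
Subject: Your video was approved

click here
"""

OUTSOURCED_GOOGLE = """\
Authentication-Results: mx.example.net; dkim=pass header.d=bulkmailer.example
From: Google Apps <no-reply@google.com>
Subject: Your account

body
"""


def demo():
    """Run the three constructed cases; returns {name: verdict}."""
    return {name: check_implicit_policy(raw) for name, raw in
            [("signed gmail", SIGNED_GMAIL), ("fake youtube", FAKE_YOUTUBE),
             ("outsourced google", OUTSOURCED_GOOGLE)]}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} {verdict}")
```

In a real deployment the verifier should also strip or relabel foreign Authentication-Results headers at the border, as RFC 7001 recommends; the authserv-id filter here is the in-process version of that guard. The “policy-fail” on the outsourced message is a false positive unless an allowlist of known third-party signers for that domain is maintained, which is the operational cost the post is pointing at.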

Highlights from IETF 82 in Taipei


Tuesday, November 29, 2011 by Murray Kucherawy

The Internet Engineering Task Force met in Taipei in mid-November. Cloudmark was in attendance, working to advance several things through the IETF processes, including

  • a new working group that will produce protocols and advice documents relevant to reputation services (see my previous posts about DKIM and domain reputation);
  • creation of a working group seeking advancement of SPF to the standards track; and
  • a working group to develop and standardize a more useful replacement to the only-somewhat-useful WHOIS service.

There’s already active interest in all three of these areas.

We’re also championing the work of some best practices documents covering things like greylisting and handling of malformed mail, both with input from the Messaging Anti-Abuse Working Group.

And we’re keeping an eye on developments in the web and IPv6 communities within IETF, with an eye towards how those changes will affect messaging security.

For more information, contact us through your representatives, or find us through the various IETF mailing lists dedicated to those purposes.

The next meeting is at the end of March in Paris. We’ll be there!

The Federal Government and Email Security


Sunday, October 09, 2011 by Murray Kucherawy

This week, at the Federal Cybersecurity Conference & Workshop in Baltimore hosted by the Department of Homeland Security, there was a panel on Email Authentication that explained why authenticated email is vital to their interests. Being able to trust email from federal agencies is highly important to them, not merely for communication among agencies but also between the government and its constituents.

It was explained that in the recent past a couple of US senators have had to arrange sudden press conferences to spread the word that, contrary to what’s been said in email, they are not dead. Apparently there had been forged email campaigns making such claims, causing some amount of chaos, and they needed to be dispelled. The FBI, IRS, and the House domains have also been the target of forged email or phishing campaigns.

Cloudmark was invited to present the perspective of industry to the audience of mainly CIO-level representatives from various branches of the federal government. We highlighted not only the importance of deploying email authentication technologies like SPF and DKIM and why they’re great, but also why they’re not enough. Domain reputation, the obvious next step along the path to securing email, became the focus. Some good questions were asked about the viability and vulnerability of such systems when they’re based on user feedback. Fortunately, we have a lot of good experience in that area from our commercial product and open source history, which supported the discussion.

We’re encouraged to see that the federal government has taken such an interest in these issues. We presented some ideas of how they can help with respect to deploying policy and services from their side of the fence, and we’re looking forward to making progress with them.

When is an email from PayPal, not really from PayPal?


Monday, August 08, 2011 by Angela Knox

Take a look at this message and see if you can tell whether it came from PayPal.

Fig 1. Fake Email from PayPal.

This email is NOT from PayPal.  It’s from a spammer, who wants you to go to your browser and open the “AccountValidation.html” page that he or she has attached.

Why should you immediately be suspicious of this email?

  • Be suspicious if the “From” address is not paypal.com. (The reverse does not hold: a From address is trivially forged, so a paypal.com sender is not by itself a reason to trust the message.)
  • Also, be suspicious if they don’t use your real name.  If they say “Dear Valued Member” instead of addressing it to your first and last name, it is very likely to be fraud.
    • Unfortunately, the opposite is not true.  Spammers have ways of getting both your real name and your email address.  For instance, sometimes they hack into an unrelated system, that has less security than PayPal, that also stores your name and email address.   So just because they use your real name, does not mean you should automatically trust them.
  • Always be suspicious of downloading attachments.  PayPal, your bank and your other accounts are never going to send you an attachment to download and run.

What should you do when you get an email like this?

If you get an email about your PayPal account and you think there might be a real issue with your account, then:

  • Do not download any attachments. The attachments may contain a virus or a redirect to a fraudulent site, or they may contain a fake account verification page, as this email does.
  • Avoid clicking on any links in the email, as the links may take you to a fraudulent site.
  • Instead, open your browser and type in the URL yourself: www.paypal.com
    • If you do have a legitimate issue, PayPal will inform you when you log in.
  • Never reply to an email with your username, password or credit card number. Legitimate sites will never ask you for your password or credit card number via email.

More details about how to avoid PayPal scams can be found on the PayPal site.  Click on “Security and Protection” and hit the “Explore Topics” button. https://cms.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=security/phishing

What will happen if you open AccountValidation.html in your browser?

You should avoid opening attachments that you suspect are from spammers, as they may contain viruses which can infect your computer.

In this particular case, the AccountValidation.html page is a phishing page.  Phishing is when a spammer pretends to be a legitimate institution such as PayPal, in order to trick you into giving away your personal information.

If you were to open this page in your browser, then in this case you would see the page below.

Fig 2. Fake Account Validation Page

The page is asking for all your personal information including your credit card number.  Remember, this “AccountValidation.html” page is not from PayPal.  The spammer wants it to look like it is from PayPal, so that you’ll be tricked into giving away your personal information.  It even pulls many of the images on the page from PayPal servers.

However, it was sent by a spammer. If you were to fill in the information and press “Save Profile”, the page would send everything you entered to the IP address of a computer in Ukraine.

What do legitimate emails from PayPal look like?

Below is another example of a PayPal email. This one is legitimate (with the name and email address changed to protect the real recipient). Sometimes it’s challenging to tell that a legitimate email is actually legitimate. But when you’re in doubt, you can always type the URL www.paypal.com into your browser and log in directly. When you log in to www.paypal.com, PayPal will let you know if there is something you need to deal with.

Fig 3. A Real Email from PayPal

Exciting Times


Tuesday, July 19, 2011 by Murray Kucherawy

The Internet Engineering Task Force (IETF) will be meeting next week in Quebec City. The IETF, which produces the RFC document series that defines Internet standards, hosts a lot of activity that is of current interest to the messaging security community. Cloudmark is a very active participant in these processes, as a means of staying ahead of the technology curve while also influencing the direction of it.

As I blogged back in April, the industry has been working on an Internet standard called DKIM, or DomainKeys Identified Mail, which is a young but promising email security technology. This past week the IETF approved publication of a revised version of the DKIM specification, with Cloudmark as a co-editor. This is a significant milestone in that DKIM is now recognized as having proven itself and thus has reached an elevated maturity level (“Draft Standard”). We anticipate this will encourage development of new systems that can capitalize on DKIM to improve the email experience as DKIM gains wider acceptance and deployment.

Cloudmark is also spearheading the effort to create a new working group within the IETF to develop new protocols that enable reputation services, not only for reputations about domain names, but anything about which you might want to ask for a rating. The interest in the idea within industry is clearly visible, and the discussion should be lively. We’re already looking at ways to capitalize on the data we collect on an ongoing basis to participate actively in this evolution.

We’re directly involved in a working group that talks about standardizing feedback loops (FBLs). These are automated streams of data from users directly to service providers about messages they receive that are abusive, enabling those service providers to respond more quickly. (When you click “Report Spam”, you’re putting data into an FBL.) Cloudmark uses FBLs to collect spam reports and thus keep our system’s accuracy at the top of its class. This work is also branching out into the mobile world, where we’ve been making quite a splash lately.

We’ve started work on a best practices document that’s intended to get all vendors to converge on how they interpret certain malformations in the mail stream. That some components differ in how they handle these various cases can enable certain attacks, and we’re doing this work to try to close those gaps so that this class of attack is harder or impossible to mount in the future. There’s some interest in branching this work into a similar document that covers the behaviour of web browsers.

Cloudmark has also been approached by people inside ICANN (the Internet Corporation for Assigned Names and Numbers) to work on a revised specification for WHOIS, the perennial tool for looking up registrants of domain names and network blocks. Very early conversations within the IETF about what such a revised system should look like are already taking place. We’re interested in the success of this because a reliable WHOIS system would go a long way to identifying bad actors long before they ever get near your inbox. We’re already involved at the ground level.

We monitor the people who are doing work on internationalizing email addresses. Not only will email systems have to cope with the added complexity of supporting these, but we need to think ahead to how bad actors will try to exploit these changes to get into your inbox, and plan accordingly.

And we’re keeping a very close eye on developments within the IPv6 working groups. As you’ve undoubtedly heard by now, IPv6 is being slowly deployed at all major service providers. Since a lot of your perimeter security in messaging is based on IP addresses, it’s important that those systems either transition smoothly into the world of IPv6 or are replaced with something that’s as good or better. There’s considerable debate about the efficacy of one of these rollout tools (“6to4”), and we’re watching to see how it plays out.

Those are just the highlights. There are many more working groups doing interesting things in and around messaging. It’s going to be a busy and exciting week as we get some hints from all of this of what the future of messaging might look like. Come back to the blog in early August to find out!

Let’s go phishing, eh?


Tuesday, March 29, 2011 by David Romerstein

The latest in a long line of phishing attacks made to look like government communication comes to us courtesy of a fake “Canadian Revenue Agency”. The original email is in French, explaining that the recipient is eligible for a tax reimbursement of “189.82” and directing them to a web page where they are to enter personal information to claim the refund. The links in the emails redirect to landing pages hosted in many places, which appear to be sitting on compromised web servers.

The landing pages themselves all attempt to look like real Canadian government web pages, including versions of the page in both French and English (see below). Many of the links on the landing pages lead to real Canadian government pages, including “Contact Us” and “Help”, but the “English” and “French” buttons, as well as the script that submits the form, lead back to the compromised, phishy servers. The form itself is quite simple, asking for a name, “Social Insurance” number, date of birth, and “Refund Amount”.

Canadian Revenue Agency Phishing Site (French)

Canadian Revenue Agency Phishing Site (English)

You can protect yourself from scams of this type by paying close attention to the emails you receive and the links on which you click. Because of the way this email was encoded, it’s likely that accented characters appear as blank squares or black diamonds with question marks; a legitimate email is more likely to have properly encoded characters. Additionally, hovering your mouse over the link in the “call to action” should (in most mail programs and web browsers) show you the target of the link. If the target differs from what you would expect, do not click it. If you’re being asked for personal information, it might be time for an ‘out of band’ contact: call a known phone number, or use a trusted search engine to find a contact number, to make sure you should give out that information.
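The AccountValidation.html attachment from the PayPal post above and this CRA lure share the same tells: a form that posts somewhere other than the brand’s own servers, brand images hot-linked from the real site, and link text that shows one host while the href points at another. The Python below is an added example, not Cloudmark’s code, that checks an HTML email or attachment for those three patterns. The two HTML samples are constructed stand-ins for the artifacts described in the posts: the collection address 198.51.100.23 and the host compromised-host.example are documentation placeholders, not the real scammers’ infrastructure, and the field names are assumed.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


def host_of(url):
    """Lower-cased host of an absolute URL; '' for relative or unparsable values."""
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def same_org(host, brand):
    """True if host is the brand domain or a subdomain of it."""
    return host == brand or host.endswith("." + brand)


# Field names a credential/card harvesting form typically uses (assumed list).
SENSITIVE_RE = re.compile(r"\b(?:pass\w*|card\w*|cvv\d?|ssn|sin|dob|pin)\b", re.I)


class PhishPageScanner(HTMLParser):
    """Collect form targets, image hosts, sensitive inputs and link text/target pairs."""

    def __init__(self):
        super().__init__()
        self.form_actions, self.image_hosts, self.links = [], [], []
        self.sensitive_fields = []
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.form_actions.append(a.get("action", ""))
        elif tag == "img" and a.get("src"):
            self.image_hosts.append(host_of(a["src"]))
        elif tag == "input":
            name = (a.get("name") or a.get("id") or "").lower()
            if a.get("type", "").lower() == "password" or \
                    SENSITIVE_RE.search(name.replace("_", " ").replace("-", " ")):
                self.sensitive_fields.append(name or "password")
        elif tag == "a":
            self._href, self._text = a.get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href, self._text = None, []


def scan_html(html_text, brand_domain):
    """Findings for an HTML page or email claiming to be from brand_domain."""
    p = PhishPageScanner()
    p.feed(html_text)
    findings, offsite_form = [], False
    for action in p.form_actions:
        h = host_of(action)  # '' for a relative action: it posts back to the serving host
        if is_ip_literal(h):
            findings.append(f"form posts to raw IP {h}")
            offsite_form = True
        elif h and not same_org(h, brand_domain):
            findings.append(f"form posts to third-party host {h}")
            offsite_form = True
    if offsite_form and p.sensitive_fields:
        findings.append("offsite form collects sensitive fields: "
                        + ", ".join(sorted(set(p.sensitive_fields))))
    if offsite_form and any(same_org(h, brand_domain) for h in p.image_hosts):
        findings.append(f"hot-links images from {brand_domain} while posting elsewhere")
    for href, text in p.links:
        if "." in text and " " not in text:  # visible text looks like a URL or host
            shown = host_of(text if "://" in text else "//" + text)
            target = host_of(href)
            if shown and target and not same_org(target, shown):
                findings.append(f"link text shows {shown} but goes to {target}")
    return findings


# Constructed stand-ins for the two artifacts; placeholder hosts and IP.
ACCOUNT_VALIDATION_HTML = """
<html><body>
<img src="https://www.paypal.com/images/logo.gif" alt="PayPal">
<form method="post" action="http://198.51.100.23/save.php">
  Email <input name="email"> Password <input type="password" name="pass">
  Card number <input name="card_number"> CVV2 <input name="cvv2">
  <input type="submit" value="Save Profile">
</form>
<a href="https://www.paypal.com/help">Help</a>
</body></html>
"""

CRA_LURE_HTML = """
<html><body>
<p>You are eligible for a refund of 189.82. Claim it here:</p>
<a href="http://compromised-host.example/cra/index.php">https://www.cra-arc.gc.ca/refund</a>
<a href="https://www.cra-arc.gc.ca/cntct/">www.cra-arc.gc.ca/cntct</a>
</body></html>
"""

if __name__ == "__main__":
    print(scan_html(ACCOUNT_VALIDATION_HTML, "paypal.com"))
    print(scan_html(CRA_LURE_HTML, "cra-arc.gc.ca"))
```

The relative-action case is the one blind spot to keep in mind: a landing page on a compromised server that posts to /submit.php looks clean to this check, so when scanning a fetched page rather than an attachment, pass the serving host in and treat a relative action as posting to it.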

