Cloudmark Blog

Intelligence Briefings from the War on Spam

Archive for the ‘SMS Fraud’ Category

Summer Spam Cruises onto U.S. Phones during May


Wednesday, June 12, 2013 by Cloudmark

Summer has come, and SMS spam is here to stay. Recent FTC allegations against gift card scammers and a change of seasons have led to major shifts in the estimated 480 million SMS spam sent monthly to U.S. residents. During the month, two of the top five reported types of SMS spam in the United States were forms of fraudulent scams. Most notably, the bulk of Win Free Stuff Scams have changed from gift card and iPhone 6 hooks to a more seasonal approach: cruises. Starting just prior to the U.S. tax season, SMS phishing attempts have continued a trend of steady increase to take the top spot in May.

Source: Cloudmark / GSMA

Win Free Stuff Scams

As the swimsuits are coming out for summer, so are the vacation scams. Last month 72% of all Win Free Stuff Scams lured American recipients with the false promise of a free cruise. Mass texts are sent out declaring that “YOU!” have won a free cruise to an exotic Caribbean location. The only catch? First, they ask you to fill out a long set of forms or surveys to qualify. Often nestled in these forms are terms and conditions that make actually winning nearly impossible. Should you magically qualify, scammers will extract endless fees until the victim has paid more than face value for their prize. Nothing in life is free after all, not even free cruises.

Bank, Card, and Account Phishing

This past month Bank/Account Phishing was both the most prevalent category and arguably the most dangerous. Messages of this type are sent out masquerading as a bank claiming that the recipient’s account has been locked for fraudulent charges or suspicious behavior. This fear mongering compels the victim to use a provided phone number or link to resolve the issue. Unfortunately, criminals use this bit of social engineering to trick victims into divulging bank accounts, credit cards, debit cards, and other personal information for the sake of “unlocking” the account. With this information in hand, the perpetrators can now commit a myriad of crimes that can have very serious financial repercussions.

Spammers, regrettably, may have seen some traction with phishing attempts in recent months. Since the beginning of 2013, SMS phishing attempts have risen from 2% to 32% of monthly volumes. The following chart illustrates the monthly volumes of Bank/Account Phishing:

Source: Cloudmark / GSMA

Adult Content Spam

Contributing approximately 24% of May’s volume, adult-themed spam came in at number two. These texts entice audiences to follow a supplied link promising adult content or suggestive dating language. Senders use obfuscated, shortened referral links to derive revenue from affiliate marketing campaigns. However, users often find that the promised content was egregiously misrepresented. This form of affiliate fraud has resulted in certain sites aggressively banning known spammers, but the problem is ongoing. The graph below shows that just last month adult-themed SMS spam spiked above 40% of daily volume on several occasions, reaching as high as 60%.

Source: Cloudmark / GSMA

Junk Car Spam

“WE BUY JUNK CARS” and “COMPRO CARROS” spam continued to flood the phones of many Florida residents last month. Surprisingly, more than 9% of the entire country’s reported spam came from this single state in May. This ongoing SMS epidemic has plagued the Sunshine State for more than a year and a half. It has pushed one Florida resident, Scott Owens, to file a federal class action lawsuit against the suspected senders. In it, Owens is seeking a staggering one billion dollars in damages for unwilling recipients of the spam. As we’ve seen, however, the spam continues to inundate Floridians unabated.

Payday Loans

Trailing behind junk car spam, payday loans also made a small ripple in SMS spam during May. Payday Loan Spam is often made up of unsolicited texts from lead publishers for legitimate businesses offering short-term cash loans. Ping trees, a sort of sharing network for these leads, can pose a security risk, though. After responding, a user and their information can be passed off to other members in the ping tree. Sometimes you may get passed to a legitimate lender. Sometimes they’re out to steal your information. Worse yet, some entities have been caught demanding fees in advance for loans that may or may not be real.

Money Mules and Honey Mules


Thursday, May 16, 2013 by Andrew Conway

One common form of spam that we see across all sorts of platforms is work from home scams. As well as traditional email, this can also be found on most social networks, and more recently in SMS.

She made it big doing this from her home. Check it out www.[redacted].com

The spammers often link to what appears to be a legitimate news web site. This SMS message, which addresses the recipient with the correct first name

Andrew – I’m in the news! Look: www.[redacted].com

takes you to a fake news web site that looks like this

Fake news web site

There are three ways that this spam can be monetized. First, it can be used for collection of personal details for identity theft. Secondly, it can be used as an advance fee scam – in order to earn money you first have to buy materials from the ‘employer’ that turn out to be worthless. Finally, it can be used to recruit money mules for bank fraud.

Money mules are a vital step in a common form of bank robbery. It works like this. The controller of a small business receives an email addressed to them and opens an attachment. This contains a trojan, which takes over their computer. The trojan installs software which collects the credentials used to access the company bank account. This is usually more successful when the company banks with a smaller regional bank that does not have the same sort of fraud prevention in place as a major bank.

Meanwhile, the criminals have recruited a number of money mules who have been doing pointless make-work tasks for a month or so, and have provided their bank account details to the hackers to receive payment. On the day of the theft, the hackers access the company bank account and start transferring money out to the money mules. They are limited to under $10,000 or $5,000 per mule, depending on the institution they bank with, so in order to steal $1,000,000 they will need at least a hundred mules. The mules are instructed to withdraw the money in cash, collect a small commission themselves and transfer the rest via Western Union or MoneyGram to an offshore recipient, often in Eastern Europe. In most cases the money mule has no idea they are participating in anything illegal.

As far as the criminals are concerned, money mules are a limited resource, as they are hard to recruit and can only be used for one fraudulent money transfer. Brian Krebs reported on a theft last month where he speculates that the hackers could not take more than a million dollars out of the account because they ran out of mules. Shortly after this theft we saw a spike in the volume of SMS work from home spam. For the two weeks after the attack, we saw 280% more work from home SMS spam than the two weeks before. Was this the criminal gang looking for new mules after they had burned up their entire gang in a particularly profitable heist?

Work from home SMS spam

One technique used in spam detection is setting up large numbers of email addresses that have no real user. They are just exposed on the web somewhere, and then anything that is sent to them must be spam. These are called honeypots. Perhaps something similar would work to detect this sort of bank fraud? Set up some fake identities (let’s call them honey mules), sign them up for work from home schemes, and have a bank account that is flagged with the financial institution so that any transfer into the account is immediately regarded as fraudulent. That way the sending institution can be notified that the sending account has been compromised and can block further transfers and even reverse many of those that have already taken place before the other money mules can remove the money from the accounts. Of course, this would require close cooperation of the banks, law enforcement, and whoever is operating the fake identities.

Unfortunately, nobody has an economic incentive to do this. Business bank accounts do not have the same legal protection as consumer accounts, and when there are losses due to unauthorized transactions in most cases the business eats the loss, and not the bank. Even when the bank can be proved in court to have provided inadequate security, the losses are usually taken by small regional banks rather than the big institutions that have the resources to investigate cyber threats.

Still, the million-dollar heist last month is getting to be serious money. If there is anyone out there who is interested in the honey mule scheme, give us a call and we’ll be happy to provide you with all the latest work from home spam in email and SMS.

Three mobile network operators taken to court for SMS spam


Friday, May 10, 2013 by Chris Barton

The Chilean national consumer protection service Sernac has reportedly taken three mobile operators to court over sending SMS spam about contests and sweepstakes.  As a result of the study they carried out between Dec 2012 and Feb 2013 the three networks are potentially facing fines totaling $86 million.

A Google translation indicates that the reports state the networks failed to provide an opt-out, failed to indicate costs clearly, or the dates and other terms of the offers advertised.

There is an excellent release from the consumer protection agency, note the box at the bottom with the summary of the legal issues involved: (Google translate) Delivery of Advertising: Sernac justice denounced Claro, Movistar and Entel for not respecting the Rights of Consumers.  [ News, more news ]

This isn’t just a local phenomenon. We estimate SMS spam levels to be hitting 575M/day globally and there are other groups actively taking action already.  In the US the FTC are prosecuting 29 defendants for SMS spam.  In the UK the consumer group Which? are campaigning for action on shady SMS marketing and are calling for a taskforce to address it, meanwhile the ICO have issued substantial fines to SMS spammers touting shady PPI schemes.   

I’m all for a decent dose of vigilante consumerism but I have to say I’m a little sceptical right now. It will be interesting to see in the Chilean case if these show guilt on the part of the operators or find that third party marketing companies were actually at fault, but either way, that’s what I call a LART.

Finally, you can of course do your bit to help prevent SMS spam by forwarding the message to 7726.

2013’s First Quarter at a Glance


Wednesday, April 17, 2013 by Cloudmark

With the close of 2013’s first quarter, we’ve released our Q1 2013 Global eMessaging Threat Report detailing a myriad of SMS and IP spam statistics, trends and observations from the past three months. Paramount among them is a set of allegations leveled by the Federal Trade Commission (FTC). These filings contended that the defendants were responsible for collectively sending more than 180 million gift card themed scam SMS messages.

Subscriber reports to the GSMA Spam Reporting Service, 7726, shed a clear light on the potency of this regulatory move as daily volume rates for these scams plummeted. Below is a daily tracker illustrating the impact of the FTC regulations on the daily volume of SMS gift card scams. Earlier in the quarter, we were seeing gift card scam volumes peaking above 50% of all reports in a given day. Soon after the FTC announcement, the same scams plummeted below 10% of each day’s volume. A similar trend was seen more macroscopically. In 2012, these scams constituted 44% of all SMS spam reported during the year. This has fallen dramatically in 2013, with only 6% of March’s volume being gift card scams.

We saw growth in other attack categories over this quarter. The figure below shows Job Listing Scam’s monthly volume share rose by 400% over the quarter. Similarly, Adult Content Spam doubled its share from 8% to 16%.

Meanwhile, the SpamSoldier Android botnet and other older botnets were linked to several Panamanian services. These services provided registration mechanisms for rogue online pharmacies, domains for the SpamSoldier botnet, and anonymous hosting for botnet Command and Control servers. More details about these Panamanian services along with further analysis of SMS and email spam trends in Q1 2013, can be found in our quarterly report.

FTC charges 29 defendants for sending 180 million spam text messages


Thursday, March 07, 2013 by Angela Knox

Today the Federal Trade Commission (FTC) announced that they have charged 29 defendants with collectively sending 180 million unwanted text messages.

The text messages advertised “Free” Gift cards or prizes from major retailers such as Best Buy, Walmart and Target.  However, consumers who clicked on the links contained in the text messages were required to provide personal information and to sign up for other “offers” in order to be eligible and then also had to sign up other people for these offers.

Because the consumers who were receiving these text messages had not signed up to receive these messages, many people reported the messages as spam to the 7726 short code which is offered by the major US mobile carriers through the GSMA Spam Reporting Service, powered by Cloudmark.

7726 data highlights that the FTC has chosen to strategically go after the largest source of SMS spam in the US.  Gift Card spam has consistently been the largest category of SMS spam complaints in the US over the course of 2012.  For five months of the year it was over 50% of the volume being reported to 7726 and for 11 of the 12 months it was higher than any other category.  The only month where it dipped was October when there was a spike in bank phishing text messages.  The graph below shows the monthly percentage of spam reports which were gift card messages.

Chart: gift card spam, monthly 7726 reports

In contrast during February this year, there was a dramatic drop in Gift Card spam that started around Feb 20th. We can’t know for sure if the drop off was caused by the FTC’s action, but it is a significant drop from being regularly over 50% of the reports, to under 10% of the reports for the last 3 days. It will be interesting to watch the numbers going forward to see if they stay down, or whether the spammers will find new ways to send the spam or whether new spammers will take the place of the old ones, in order to keep traffic going to these sites.

Chart: gift card spam, daily 7726 reports

To view the data another way, here are the main types of spam attacks reported during 2012.  Receive a Gift Card spam was 44% of all the spam reported in 2012:



Chart: types of SMS spam, 2012

In contrast in the first few days of March 2013, Receive a Gift Card spam has only been 7% of all the spam reported:

Chart: types of spam, March 2013

The agility of the FTC in going after the major source of SMS spam is impressive.

Spam that advertises free gift cards isn’t new. These posts from 2011 (Spam or Not Spam) and last year (Olympic gift cards with a shot of Starbucks) highlight gift card spam being sent to email recipients. Because the spammers can get paid by the operators of the gift card websites, their incentive to send spam and get users to the website is high and they will look for the easiest, cheapest and most effective way to advertise and send traffic to their website, whether that’s via email, SMS or social networking.

One tactic we’ve seen the Gift Card spammers using lately is to use links hosted by URL Shortening websites. The shortener link redirects to the website that will try to collect the user’s personal information and sign them up for the various offers in the hopes of gaining the elusive gift card.

However, targeting mobile consumers is much more intrusive and has additional costs when compared to email spam, because people carry their mobile phones with them throughout the day and many people still have to pay a per message cost for every SMS they receive.  Therefore it’s gratifying to see the FTC going after these spammers.

Fighting spam is a collective effort. The more ways that the cost of sending the spam can be increased, the less likely the spammer is to send that type of spam. When the URL Shortening websites take action to make it harder for spammers to use their services this also helps decrease the spam. And when legal action is taken against a spammer, it can often deter both that spammer and the other spammers who see the legal action being taken as they take the cost of the legal action into account.

Android Trojan Used To Create Simple SMS Spam Botnet


Sunday, December 16, 2012 by Andrew Conway

A new crop of trojan mobile applications are demonstrating simple mobile botnet behavior, leveraging infected handsets to spread spam and invitations for other users to download the infected apps. This new evolution of malicious mobile applications is presently being monitored by the Cloudmark mobile security research team who had been investigating a strong uptick in mobile originated spam over the past week.

A random invitation received via SMS to download a free version of a popular Android game like The Need for Speed Most Wanted or Angry Birds Star Wars may seem enticing, but as your intuition may hint the offer is often times too good to be true.   If you do download this “spamvertised” application and install it on your Android handset, you may be unknowingly loading a malicious software application on your phone which will induct your handset into a simple botnet, one that leverages the resources of your mobile phone for the benefit of the malware’s author.  In the case of this latest batch of SMS sending malware that the Cloudmark Research team has been monitoring, your phone will be used to silently send out thousands of spam SMS messages without your permission to lists of victim phone numbers that the malware automatically downloads from a command and control server.  You better have an unlimited message plan or your phone bill may come as a bit of a shock.

The trojan apps were downloaded from sites on a server in Hong Kong offering free games. They claimed to be copies of popular games including the ones I mentioned.

Don’t do it!

Of course you have to jump through some hoops to install an Android app from a random web site rather than Google Play.

Don’t do this, either

Then you have to grant permission to the app to do all sorts of things that no Angry Bird should ever need to do, like surfing the web and sending SMS messages, but not many people read the fine print when installing Android applications.

Once installed, the trojan initiates a connection to a command and control server. The C&C server replies with both a list of spam target phone numbers as well as the message payload to deliver.  After the payload is retrieved the application would duly start SMS spamming, reporting back to the C&C server on each message sent.

The zombie communicates with the C&C server using HTTP. Typically a message and a list of fifty numbers are returned. The zombie waits 1.3 seconds after sending each message, and checks with the C&C server every 65 seconds for more numbers. The application reloads automatically after a reboot as it installs itself as a service on the handset.
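The timing described above (fifty numbers at 1.3 seconds each is about 65 seconds, so a busy zombie sends almost continuously) is something an operator can look for in mobile-originated SMS records. The following is an added example, not Cloudmark's code: the CSV record layout, the phone numbers and every threshold are assumptions, and the sample log is constructed.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median

# From the post: ~1.3 s pause after each SMS, ~50 numbers per C&C batch.
# Every threshold below is an assumption chosen for illustration.
EXPECTED_GAP_S = 1.3
GAP_TOLERANCE_S = 0.7   # accept a median gap of 0.6 .. 2.0 s
MAX_JITTER_S = 0.5      # median absolute deviation of the gaps
MIN_MESSAGES = 30       # below this there is too little evidence
MIN_FANOUT = 0.9        # share of messages sent to a distinct recipient
MIN_BATCH = 25          # messages sharing one body hash


def parse_records(text):
    """Group CSV lines 'iso_time,sender,recipient,body_hash' by sender."""
    by_sender = defaultdict(list)
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 4:
            continue  # malformed line
        ts, sender, recipient, body = (field.strip() for field in row)
        try:
            by_sender[sender].append((datetime.fromisoformat(ts), recipient, body))
        except ValueError:
            continue  # unparseable timestamp
    return by_sender


def sender_stats(events):
    """Cadence and fan-out features for one sender, or None if too few messages."""
    events = sorted(events)
    if len(events) < MIN_MESSAGES:
        return None
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
    med = median(gaps)
    return {
        "messages": len(events),
        "median_gap": med,
        # Median-based jitter ignores the occasional pause between batches.
        "jitter": median(abs(g - med) for g in gaps),
        "fanout": len({recipient for _, recipient, _ in events}) / len(events),
        "largest_batch": max(Counter(body for _, _, body in events).values()),
    }


def is_suspect(stats):
    """True when cadence, regularity, fan-out and body reuse all match."""
    return (stats is not None
            and abs(stats["median_gap"] - EXPECTED_GAP_S) <= GAP_TOLERANCE_S
            and stats["jitter"] <= MAX_JITTER_S
            and stats["fanout"] >= MIN_FANOUT
            and stats["largest_batch"] >= MIN_BATCH)


def find_suspects(text):
    return sorted(sender for sender, events in parse_records(text).items()
                  if is_suspect(sender_stats(events)))


def build_sample_log():
    """Constructed records: a bot-like handset, a chatty user, a group invite."""
    start = datetime(2012, 12, 10, 9, 0, 0)
    lines = []

    def emit(sender, gaps, recipient_of, body_of):
        when = start
        for i, gap in enumerate(gaps):
            when += timedelta(seconds=gap)
            lines.append(f"{when.isoformat()},{sender},{recipient_of(i)},{body_of(i)}")

    # Two batches of 50, ~1.3 s apart, with a 4 s pause before the second batch.
    bot_gaps = [1.3 + 0.05 * (i % 5 - 2) + (4.0 if i == 50 else 0.0) for i in range(100)]
    emit("+15550100001", bot_gaps, lambda i: f"+1555020{i:04d}", lambda i: f"body{i // 50}")
    # Ordinary user: three contacts, irregular gaps, every body different.
    emit("+15550100002", [45, 600, 12, 3600, 90] * 8,
         lambda i: f"+1555030000{i % 3}", lambda i: f"chat{i}")
    # Group invite sent by hand: high fan-out and one body, but slow and uneven.
    emit("+15550100003", [6, 15, 9, 30, 4] * 7,
         lambda i: f"+1555040{i:04d}", lambda i: "invite")
    return "\n".join(lines)


if __name__ == "__main__":
    for sender in find_suspects(build_sample_log()):
        print("suspect:", sender)
```

The hand-sent group invite passes the fan-out and body-reuse checks and is excluded only by its slow, uneven cadence, which is why the heuristic combines all four features rather than relying on volume alone.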

We first saw this spammer on October 26th, when the trojan claimed to be anti SMS spam software!

Tired of SMS Spam? Download our free SMS Blocker today to finally rid yourself of unwanted messages! Download now at http://[redacted].com

That attack only lasted one day. Apparently using SMS spam to promote a bogus SMS spam blocking service was not an easy sell. The spammer came back on November 10th, with the free games scam which simply attempts to get the botnet to spread:

Download Grand Theft Auto 3 & Need for Speed Most Wanted for Android phones for free at http://[redacted].mobi for next 24hrs only!

On November 28 the spammer decided to start monetizing. The free game messages continued, but there were also free gift card scam messages mixed in. This is a fairly common sort of SMS spam:

You have just won a $1000 Target Gift Card but only the 1st 777 people that enter code 777 at http://[redacted].com can claim it!

Of course, there are not really any free gift cards, this is just a trick to collect your personal information for affiliate programs and sometimes identity theft.

This stayed as a fairly low volume attack until the end of the week before last, when the spammer decided to ramp up his activities. For a couple of days we saw growth rates of 80% per day, with a peak rate of over half a million SMS messages per day.

To date, the following Trojan apps have been identified:


These URLs have been used for malware distribution:


These URLs have been used by the C&C server:

  • l0rdzs0ldierz.com
  • imperialistic.mobi

Compared with PC botnets this was an unsophisticated attack. However, this sort of attack changes the economics of SMS spam, as the spammer no longer has to pay for the messages that are sent if he can use a botnet to cover his costs. Now that we know it can be done, we can expect to see more complex attacks that are harder to take down. Please help prevent this from becoming a major problem:

  • Only install Android apps from Google Play
  • When you receive SMS spam, forward it to 7726

Share this with your friends and family, and together we can prevent Android botnets.

We’re continuing to monitor this attack and will update the blog with any breaking news.

Justice for the ‘Secret Crush’ spammer?


Tuesday, September 25, 2012 by Chris Barton

 “You Have 1 unread message from your secret crush…”

“Someone thinks you’re hot!”

“Someone sent you a weird diet tip that works.”

New York state Attorney General Eric T. Schneiderman’s office were responsible for the settlement in the case against Game Theory LLC that resulted in fines of $500,000 and a prohibition on the deceptive business practice. Game Theory were found to be tricking recipients into signing up for monthly text messages at a cost of $9.99 a month that were reportedly appearing on bills as “premium content” or “direct-bill charge”. They sent 150,000 texts to New Yorkers alone.

The news came in this tweet: https://twitter.com/AGSchneiderman/status/246973872342171648

Data from the 7726 SMS spam reporting service show how bad the situation got. The system was relatively new when the campaign kicked off; despite that, the level of complaints over a 3 month period is a clear indication of how it annoyed the recipients.

So that’s it. GAME OVER!  Game Theory’s site is down and the good guys won.

… Or is it?

There are also reports of Game Theory being acquired. Clearly the reporter didn’t look too hard into this statement. LinkedIn holds a good clue with regard to employee migration to a new employer.

.. and of course, a Facebook post has the full details:

Now, I have to ask one question… Does this list of complaints look a little too familiar? http://www.scambook.com/company/view/51431/Mobile-Plus-Inc

Screenshot

Clicking on some of the stories shows images of customers’ own bills showing similar charges they are clearly upset about. In game theory, this is called respawning, right?

Further reading:
www.nypost.com/p/news/local/text_scam_snares_only_the_lonely_CH8Fa0sEBjk3Jid6Mo3kWP

Kudos to Dan for his help with this story.

iPhone 5: If Rumors Spiked Massive Scam Increase, What Will Launch Do?


Friday, September 14, 2012 by Mary Landesman

Undoubtedly, pre-orders for the iPhone 5 are flooding in for Apple today. Will SMS scammers follow suit with a surge in iPhone 5 scams? After all, last February’s iPhone 5 release rumors spawned a pretty massive spike in iPhone 5 scams so it stands to reason the actual release of the device will have an even larger impact. While it’s still too soon to tell, here’s an overview of iPhone 5 SMS scams thus far this year.

The chart below shows the February spike and the March 2012 peak (4851 unique pitches) that occurred as a result of the iPhone 5 rumors. The number of unique pitches is telling because it indicates how much effort is being put into a specific scam (and thus serves as a possible indicator of how successful the particular scam is in netting new victims).

Cloudmark chart of unique iphone scams

While the number of unique pitches isn’t necessarily indicative of total volume, we find that in most cases the higher the number of unique pitches the scammers employ, then the higher the overall volume of that particular spam run. And that’s certainly the case with the iPhone 5 scams – the volume follows a near identical trajectory.

Cloudmark chart of volume of iphone 5 scams

It’s pretty obvious the scammers are closely tracking iPhone 5 launch developments. In March 2012, over 99% of iPhone 5 related SMS spam were so-called “Test & Keep” scams and only 0.81% tried to convince the recipient they had won an iPhone 5. However, thus far in September only 33% have “Test & Keep” as the hook, whereas 56% claim the recipient has won an iPhone 5.

Cloudmark chart of iPhone 5 scam hooks

Most telling, of the September iPhone 5 winner scams, all but 0.4% (zero point 4 percent) occurred on September 12 and 13. Which means the scammers are paying close attention to the launch and tailoring their pitch accordingly. Does that mean there will be a marked increase in iPhone-related SMS scams in the near future? Given the significant impact the February rumors had on overall volume, it’s quite likely – but of course it’s much too soon to tell. We’ll be watching.

Severe Surge in SMS Phishing Attacks


Friday, September 07, 2012 by Mary Landesman

During the first week of September, Cloudmark observed a 913% increase in the volume of SMS phishing attempts, making SMS phishing currently the single largest SMS text messaging threat. The surge appears to be the result of a single set of attacks which initially started on September 4th. Thus far, attackers have used over 500 unique pitches in the phishing scams, but the general characteristics are as follows:

Fwd:Good Afternoon .Attention Required Call.(xxx)xxxxxxx

The phone numbers victims are instructed to call include:


Investigation reveals the attackers are using several phone ploys to trick victims into divulging sensitive credentials. These ploys range from claims of Bank of America account suspensions, Macy’s credit card collections, and even the U.S. Veteran’s Administration health services.

Victims who fall for the phishing scam and divulge their credentials risk being subjected to bank account theft, credit card fraud, and even outright identity theft. Stolen information can even be used in social engineering scams to elicit further information from unrelated accounts.

If you’ve been the recipient of this SMS phishing attempt, forward the text to short code 7726 to notify your carrier and to facilitate resolution. And remember, never divulge sensitive information to any source you have not fully vetted. When in doubt (which you always should be) contact your bank, credit card company, or health provider by known good numbers you have on file – never respond via the contact details provided in an unsolicited SMS text.

Olympic gift cards with a shot of Starbucks


Monday, August 06, 2012 by Chris Barton

The Cloudmark security operations team have been expecting to see the gift card SMS spammers change to an Olympic theme for some time. This weekend it happened when the following campaign was detected.

Go USA! Starbucks is giving away free gift cards as part of our London 2012 Olympics Campaign! Grab one today at our website at www.[redacted].com

It’s been a long wait. Unfortunately for the spammer, the Cloudmark security platforms have had protection for this particular campaign for some time.

Take a look at the terms and conditions … Is changing your broadband provider and taking out a personal loan really worth the $100 coffee reward?

Impossible to qualify? Expensive at least!

Anyone who signs up for these offers also opts in to 10 types of additional advertising.

