Cloudmark Blog

Intelligence Briefings from the War on Spam

 


2009 Spam Highlights

As the end of the year draws near, we wanted to highlight some of the spam methodology and attacks Cloudmark observed over the past year.

Snowshoe/hailstorm attacks:

Snowshoe spam is a campaign which is distributed across multiple IP addresses within a /24 netblock (256 IP addresses) and migrates through large portions of a /16 (65,536 IP addresses). These campaigns commonly feature hashbuster text within the body of the messages, rotating domains in the call to action, and/or random word combinations in rDNS.

A hailstorm attack is a snowshoe campaign across smaller netblocks (/25 and /27 observed, not always contiguous), mailing over a shorter duration (under one minute, usually within seconds) with simultaneous connections. Typically, spammers engage in snowshoe and hailstorm attacks to evade DNSbls and other IP address and volume based spam filters.

Over the past 30 days, over 60% of the IP addresses sending new snowshoe spam campaigns to the Cloudmark Global Threat Network were located in Romania. IP addresses in the United States were responsible for almost 27% of snowshoe campaigns.

Botnet driven spam:

We have observed a significant amount of spam originating from the Cutwail botnet leading to installers for Zeus/Zbot. Recently, messages telling recipients to register in the CDC’s H1N1 program have been observed.

URL obfuscation:

Although URL obfuscation is nothing new, we continue to see it used by spammers to evade spam filters and trick the recipient. Some of the obfuscation methods we observed included the use of hex, octal, and HTML numeric and character entity encoding in URLs, the use of extra characters in href tags, and the use of style tags within the domain of the call to action.

Example of HTML numeric entity encoding:

<a href="http://ffq&#8211;bz.d107ptsn&#178;01.com/ ">Click here</a>

&#8211; is an en dash: –

&#178; is a superscript two: ²

HTML numeric and character entity encoding are decoded and successfully rendered by many mail clients and browsers. In the example above, the domain is ffq–bz.d107ptsn²01.com.

Example of the use of style tags within the domain:

  • http://<STYLE>Uqbysa for varykuto Qzufyce jzy</STYLE>fairsha<STYLE>Aziw for suilto Yhaxjnary lygavun</STYLE>pe.com

In a mail client (such as Outlook) or a webmail client, the recipient would only see http://fairshape.com. However, it would be a non-clickable link, so the recipient would need to copy and paste the URL into the web browser.
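A filter that compares call-to-action domains against a blocklist has to see the same host the mail client renders, so it must undo both tricks above before matching. The following Python is an added example written for this post (not Cloudmark's own code); it uses only the standard library and takes the two obfuscated URLs quoted above as its sample input.

```python
import html
import re
from urllib.parse import urlsplit

# Sample inputs: the two obfuscated call-to-action URLs quoted in the post.
OBFUSCATED = [
    '<a href="http://ffq&#8211;bz.d107ptsn&#178;01.com/ ">Click here</a>',
    'http://<STYLE>Uqbysa for varykuto Qzufyce jzy</STYLE>fairsha'
    '<STYLE>Aziw for suilto Yhaxjnary lygavun</STYLE>pe.com',
]

# <style> blocks are rendered as invisible, so the viewer never sees their text.
STYLE_RE = re.compile(r'<style\b[^>]*>.*?</style>', re.IGNORECASE | re.DOTALL)
# Pull the target out of an anchor tag; the value may contain padding spaces.
HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']*)["\']', re.IGNORECASE)
# Decimal, hexadecimal and named HTML entities (&#8211; &#xB2; &amp; ...).
ENTITY_RE = re.compile(r'&#\d+;|&#x[0-9a-f]+;|&[a-z]+;', re.IGNORECASE)


def normalize_url(raw: str) -> str:
    """Return the URL string a rendering client would actually use."""
    s = STYLE_RE.sub('', raw)          # 1. drop hidden <style>...</style> text
    m = HREF_RE.search(s)
    if m:
        s = m.group(1)                 # 2. keep only the href value of an anchor
    s = html.unescape(s)               # 3. decode entities: &#8211; -> '–', &#178; -> '²'
    return s.strip()                   # 4. remove whitespace padding around the URL


def extract_host(raw: str) -> str:
    """Host name of the rendered call to action, lower-cased by urlsplit."""
    return urlsplit(normalize_url(raw)).hostname or ''


def looks_obfuscated(raw: str) -> bool:
    """True when the raw text uses either trick the post describes."""
    return bool(STYLE_RE.search(raw)) or bool(ENTITY_RE.search(raw))


if __name__ == '__main__':
    for url in OBFUSCATED:
        print(extract_host(url), 'obfuscated' if looks_obfuscated(url) else 'plain')
```

The decoded host still contains the en dash and the superscript two, so blocklist lookups should be done on this decoded form (or its IDNA encoding), not on the raw href text.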

We have also observed spam containing Google properties (e.g., groups.google.com, docs.google.com, writely.google.com), spaces.live.com, and many other places hosting user-generated content as the call-to-action URL ultimately serving up landing pages advertising online pharmacies. These online pharmacy landing pages are hosted off of the same IP addresses as domains advertised in wavy image spam.

Perfectly innocent websites are being compromised as well and are being used to host spam content (usually redirectors leading to online pharmacy landing sites). These web pages are appearing as the call to action in spam, and unfortunately, due to the high number of insecure websites, the spammers have a dynamic set of hosting resources to burn through.

We also observed an increase in economy related spam. The content varied from debt consolidation services to work at home scams.

One of the most egregious work at home scams advertised through email, Facebook, and Twitter spam was the Google work at home scam. The messages promoted a free kit for recipients to make money through Google. Unfortunately, recipients were required to provide their credit card information to pay for a small shipping and handling fee. Subsequently, the recipients were charged a substantial recurring monthly fee, and most were unable to reverse or stop the charges. This scam has no legitimate ties to Google. In fact, Google recently filed suit in US District Court in Utah against Pacific Webworks, Inc. and John Does for violations of trademark, cyberpiracy, and consumer sales practices laws.

Who’s responsible for affiliates?

Affiliate marketing, where a company provides compensation for affiliates driving traffic (and potentially sales) to their sites, may have adverse ramifications if not properly managed. Over the past week, affiliate-driven spam has once again migrated to the top of our radar. It is unclear whether legitimate brands have decided not to police their rogue affiliates, or they do not fully understand the negative effects of an unmanaged affiliate program.

In one example this week, messages advertising the products and services of a major brand were sent out containing rotating, disposable domains and hashbuster text from multiple netblocks of IP addresses, a practice commonly known as “snowshoe.” The affiliate is sending unsolicited bulk email and engaging in practices to evade spam filters and IP reputation services.

Ultimately, turning a blind eye to the actions of affiliates can lead to a decrease in engagement and an increase in spam reports from recipients due to increased frequency, damage to a brand’s reputation, and possibly, litigation. CAN-SPAM requires companies to be responsible for their affiliate programs. According to the Institute for Social Internet Public Policy, “if the affiliate is dishonest, and hides their true identity, then the affiliate program for the product featured in the email (which will be the product being sold under the affiliate program) becomes responsible. In other words, if you are advertised in the affiliate’s email, and the affiliate cloaks who they are, you become responsible.”

Before CAN-SPAM, AOL successfully sued Cyber Entertainment Network “based on the principle of negligent enablement and negligent hiring and retention. The lawsuit said that they had retained affiliates they either knew or should have known were engaged in spam to advertise their Web sites.”

Hopefully, these brands will realize the potential long-term fallout outweighs the short-term gains and make changes to prevent further misuse of their affiliate programs.

How do I recognise mobile spam and abuse?

Following on from our press release on the new MobileAuthority solution for mobile networks, we thought we’d give a quick roundup of some of the more common mobile spam and abuse attacks, and how to recognise them. One common theme in mobile abuse is that much of it is fraudulent, i.e. they are trying to scam you to get money, so it’s really important to be aware of the tricks they use.

Premium-Rate Number Scams

This is one of the most common types of spam, and it can be quite pernicious. The idea is to send you a message that tricks you into calling back or replying via SMS. The number you call or send a message to is actually registered as a “Premium-Rate” number, and you get charged much higher fees for that call/message on your bill. Even worse are the unscrupulous folks who sign you up for ongoing subscription services that charge you each time they send you messages. Most countries have a code of practice regulating these services, and most providers of these services are legitimate; however, you do have to watch out for messages (always unsolicited) like the following:

Hi, it’s me! Call me back on this number

Sorry I missed your call, can you get back to me on this number?

You’ve won a cash prize! Reply to 27361 to claim your winnings!

The most important thing, as with all spam, is to look out for (and be suspicious of) messages from unknown numbers, and also be aware of the premium rate number prefixes in your country. Here are a few examples:

France – 0899

UK – 09

USA – 900

For a fairly comprehensive list of premium rate numbers, there is an article on Wikipedia.

Some of these will be trying to get you to reply to a premium-rate shortcode; the lesson here is that practically all shortcodes that are not provided by your operator will cost you money to send to them. So be very careful when replying to SMS messages, especially those that come from shortcodes (these are typically 4-6 digit phone numbers, but unfortunately they don’t normally conform to a standard prefix, unlike premium-rate phone numbers).

Phishing

Phishing is a term that is used to describe malicious senders impersonating a company or institution (usually ones you might have a financial or billing relationship with) in the hope of getting you to give them information which might help them defraud you of money. This usually takes the form of them luring you to a website which looks just like your bank, for example, and then stealing your authentication (login) information. It can also lead to identity theft, or using your details to add premium services to your bill, etc. Even worse are the phishers who set up automated voice response systems that sound just like your bank – many people just don’t expect to be scammed in this manner.

Phishing can be quite hard to detect on a mobile, because many of us don’t question the trustworthiness of the SMS messages we receive on our mobile phone that claim to be from our bank, mobile phone operator, credit card company etc. We would encourage everyone to be suspicious of these types of messages, particularly if you aren’t expecting them. Some example SMS phishing messages we’ve seen in the past:

BANK OF THE XXXXXXXX urgent account notification, verify unusual activity, call 1800-###

Dear Customer we are sorry to inform you that we had to lock your XXXXXX Credit Union access. To reactivate it call ###-###-####.

Viral Hoaxes

Viral hoax messages are often sent around – these can be very annoying, but are not typically considered harmful. They attempt to get you to forward a message to all your friends, in return for some reward for yourself (financial or even as tenuous as “good luck”). Here’s an example:

Text Message Holiday Special: Forward to 10 friends for $25 credit!

The message normally comes from your friends, and so appears trustworthy, and this alone is often enough to encourage people to follow the instructions in the message. As usual, our advice is – distrust any message that seems too good to be true, as it almost certainly is!

Mobile Viruses

Viruses do exist in the mobile world, and although it’s true that today they are not as prevalent as they are on PCs, they are growing in sophistication and penetration, particularly with the rise of smartphones. Transmitting a virus in an SMS message is actually pretty difficult, but we’ve recently seen the first example of a virus that uses SMS messages to propagate itself (the SexyView worm).

Without going into the specifics of SexyView, which are covered extensively elsewhere, it’s worth being aware that an unsolicited SMS message containing a web URL that looks really enticing (e.g. “Britney’s bare-faced cheek!”, “Ronaldo and Paris – the video”, “Video of WWII bomber found on moon!”), may actually take you to a website that downloads a virus to your mobile phone. In the case of this particular worm, the message appears to come from your friends, so you do have to be particularly vigilant. This kind of threat is only going to grow in the future, and could even be used to turn your mobile phone into a spam-sending bot, of the type commonly found on PCs, which would have serious implications for your next phone bill.

We’ll almost certainly revisit this topic in future blogs, as sadly mobile abuse is only going to increase in the future – all too obvious when you think that mobile is by far the world’s largest addressable communication medium, and thus the most attractive target for the bad guys out there.

Neil

An Appreciation of Spam

This week is SPAM™ Appreciation Week in the UK. Of course, they’re celebrating the canned meat that helped win World War II, but I thought I’d take the opportunity to come up with reasons to appreciate the other kind of spam.

1) Spam makes you feel wanted
Everyone hates the empty feeling in their gut when they get home from a long day at the office, open their postal mail box and discover… nothing. No mail. There’s that tiny little ‘nobody loves me’ pang. Spam makes sure you never have that feeling when opening your email inbox, because there’s always something. Today, a sales pitch for fake luxury watches; yesterday, a notice that the long-lost great-aunt you didn’t know you had in Nigeria has passed away and left you millions; tomorrow… who knows?

2) Spam is making the Internet better
Spam is, by many estimates, as much as 90% of the email on the Internet today. That much extra mail requires lots of extra network bandwidth (between ISPs and from ISPs to customers) to make sure every packet gets delivered in a timely fashion. More spam? Spend more money upgrading your network and servers yet again, find new ways to optimize connections in equipment you already have, or look for ways to improve the protocols used to talk between networks. Everybody wins when we can find ways to push more data around. Speaking of buying new equipment, that leads me to…

3) Spam helps the economy
Even in these troubled times, network operators and ISPs are going to continue to need to upgrade servers and network equipment to handle the extra load from increasing spam, thus releasing precious capital back into the economy. Add to that the money being spent on those fake watches, and the fortunes to be recovered from those long-lost Nigerian aunts… we might almost be able to solve the financial crisis right there!

4) Spam makes people smarter
Not immediately, of course, and I’m not talking about “Make your brain larger” spam. Recipients of large amounts of spam are getting smarter regarding where and how they give out their email addresses as well as what to do with the mail they do get. Sure, there are still plenty of people who open every attachment they receive, but many more people are wary about opening things from people they don’t know, about keeping their anti-virus and security software up-to-date, and about how to report spam to their ISP. They’re also less likely to give out their email addresses without checking privacy policies, or perhaps to have one email address for private mail and separate, disposable addresses for online signups.

Given all this, I can see why folks in the UK could be celebrating spam. It certainly does have a bright side or two when you look at it the right way, doesn’t it?

Managing SMS expectations

AT&T Wireless is coming under fire for sending a message to their subscribers reminding them to watch the season premiere of American Idol. AT&T’s spokesman has defended the campaign, pointing out that the messages were free, only sent to AT&T subscribers (with whom AT&T has an ongoing business relationship), and gave recipients a way to opt out.

Recently, Optus was fined $110,000 AU (about $72,000 US) for sending text messages to about 20,000 of their subscribers promoting their new Zoo service. Optus’s message did not clearly identify Optus as the sender, in violation of Australia’s Spam Act of 2003.

Separate events, but they do highlight three common issues:

1) Make sure your customers know what to expect from you. Suddenly changing the overall content of what you’re sending is likely to cause spam complaints to skyrocket.

2) Be clear about who you are. Choose an identity and stick with it. In email terms, sending as different entities or using a large number of domain names in your messages makes it harder for recipients to identify that you’re the company they’re expecting to hear from.

3) Understand your local laws, and the laws of your receivers. Optus ran afoul of the Spam Act requirement that “the message clearly and accurately identifies the individual or organisation who authorised the sending of the message”. In Optus’s case, they used the sender identification ‘966’ (‘ZOO’). AT&T Wireless, however, clearly identified themselves as the sender.