Cloudmark sees two main types of pump and dump spam, that I call the drive-by and the targeted. The drive-by stuff is traditional spam: many millions of emails sent from a botnet to a random list of addresses, with no indication who is promoting the stock. There are usually mistakes in grammar or even complete nonsense in the text. Here’s an example:

This stuff is easy for us to filter, and the tiny fraction of that is read by humans is unlikely to be persuasive. These attacks tend to feature one stock at a time, so it seems like there is a single operator responsible for them.

Much more pernicious are the targeted emails. These go out to mailing lists for “hot stock tips” that people have actually signed up for, and are often backed by paid blog posts and comments on stock discussion forums promoting the stock. The Motley Fool web site had a great recent blog post on how this process works.

On the right is one of the emails promoting the stock that Motley Fool discussed. It looks really exciting and it’s full of numbers about other companies, but the company it is promoting has no revenue, less than $10,000 cash in hand and a negative book value. Also, I’m not showing you the whole email. Down at the bottom there is a disclaimer in fine print, in an attempt to stay legal. It’s actually included in the email as an image, so even if you increase the font size it’s still hard to read, and if you have external images turned off in you email you won’t see it at all. Here it is

Notice that when the print is the same size the disclaimer is much longer than the ad copy. To reduce it to one sentence, what it says is, “We are being paid to say this and don’t really mean it.”

Generally, the people paying for the stock promotions are insiders who control the company and own most or all of the stock – they can create more if they want to. The point of the promotion is not to increase the price, but to increase the volume of stock traded, so they have a market for their worthless paper. In some cases following a pump and dump promotion the stock value goes straight down as insiders compete with one another to dump their stock fastest. In others it may go up for a while but it will always go down in the long run. Note that insiders can manipulate the listed price with wash trades, that is selling stock to themselves at artificially inflated prices. In the long term the prices of stocks that are promoted like this almost always end up going down.

You might think that you could make money by shorting these stocks (that is, betting they will go down) but in practice it is hard to short in any volume in such illiquid markets. There are some experts who claim that you can make money by second guessing stock manipulators, and it may be possible for some. You can also make a living playing poker; that too takes study, dedication, nerves of steel and the willingness to lose a large sum of money and go on playing.

So who is sending out these stock promotion newsletters? The PumpsAndDumps.com web site, which monitors stock promotions, has a handy list of stock touts. Though all of the operators have multiple web sites, Pumps & Dumps had them neatly listed by owner. I took the volumes of email we have seen referencing each web site and grouped in this way. Here’s the result.

Click for high resolution image

It looks as if last year the promoters experimented with occasionally sending to a much larger mailing list, but for the most part this year have been restricting their mailings to people who have signed up on one of their web sites. This is a smart move on their part as it means that spam filtering services such as Cloudmark’s are much less likely to blacklist their mailings.

Almost sixty percent of the stock promotion emails over the period I listed come from just two corporations, Awesome Penny Stocks and Victory Mark. Not so coincidentally, these two were recently sued for spamming by anti-pump and dump campaigner George Sharp. While I can’t comment on lawsuits in progress, you rock George.

Finally, let’s return to 1720 and the South-Sea company. Robert Walpole, speaking in parliament, warned against stock speculation. It would, he said, “divert the genius of the nation from trade and industry. It would hold out a dangerous lure to decoy the unwary to their ruin, by making them part with the earnings of their labour for a prospect of imaginary wealth. The great principle of the project was an evil of first-rate magnitude; it was to raise artificially the value of the stock, by exciting and keeping up a general infatuation, and by promising dividends out of funds which could never be adequate to the purpose.” Nobody listened to him back then, either.

More resources

• Anatomy of a Pump and Dump, from PumpsAndDumps.com
• The South-Sea Bubble, from Memoirs of Extraordinary Popular Delusions and the Madness of Crowds by George Mackay
• German Kid Buys SWVI-Swingplane Ventures, YouTube video from StockRealist
• Deconstruction of a Pump and Dump Disclaimer, from Motley Fool

The spammers often link to what appears to be a legitimate news web site. This SMS message, which addresses the recipient with the correct first name

takes you to a fake news web site that looks like this

There are three ways that this spam can be monetized. First it can be used for collection of personal details for identity theft. Secondly it can be used as an advanced fee scam – in order to earn money you first have to buy materials from the ‘employer’ that turn out to be worthless. Finally it can be used to recruit money mules for bank fraud.

Money mules are a vital step in a common form of bank robbery. It works like this. The controller of a small business receives an email addressed to them and opens an attachment. This contains a trojan, which takes over their computer. The trojan installs software which collects the credentials used to access the company bank account. This is usually more successful when the company banks with a smaller regional bank that does not have the same sort of fraud prevention in place as a major bank.

Meanwhile, the criminals have recruited a number of money mules who have been doing pointless make work tasks for a month or so, and have provided their bank account details to the hackers to receive payment. On the day of the theft, the hackers access the company bank account and start transferring money out to the money mules. They are limited to under $10,000 or $5,000 per mule, depending on the institution they bank with, so in order to steal $1,000,000 they will need at least a hundred mules. The mules are instructed to withdraw the money in cash, collect a small commission themselves and transfer the rest via Western Union or MoneyGram to an offshore recipient, often in Eastern Europe. In most cases the money mule has no idea they are participating in anything illegal.

As far as the criminals are concerned, money mules are a limited resource, as they are hard to recruit and can only be used for one fraudulent money transfer. Brian Krebs reported on a theft last month where he speculates that the hackers could not take more than a million dollars out of the account because they ran out of mules. Shortly after this theft we saw a spike in the volume of SMS work from home spam. For the two weeks after the attack, we saw 280% more work from home SMS spam than the two weeks before. Was this the criminal gang looking for new mules after they had burned up their entire gang in a particularly profitable heist?

One technique used in spam detection is setting up large numbers of email addresses that have no real user. They are just exposed on the web somewhere, and then anything that is sent to them must be spam. These are called honeypots. Perhaps something similar would work to detect this sort of bank fraud? Set up some fake identities, (let’s call them honey mules) sign them up for work from home schemes, and have a bank account that is flagged with the financial institution so that any transfer into the account is immediately regarded as fraudulent. That way the sending institution can be notified that the sending account has been compromised and can block further transfers and even reverse many of those those that have already taken place before the other money mules can remove the money from the accounts. Of course, this would require close cooperation of the banks, law enforcement, and whoever is operating the fake identities.

Unfortunately, nobody has an economic incentive to do this. Business bank accounts do not have the same legal protection as consumer accounts, and when there are losses due to unauthorized transactions in most cases the business eats the loss, and not the bank. Even when the bank can be proved in court to have provided inadequate security, the losses are usually taken by small regional banks rather than the big institutions that have the resources to investigate cyber threats.

Still, the million dollars heist last month is getting to be serious money. If there is anyone out there who is interested in the honey mule scheme, give us a call and we’ll be happy to provide you with all the latest work from home spam in email and SMS.

More resources:

• FBI Warning on Work From Home Scams [PDF]
• US CERT Warning on Money Mules [PDF]
• Brian Krebs on Small Business Bank Fraud Victims

A google translate indicates that the reports state the networks failed to provide an opt-out, failed to indicate costs clearly, or the dates and other terms of the offers advertised.

There is an excellent release from the consumer protection agency, note the box at the bottom with the summary of the legal issues involved: (Google translate) Delivery of Advertising: Sernac justice denounced Claro, Movistar and Entel for not respecting the Rights of Consumers.  [ News, more news ]

This isn’t just a local phenomenon. We estimate SMS spam levels to be hitting 575M/day globally and there are other groups actively taking action already.  In the US the FTC are prosecuting 29 defendants for SMS spam.  In the UK the consumer group Which? are campaigning for action on shady SMS marketing and are calling for a taskforce to address it, meanwhile the ICO have issued substantial fines to SMS spammers touting shady PPI schemes.   

I’m all for a decent dose of vigilante consumerism but I have to say I’m a little sceptical right now. It will be interesting to see in the Chilean case if these show guilt on the part of the operators or find that third party marketing companies were actually at fault, but either way, that’s what I call a LART.

Finally, you can of course do your bit to help prevent SMS spam by forwarding the message to 7726.

Sound familiar?

Surprised?

I’m not.   I didn’t say the list contained recent customers who love you enough to entrust your employer with their name, postal address, email address, date of birth, credit card number, inside leg measurement and gave your company their explicit permission did I?  I’d also go as far as to suggest that permission in one form or another is actually the root cause of most deliverability issues.

Since spam reports or complaints are a hugely important part of the reputation equation for every mailbox provider these days, I’ve some advice about some of the most common issues we’ve seen and learned from over the years.  These are the sort of problems  that are guaranteed to upset your email recipients and trip you at the first hurdle.

Before we start, I would like you to keep in mind, that for many email recipients, a “spam report” is a psychological pacifier, used when they want to resolve a situation in their inbox, a situation they genuinely believe the sender is contributing to.

Permission:

The key to creating the very cleanest mailing list is only ever using genuine self sourced, confirmed permission recipients.   Even the big senders get this wrong and it really is the simplest thing to get right. Why? Well it’s generally <Insert some excuse about 3rd parties here> reasons, so let’s set the record straight right now:  Editing your privacy policy is not an opt-in, no matter how legal it is. It’s a spirit vs letter of legality issue and is tantamount to tricking permission.  The same goes for co-registration, opt-in list leasing, marketing data partnerships and appending. So;

What sort of permission does your company really have?

How accurate is your data?

How current is your data?

How does the recipient actually know you?

My acid-test of permission is ” Did I give permission to this Company ” and  if the answer is anything but a simple “Yes” then I can’t say I blame anyone for hitting the report spam button and casting an email to the spam folder.  Your job is to ensure your customers make that familiarity connection when they read every single email.   If you chose make your opt-in blatantly clear and actually an obvious conscious decision during the customer sign-up experience your recipients are more likely to remember opting in.  To this end your recipient data should include data on exactly how the recipient opted in, be it a purchase option, website subscription request, an affiliate referral or entering a competition. If you’re not doing this then you’ll have problems back-tracking issues and segregating channel segments that cause an abnormal volume of complaints.

Mailing old lists:

Your recipients are likely to be a little forgetful, so despite your amazing data to the contrary, recipients will often just forgot they subscribed if you haven’t been mailing them recently. If your brand has slipped over their familiarity event-horizon they will reach for the “Report Spam” button. I’m surprised more legitimate marketers don’t remind users how and when they subscribed if they have a direct relationship.

Speaking of old lists…

List Sourcing:

The Ultimate E-Mail List!

↖ This is how you shouldn’t do it ↗

If you care about your companies virtual  ”sleaze rating”,  Never ever buy,  rent, borrow, swap, steal, scrape or otherwise acquire lists to supplement your marketing.  There are lots of brokers about offering permission granted lists and the recipients are besieged with spam, so is it any surprise they are probably a little more belligerent than most and complain a lot?  This is all because the lists are simply sold to anyone and everyone.

Don’t think this won’t happen to you either.  Part of the inspiration of this post is that I recently spoke to some great guys from an absolute powerhouse in the email space about an over-enthusiastic sender of theirs.  The reason readers should not to be complacent is that this victim weren’t an ESP, they were a retail giant who happen to send a modicum of marketing on behalf of others and somehow a bad list found it’s way onto their platform, and, well, a “WHAM!” happened.  My team had them back on the path of goodness by return, but it took non-trivial auditing time to investigate.

Personalise:

You can use some basic psychology to avoid some complaints by always addressing a recipient directly and properly. Addressing in this context is more than gender or name.  Here are some pretty poor examples:

• Dear shopper or Hi Subscriber, - You may as well say “Please report this as spam.”.
• YOUR EMAIL ID.HAS WON – Again, very generic greetings, but this time with a “too good to be true” hook.
• To: “jdoe@example.com” <jdoe@example.com> –  You don’t have a real name? How can you personalise?
• Sir, Will you / <Politician surname> Supporters!  We need … – Nothing says “report me” if you get the recipients gender or facts like political allegiance incorrect.

Just take a look how the “big guns” address their mail.  ”Hi Dave,”, “David”, “Mr Smith,”.  Using personalization appropriately is much more appealing to the recipient and endears the sender to them somewhat.  Here endeth today’s psychology lesson.

The emergency exits are…                           [Report Spam]

The cognitive aspect of a spam complaint is an interesting beast.  When a recipient makes the decision to report spam they are trying to alleviate a situation in their inbox that they completely believe is being caused by your mail. It doesn’t matter if they bought from you last week, or if they opened a mail from you and rendered the images 59 days ago, they genuinely want you to stop.  So please, for the love of the inbox, process every reply, every feedback loop and always put an unsubscribe button above the fold.  You don’t want unhappy subscribers on your list so by helping them to help themselves you will reduce complaints. So ask yourself before you send again, where is your emergency exit sign?

Another quick true story:  I spoke to an ”ESP” this morning that was re-selling a “technology partners” services (those of another ESP) to a 3rd party organization and had a pretty poor feedback situation going on with some recipients complaining very frequently over a continued period and their persistent sending to spam traps was borderline harassment.   After a lengthy discussion this “ESP” (and I use the term only because they did)  blamed their lack of feedback loop data on their technology provider.  They are clearly demonstrating neglectful list husbandry and this was obviously reflected in the feedback we see from the Cloudmark community.   Who’s to blame for the reputation of a poor sender in this scenario? Well it certainly isn’t us.  Where did their explicit permission come from?

Pick your ESP with care:

There are 3 rules of thumb with ESPs :

1. ESP’s vary in quality.
2. ESP’s are great at self marketing.  
3. Goto 1.

ESP’s are run by the successful marketeers, so choose one that’s going to work hard to help you the most no matter how much it hurts is the key.  Yes, they should audit your best practices thoroughly, if they don’t you probably chose the wrong ESP.  Yes, if you have sufficient data on your clientele they will probably advise you as part of their stewardship process to remove 20%, 30% or even 50+% of your list before you send.  Is that so bad? If you think about it they are trying to save your money and reputation.  One final thing to remember is that the term “blast” has never in my experience been a good sign.

Quality not Quantity:

Everybody knows (hopefully by now) that over-mailing a list is hugely damaging and that the key to engagement is quality not quantity.  The overall mantra to this tale is that high quality mail in general does not generate anywhere near the amount of poor feedback.  I’m not just talking about quality content, I’m talking about recipients and senders too.  If you can create a little desire or passion in your creative and your permission is in good order, you’re almost certainly on the right path.

TL;DR; Cheating on permission is “campaign suicide”.

Attacking hosting software is so valuable to spammers as it allows them to piggyback on the positive reputation earned by a legitimate website, in contrast to the neutral or even possibly negative reputation that they would have with a newly registered domain. It’s usually a lot easier for a spammer to steal and ruin someone’s hard-earned positive reputation than to earn a positive reputation on their own.

Earlier this year we discussed how wordpress-powered websites were being increasingly targeted by spammers. We’re all familiar with techniques such as exploiting software vulnerabilities, attempting to guess/crack/reset passwords, etc. The Slashdot article points out that even if you do your best to keep software up to date and manage your passwords, the software itself might be an attack vector. In horror movie cliche terms, sometimes the phone call really is coming from inside the house!

In the past we have seen spammers exploiting vulnerabilities in WordPress and Joomla to allow web sites to be attacked. At the moment there are reports of a large scale attack against WordPress sites using a brute force method of trying different passwords in an attempt to find one that works. However, the compromised web sites in this attack are running various different kinds of software, or none at all. It is not WordPress accounts that are being compromised, but the hosting accounts themselves.

 I found one account which was used for file sharing only and had the directory contents exposed, so we can see the various files placed there by spammers.

Only the file names that are fuzzed were placed there by the owner of the domain. All the ones you can see were placed there by one or more spammers. In October 2012 through January 2013 a number of .php files were created or modified. Some of these redirect to landing pages elsewhere, some were intended for sending spam, and none of them worked because PHP was not active on this server. In November 2012 and again in April this year, the same approach was tried with .html files. These do indeed redirect to spam landing pages. (n2.html and r1.html redirect to pages selling fake pharmaceuticals, and the other redirect to porn.) Finally, on April 9th, 2013, the directory cookiezgm3 was created. This contains a copy of the pornographic landing page discussed above, along with all the thumbnails, images, CSS files, and scripts.

In fact these attacks date back further than that. A snapshot from the Wayback Machine taken in June of last year shows the site had been compromised back then. Note that the atf86.html and btf86.html files were present back then, but the files have been updated as the file size and date are different.

I talked to the owner of this domain to see if I could find out how it was compromised. Since PHP was not available the intruders clearly did not get in via a server side bug. My next thought was perhaps that the personal computer used to update the web page had been compromised, but it is running an up to date copy of Norton Anti-Virus. Then the owner of the domain admitted to choosing a weak password… so it looks as if the brute force attack is not limited to WordPress, but is being directed against hosting accounts as well.

So far we have seen this spammer use over 30,000 different compromised domains for call to action URLs and 528 of those to also host his pornographic landing pages. It’s likely many of those compromised hosting accounts are also being used to send spam. Over 20% of the emails from this spammer contain a X-PHP-Originating-Script: header indication that the email was created by a PHP script. This is generated by PHP 5.3 and above if you have the correct configuration variables set in your php.ini file. I recommend

mail.add_x_header = On
mail.log = /var/log/phpmail.log

This will log outgoing emails sent from PHP on your server and the Originating-Script header will tell you where they are coming from.

There is one more chapter to this story. We are seeing a disproportionate number of these hacked domains on two hosting services, one in the US, and one in Germany. Do these hosting services allow an unlimited number of login attempts? Or did a spammer get hold of their /etc/passwd/ file containing encrypted passwords and run a dictionary attack against that? Either way, simply using a strong password would have protected those accounts. Remember, folks, unless your spell checker underlines it, it’s not a password, and hackers sp33k 1337 as well.

If you are a hosting provider, here are a few things you can do to prevent account compromise:

• Make sure your clients use strong passwords both on their hosting account and WordPress accounts – especially make sure they don’t use passwords in the dictionary or on this list.
• Salt password hashes before you store them.
• Prevent unlimited login attempts, and use extra authentication if the login is from an IP address not previously seen for that account.
• Use the php.ini parameters listed above, and monitor the PHP mail log for sudden increases in volume.
• Encourage your clients to run the latest release of WordPress and Joomla.
• Hosting providers can request a free outbound spam analysis from Cloudmark. Contact Blair Bolden.

Subscriber reports to the GSMA Spam Reporting Service, 7726, shed a clear light on the potency of this regulatory move as daily volume rates for these scams plummeted. Below is a daily tracker illustrating the impact of the FTC regulations on the daily volume of SMS gift card scams. Earlier in the quarter, we were seeing gift card scam volumes peaking above 50% of all reports in a given day. Soon after the FTC announcement, the same scams plummeted below 10% of each day’s volume.  A similar trend was seen more macroscopically. In 2012, these scams constituted 44% of all SMS spam reported during the year. This has fallen dramatically in 2013 with only 6% of the March’s volume being gift card scams.

We saw growth in other attack categories over this quarter.  The figure below shows Job Listing Scam’s monthly volume share rose by 400% over the quarter. Similarly, Adult Content Spam doubled its share from 8% to 16%.

Meanwhile, the SpamSoldier Android botnet and other older botnets were linked to several Panamanian services. These services provided registration mechanisms for rogue online pharmacies, domains for the SpamSoldier botnet, and anonymous hosting for botnet Command and Control servers. More details about these Panamanian services along with further analysis of SMS and email spam trends in Q1 2013, can be found in our quarterly report.

When you get a spam SMS message you should forward it to 7726 (that’s S-P-A-M on your phone keypad).

Many mobile carriers around the world are moving to the 7726 short code as a standard way to report text message spam, although in some countries they use a different short code, such as in France where the code is 33700.  If you don’t get the expected response from 7726, then check with your mobile carriers for the best way to send in spam reports.

If you check out the blog posts from Monday (iPhone) and Tuesday (Android), you can see that forward a spam to a short code requires several steps.

So in addition to using 7726, Verizon Wireless customers in the US, who have Android phones, have another, slightly easier spam reporting option.  Verizon offers a Messaging App called Verizon Messages  that contains a Report Spam button.  Here’s how it works.

1. When you receive a spam message, tap on the Menu button

2. To report the message as spam, tap on Report Spam

3. Verizon Messages will check that you’re sure you want to report the message as spam, just so you don’t accidentally report your friends as spam.  If it it’s a real spam message then tap on Report Spam to confirm.

That’s it.  All done!

You can see that reporting spam using Verizon Messages is much easier than the multiple steps required to report spam using forwarding on your iPhone or Android.  Hopefully in the future other mobile carriers will do something similar to Verizon Wireless and offer similar easy ways to report text message spam.

Verizon Messages is available on the Google Play: https://play.google.com/store/apps/details?id=com.verizon.messaging.vzmsgs 

]]> http://blog.cloudmark.com/2013/03/20/how-to-report-spam-using-verizon-messages/feed/ 0 http://blog.cloudmark.com/2013/03/19/how-to-report-text-message-spam-on-an-android-phone/ http://blog.cloudmark.com/2013/03/19/how-to-report-text-message-spam-on-an-android-phone/#comments Tue, 19 Mar 2013 22:25:20 +0000 Andrew Conway http://blog.cloudmark.com/?p=2700

When you get a spam SMS message you should forward it to 7726 (that’s S-P-A-M on your phone keypad).  This reports the spam message to your mobile carrier so that they can take action against the spammer.

Many mobile carriers around the world are moving to the 7726 short code as a standard way to report text message spam, although in some countries they use a different short code, such as in France where the code is 33700.  If you don’t get the expected response from 7726, then check with your mobile carrier for the best way to send in spam reports.

Today we’ll show you how to forward the spam to 7726 on an Android mobile phone.  On Monday, we showed you how to report spam on an iPhone and tomorrow we’ll show you how to do it using Verizon Messages (Verizon’s Messaging app) which has a convenient ”Report Spam” button.

How to Report Spam on an Android Phone

1. First make a note of the phone number the spam text came from. You’ll need it later.

2. To Forward the spam message, tap on the Menu button of your Android and then tap Forward

3. Then select the spam message you want to forward by tapping on it.

4. Now enter 7726 as the number you want to forward the message to, and tap Send. 

5. In a few seconds you should get a reply from your carrier asking for the sending number of the spam.  Below you can see a message from Sprint:

6. Now enter the number of the spammer (that you made a note of earlier in step 1) and tap Send.  This will let the carrier know who sent the spam to you so that they can take action against the spammer.

Also checkout how to report spam on an iPhone, and look out for tomorrow’s post on  how to report spam using Verizon Messages which is available for Android on the Google Play Store ( https://play.google.com/store/apps/details?id=com.verizon.messaging.vzmsgs )

Many mobile carriers around the world are moving to the 7726 short code as a standard way to report text message spam, although in some countries they use a different short code, such as in France where the code is 33700.  If you don’t get the expected response from 7726, then check with your mobile carrier for the best way to send in spam reports.

Today we’ll show you how to forward the spam to 7726 on an iPhone.  Over the next few days we’ll show you how to do it on an Android phone and also how to do it using Verizon Messages (Verizon’s Messaging app) which has a convenient ”Report Spam” button.

How to Report Spam on an iPhone

1. First make a note of the phone number the spam text came from. You’ll need it later.

2. Now open the message and tap on the Edit button

3. Select the spam message by tapping on the radio button next to the message.

4. Forward the selected message by tapping the Forward button.

5. Then Enter 7726 in the To: field and tap Send to report the spam message. 

6. In a few seconds you should get a reply from your carrier asking for the sending number of the spam.  The one below is from T-Mobile:

7. Now enter the spammer’s number (that you made a note of in step 1 above) in the Text Message section, and then tap Send.  This will let the carrier know who sent the spam to you so that they can take action against the spammer.

And look out for our upcoming posts on how to report a text spam from your Android and how to report spam using Verizon Messages which is available for Android on the Google Play Store ( https://play.google.com/store/apps/details?id=com.verizon.messaging.vzmsgs )