Recent mobile data analyzed by Cloudmark reveals that mobile cyber criminals are increasing the sophistication of their attacks, leveraging multiple techniques to evade detection and target unsuspecting mobile users. Some of these techniques include a combination of large banks of phone numbers, rapidly changing content, and a number of website domains to send fraudulent messages and avoid detection.
Below are some sample messages that are all part of a recent large spam campaign from a single spammer. Cloudmark research shows that the spam below was responsible for over 40% of all mobile spam complaints received from North American mobile subscribers in the month of October.
Data analyzed indicates that the spammer is using thousands of content variations: multiple phrases, multiple word misspellings, changing URLs, etc. These techniques are clearly designed to evade simple spam keyword or hash-based content filtering. In addition, the spammer is using hundreds of mobile phone numbers to send the spam. This allows the spammer to evade simple volume detection by limiting the number of spam messages sent by each mobile number each day. When a series of mobile numbers has been identified as spam sources and shut down by a network operator, the spammer immediately starts using a new series of mobile phone numbers.
The graphic below is a partial list of target “call-to-action” URLs that the spammer is trying to get the unsuspecting subscriber to visit. Cloudmark has detected over 100 spam URLs related to this spam campaign, all of which trace back to a single webserver operated by a single spammer.
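The following Python sketch is an added example, not Cloudmark's detection code. It shows why exact-content hashing and a per-sender volume rule both miss a campaign like the one described above, while grouping messages by the server that hosts the call-to-action URL ties the senders and domains together. The messages, phone numbers, domains, IP address, and thresholds are all constructed for illustration.

```python
import hashlib
import re
from collections import Counter, defaultdict

# Constructed sample traffic (sender, text); numbers and domains are fictional.
MESSAGES = [
    ("+12025550101", "Need cash now? Get a loan up to $1500 at http://fast-cash.example/a1"),
    ("+12025550102", "Need ca$h now? Get a l0an up to $1500 at http://quickloan.example/zz"),
    ("+12025550103", "Cash today! Loans aproved in minutes http://fast-cash.example/b7"),
    ("+12025550104", "Loan approved in minutes, claim it: http://payday-help.example/q"),
    ("+12025550105", "Running late, see you at 6"),
    ("+12025550101", "Get your l0an today http://payday-help.example/k2"),
]
# Constructed stand-in for DNS lookups (documentation address range).
RESOLVED = {
    "fast-cash.example": "192.0.2.10",
    "quickloan.example": "192.0.2.10",
    "payday-help.example": "192.0.2.10",
}
URL_HOST = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


def flagged_by_volume(messages, limit):
    """Simple per-sender volume rule: senders with at least `limit` messages."""
    counts = Counter(sender for sender, _ in messages)
    return {s for s, n in counts.items() if n >= limit}


def distinct_hashes(messages):
    """Exact-content hashing: every variation yields a new hash."""
    return len({hashlib.sha256(text.encode()).hexdigest() for _, text in messages})


def campaigns_by_server(messages, resolved, min_senders=3):
    """Group URL-bearing messages by the server hosting the call-to-action URL."""
    groups = defaultdict(lambda: {"senders": set(), "domains": set(), "hits": 0})
    for sender, text in messages:
        for host in URL_HOST.findall(text):
            ip = resolved.get(host.lower())
            if ip is None:
                continue  # unresolved host: nothing to correlate on
            group = groups[ip]
            group["senders"].add(sender)
            group["domains"].add(host.lower())
            group["hits"] += 1
    return {ip: g for ip, g in groups.items() if len(g["senders"]) >= min_senders}


if __name__ == "__main__":
    print(flagged_by_volume(MESSAGES, limit=5), distinct_hashes(MESSAGES))
    print(campaigns_by_server(MESSAGES, RESOLVED))
```

In the constructed sample no sender reaches the volume limit and all six messages hash differently, yet the server grouping links four senders and three domains to one host.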
The spam attack described above is an example of “affiliate referral spam”, a business model that is very common in email and just now becoming prominent in SMS. The spammers get paid based on referrals for loans, via web redirects that send traffic immediately to an affiliate program or by accepting applications that are forwarded to affiliate programs. Since the spammer may only get paid a few cents for each referral, the spammer must send millions of spam messages to make a profit.
Affiliate spammers also make money by collecting information and reselling subscriber phone numbers, email addresses, and other information to other mass marketing organizations. By visiting the spammer’s website, entering information, and clicking Submit, the unsuspecting mobile subscriber is agreeing not only to be spammed by this same spammer, but also to allow their information to be resold to others. The graphic below is an example loan application designed to collect information that is then resold as part of a referral program:
It is imperative for mobile subscribers who receive unsolicited SMS messages to take the appropriate steps to minimize their exposure to fraud. Some basic tips:
- If it sounds too good to be true, it likely is.
- Users should never click on embedded links in an SMS text, especially from an organization one has never done business with before. If a mobile user believes that a message is legitimate, Cloudmark recommends that they access the information directly from a browser rather than by clicking on any embedded links.
- And of course, always use the same precaution on your mobile devices that you would exercise on your PC.
Additionally, many US operators now have measures in place that enable users to report suspected fraudulent or spam messages by forwarding spam text messages to 7726 or “SPAM” via their mobile device. Users should check with their operators to learn if the 7726 reporting service is available.