Cloudmark is now part of Proofpoint. Learn More

About Proofpoint

A Short Term SMS Spam Attack

Some SMS spam attacks are long term – the “Free Gift Card” attack was high volume for about a year before the FTC stepped in with restraining orders, the “We Buy Junk Cars” spammer has been relentlessly texting the inhabitants of South Florida for over two years now, and there is no sign of the bank phishing attacks ending any time soon. However, other attacks come and go over a much shorter time period. We saw one that ran from mid June through late July and then stopped. Perhaps the spammer found that this from of promotion was not cost effective, or perhaps they decided that the best way to avoid legal penalties was to run a short term campaign. It might even be a case of a ‘rogue affiliate’ that sent the spam unbeknownst to the owners of the eventual landing page, and when they found out the affiliate account was canceled.

This attack was highly focused geographically. One third of the reports came from the top five area codes, one half from the top ten, and three quarters from the top twenty.

Screen Shot 2013-09-18 at 11.56.40 AM

While most of the top ten are major metropolitan areas (Dallas, Las Vegas, Seattle, San Francisco, Miami, Boston) for some reason the smaller and more conservative Oklahoma City made it into the number two spot. Perhaps the spammer was test-marketing in different metropolitan areas to see where their attack would be most effective?

The spam messages appeared to come from an individual who wished to get in touch with the victim. This is a standard technique for adult dating spam.

this is still your number right? [redacted].com thats where im on

.howdy! its me Gina. youre friend gave me ur # we met awhile back . i m me at [redacted].com .

Each area code had its own set of domains used in the messages, so that the spammer could track marketing by area code and by pitch. Most of the domains used in this attack are no longer functioning, but one or two that are redirect to landing pages that look like this.

datingscam

Sign up is free and easy, and the day after joining, you receive an email looking like this. (Parts of this message have been blurred to protect the guilty.)

datingscam2

Is that from a real person? I rather doubt it. The photos are stolen from real people, however. For example the photo on this profile which claimed to be of a woman in Sydney, Australia was actually taken from the Facebook profile of a Nicaraguan woman.

StolenPhoto3 StolenPhoto1

Just as you would expect, when you go to view the “unlocked” private video you have to buy a membership. Even if you opt for the $1.95 three day trial, there is no escape. Here’s the fine print enlarged for your amusement.

Screen Shot 2013-09-18 at 12.34.46 PM

Since they don’t even want to tell you who your transaction will be with, any guesses as to how hard it will be to cancel the subscription? Let’s hope that this spammer’s test marketing was a failure and they will not be back, as there are a lot more area codes they haven’t tried yet.


Leave a Reply

Your email address will not be published. Required fields are marked

Learn More About Cloudmark
Our Products
News and Events
Site Map  •  Privacy Policy  •  ©2002–2019 Cloudmark, Inc.