Spammers Tap Regional Operators to Send SMS Spam from U.S. To Malaysia and Mexico

Cloudmark has observed that in some cases different categories of SMS spammers target different types of US Regional Mobile Operators, also known as tier 2 or tier 3 operators.

Mobile operators are divided into different tiers depending on whether they fully own the network that they use to deliver voice and data services (tier 1), or whether they own part of the network they use and peer with other operators for the rest of the network (tier 2), or whether they get 100% of their network from the first 2 types (tier 3).

Tier 2 and tier 3 operators tend to be smaller, often regionally based, and with different pricing plans than the tier 1 operators.

For tier 1 operators, the biggest categories of SMS spam are Bank Phishing and Receive a Gift Card messages. In Bank Phishing, the spammers use the names of regional banks and send messages to recipients based on the area code of their phone number.

In contrast, Cloudmark has observed SMS spammers using a tier 2 carrier to send messages out of the US to other countries. The lower tier carriers may be more appealing for spammers sending spam internationally if they have low-cost international plans, particularly pre-pay plans that do not require a contract.

Text message spam is not confined to a single carrier or even a single country. The GSMA’s SRS is a unified international system for reporting and monitoring SMS spam. From its initial launch in the US and UK, it is expanding to cover an increasing number of countries and provides a vital tool in shutting down international attacks.

In our first example of international SMS spam from a lower tier carrier, we detected a high volume of messages from three Washington DC phone numbers to a large number of phones in Malaysia:

Q95965845 Happy bestday! Taip ON TUE hantar ke no39665 skrg dan terima hadiah percuma! Pelan SMS mobile content yg terbaru utk SIM anda. Enjoy

The above roughly translates to:

Q95965845 Happy Hobby! Type ON TUE no39665 skrg send to and receive a free gift! SMS plans new fashion mobile content for your SIM. Enjoy

The messages were advertising Malaysian premium rate numbers. In order to evade detection, they used a unique number at the beginning of each message. Each phone number sent an average of 3,000 messages per day.
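One way a filter can see through the unique leading number is to strip it before fingerprinting the body, then count how many distinct recipients each sender reaches with the same template. The following is an added example, not Cloudmark's code: the token pattern, the thresholds, the function names and all phone numbers in the sample records are constructed assumptions.

```python
import hashlib
import re
from collections import defaultdict

# Assumed shape of the per-message token (e.g. "Q95965845"):
# up to two letters followed by six or more digits, at the very start.
LEADING_TOKEN = re.compile(r"^\s*[A-Za-z]{0,2}\d{6,}\s+")

def fingerprint(body: str) -> str:
    """Hash the body with the leading token, case and spacing normalised away."""
    stripped = LEADING_TOKEN.sub("", body, count=1)
    normalised = " ".join(stripped.lower().split())
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()[:16]

def flag_senders(records, min_messages=3, min_recipients=3):
    """Return {sender: (fingerprint, messages, recipients)} for senders that
    push one template to many distinct recipients. Thresholds are illustrative."""
    recipients = defaultdict(lambda: defaultdict(set))
    counts = defaultdict(lambda: defaultdict(int))
    for sender, recipient, body in records:
        fp = fingerprint(body)
        recipients[sender][fp].add(recipient)
        counts[sender][fp] += 1
    flagged = {}
    for sender, templates in recipients.items():
        for fp, seen in templates.items():
            if counts[sender][fp] >= min_messages and len(seen) >= min_recipients:
                flagged[sender] = (fp, counts[sender][fp], len(seen))
    return flagged

# Constructed sample: (sender, recipient, body). Numbers are placeholders.
TEMPLATE = ("Happy bestday! Taip ON TUE hantar ke no39665 skrg "
            "dan terima hadiah percuma!")
SAMPLE = [("+12025550101", f"+6010000000{i}", f"Q9596584{5 + i} {TEMPLATE}")
          for i in range(4)]
SAMPLE += [
    ("+12025550102", "+60100000009", "Running late, see you at 6"),
    ("+12025550102", "+60100000009", "Ok thanks"),
]

if __name__ == "__main__":
    exact = {body for _, _, body in SAMPLE[:4]}
    print("distinct bodies by exact match:", len(exact))  # every copy looks new
    for sender, (fp, n, r) in flag_senders(SAMPLE).items():
        print(f"{sender}: template {fp} sent {n} times to {r} recipients")
```

A production filter would tune the thresholds against per-number daily volumes like those reported here and would treat the token pattern as one of several normalisations, since senders can move the varying text elsewhere in the message.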

In another example, we detected messages referencing mesajilos.com destined to numbers in Mexico. The site offered what appeared to be a free web service to send SMS messages to Mexican phone numbers.

Mesajillos Screenshot

Upon further investigation, we found that a tier 2 operator was, unknowingly, being used to peddle all of the site’s messages through a single phone. On average, 500 messages a day were routed through the phone number to Mexico via this method.

The second part of this scheme was that the owners of mesajillos.com would harvest the numbers entered into the site and send SMS ads:

INFOTEL INFORMA;EN NAYARIT NARANJO REPUNTA EN LAS ENCUESTAS! MARTHA ELENA CANDIDATA DEL PAN SE NIEGA A DECLINAR. PUMAS CAMPEON CLAUSURA 2011

The above roughly translates to:
INFORMS INFOTEL; NAYARIT NARANJO EN Rallies on SURVEYS! CANDIDATE MARTHA ELENA BREAD REFUSES TO DECLINE. PUMAS CLOSING CHAMPION 2011

Domingo 22 de Mayo 4:30pm. Recinto Ferial TEPIC; Julio Preciado, El Mexicano, R15, Juvenil de Rosamorada Gana Com doras. Naranjo SI PUEDE

Roughly translates to:
Domingo 22 de Mayo 4:30 pm. Recinto Ferial TEPIC; Julio Preciado, El Mexicano, R15, Youth of Ghana Rosamorada With Doras. Naranjo SI PUEDE

These types of messages accounted for 21,000 messages a day and were sent by the one phone number.

In our last and most recent example, we’ve detected phishers sending messages saying that a family member is at the border and to call an included number for more information. They have been sent from tier 2 carrier phones to Mexican phone numbers.

Comuniquese ya cruso el familiar la frontera alos estados unidos comuniquese urgente Al numero [redacted]

Roughly translates to:
Communicate and cruso family usa border alos Al urgent, contact number

URGE COMUNICARSE CON EL SR VICTOR GONZALEZ SU FAMILIAR YA CRUZO LA FRONTERA DE LOS ESTADOS UNIDOS  [redacted]

Roughly translates to:
URGE TO COMMUNICATE WITH YOUR FAMILY SR VICTOR GONZALEZ AND CROSSED THE BORDER OF THE UNITED STATES

YA CRUSO TU FAMILIA R LA FRONTERA  ACA EN LOS ESTADOS UNIDOS COMUNICATE URGENTE AL [redacted]

Roughly translates to:
Cruso AND YOUR FAMILY R ACA BORDER IN THE UNITED STATES TO COMMUNICATE URGENT

These phishers are agile, using 1-3 different phone numbers a week. Once their phone numbers are disconnected, new numbers appear typically within a week or two. They average around 100 messages per day.

