The most common call to action currently used in SMS spam is a URL with a disposable domain name.
This data comes from the Cloudmark Spam Reporting System (SRS), which receives text-based mobile spam reports sent by subscribers to the shortcode 7726 (S-P-A-M on a keypad). 62% of SMS spam contains a URL with a disposable domain. The spammer wants the message recipient to open the URL and visit their landing page.
The spammers know that the domain will likely get blacklisted but hope they will get a positive return on investment by delivering enough messages before blacklisting is enforced. The investment for a new domain registration is very low these days. The huge expansion in the Top Level Domain (TLD) namespace in the past few years followed by fierce price competition between registrars means that the first year’s registration for many TLDs costs less than one dollar.
A one-year registration is much more than is needed for the spammer’s purposes. A few hours are plenty to make a profit on a 99 cent domain, and in some cases a few minutes may be enough. One financial services affiliate spammer registers multiple domains every day including the current date in the domain name. Here are some samples from December 5th.
This particular actor favored the .club TLD in early December but has now switched to the .com and .pw TLDs. The cost of registering a .club domain is currently as low as $0.88 (see https://tld-list.com/tld/club), while a single payday loan signup can earn the spammer as much as $230 (see https://leadsgate.com/).
We see many other TLDs used in SMS spam, but currently the .us TLD is a strong favorite with over 50% of malicious domains. Though it is a little more expensive at $1.88 for the first year, it may have more credibility with the victims than, say, .club or .fun.
This ranking is very subject to change over time, though. A couple of months ago, .fun was nowhere and .info was in second place. We've recently seen a drop-off in .fun, and this week .pw has moved up to second place.
A few spammers will hold onto domains for months or years before using them, or even buy up domains that were registered years ago. However, most disposable domains are used within hours or days of registration. 48% are used on the day they are registered, 77% within two days, and 86% within a week.
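As an added example (not Cloudmark's code), the following Python applies two signals described in this article to URLs found in an SMS body: the age of the domain when the message was seen, bucketed with the cut-offs quoted above, and a day-and-month token embedded in the domain label. The function names, the flagging rule and the registration-date lookup are assumptions, and the sample messages and domains are constructed from reserved example names.

```python
import re
from datetime import date

MONTHS = "jan feb mar apr may jun jul aug sep oct nov dec".split()
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

def extract_domains(sms_text):
    """Host names found in an SMS body, lower-cased."""
    return [m.group(1).lower() for m in HOST_RE.finditer(sms_text)]

def has_date_token(domain, seen_on):
    """True if the first label embeds the day and month the message was seen
    (forms such as 14mar, 14-mar, mar14, mar-14 for 14 March)."""
    label = domain.split(".")[0]
    mon, day = MONTHS[seen_on.month - 1], seen_on.day
    pattern = rf"(?<!\d)0?{day}-?{mon}|{mon}-?0?{day}(?!\d)"
    return re.search(pattern, label) is not None

def age_bucket(registered, seen_on):
    """Bucket domain age using the cut-offs quoted in the article."""
    if registered is None or registered > seen_on:
        return "unknown"
    days = (seen_on - registered).days
    if days == 0:
        return "same-day"
    if days <= 2:
        return "within-2-days"
    return "within-week" if days <= 7 else "older"

def score_message(sms_text, seen_on, registrations):
    """One finding per URL host; flag young or date-stamped domains."""
    findings = []
    for domain in extract_domains(sms_text):
        age = age_bucket(registrations.get(domain), seen_on)
        token = has_date_token(domain, seen_on)
        findings.append({"domain": domain, "age": age, "date_token": token,
                         "flag": token or age not in ("older", "unknown")})
    return findings

# Constructed sample data: reserved example names, not real spam domains.
# In practice the registration dates would come from WHOIS/RDAP (assumption).
REGISTRATIONS = {"q14-mar.example": date(2024, 3, 14),
                 "example.org": date(2015, 6, 1)}
SPAM = "Approved! Claim your funds at q14-mar.example/go"
HAM = "Your parcel is on its way: https://example.org/track"

if __name__ == "__main__":
    for text in (SPAM, HAM):
        print(score_message(text, date(2024, 3, 14), REGISTRATIONS))
```

Registration age alone will also flag legitimate new sites, so a filter would normally combine it with other evidence such as subscriber reports.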
Namecheap is by far the most popular registrar for disposable domains, with 75% of all registrations.
There are probably three reasons why spammers prefer Namecheap. As the name suggests, they are a low-price provider. Since May 2018 they have provided a free anonymization service, WhoisGuard, for all registrations. Finally, for the spammers who are concerned about legal repercussions and wish to remain anonymous even when the registrar is subpoenaed, they accept payment in Bitcoin.
For legitimate domains seen in SMS, GoDaddy has a dominant market position, so it is possible to be a highly successful registrar without catering to spammers.