
Cloudmark 2Q13

Global Messaging Threat Report April – June 2013

Island cruise giveaways tempt U.S. mobile users during the hot summer months

Compromised Accounts & Waistlines

As seasons change, so too do the pitches spammers utilize to hook victims. Blistering heat in the northern hemisphere seems to have fueled waves of summer-themed SMS spam. These campaigns have peddled free cruise getaways to the Bahamas. Others have begun to offer dieting tips to help beachgoers fit into that new swimsuit.

Alongside these cruise and diet tip ploys are a number of other spam campaigns tweaked ever so slightly to mention the summer season and its heat. Pictured above in Figure 1, various forms of spam tailored to summer constituted more than 10% of all SMS spam for a majority of days in the second quarter. April, synonymous with the Spring Break holiday in the U.S., saw a large spike in cruise spam specifically. As time passed, the levels of these summertime messages rose steadily to peak above 20% of daily SMS spam volumes.

Figure 1. 7-Day Moving Average of Summer-Themed SMS Spam, 2Q13 (share of daily SMS spam, y-axis 0% to 25%). Source: Cloudmark / GSMA

Cloudmark Global Messaging Threat Report: Highlighting spam and scam trends observed in SMS and email from April 1, 2013 – June 30, 2013

The top 5 categories of 2Q13 are plotted in Figure 3 with their associated monthly volumes. SMS phishing attempts held consistently at and above 20% of SMS spam volume each month. Despite falling four points over the quarter, adult-oriented spam contributed significantly more than the next largest category. That category, Win Free Stuff Scams, fell in May by 60% from its April volume.

SMS phishing attempts plagued mobile subscribers in 2Q13. Meanwhile, spammers continue to peddle affiliate-driven ‘Adult Content’ spam

Furnishing 10% of the quarterly volume, Payday Loan spam continued to inundate both the U.K. and U.S. Unfortunately, Bank / Account Phishing, arguably the most malicious category of SMS spam, tops the chart with a 22% share of the volume. Notably absent this quarter are gift card scams. It seems that the FTC action in March had a lasting effect on this archetype of SMS spam. Also, summer-themed diet pill campaigns propelled the Pharmacy / Meds spam category into the top 10 with 6% of the quarter’s volume.

Figure 2. Top SMS Attack Types, 2Q13 (share of quarterly volume, x-axis 0% to 25%), ranked: Bank / Account Phishing; Adult Content Spam; Win Free Stuff Scam; Payday Loan Spam; We Buy Junk Cars Spam; Pharmacy / Meds Spam; Job Listing Scam; Debt Relief Scam; Automobile Listing Spam; PPI Compensation Scam. Source: Cloudmark / GSMA

Figure 3. Monthly Volumes of the Quarter's Top 5 SMS Attack Types, 2Q13 (April, May, June; y-axis 0% to 30%): Bank / Account Phishing, Adult Content Spam, Win Free Stuff Scam, Payday Loan Spam, We Buy Junk Cars Spam. Source: Cloudmark / GSMA


Currently, all messages tailored around this diet theme have a common thread. Each message provides a shortened URL linking to the promised diet tips and suggested pills. Often, these URLs redirect the user to compromised websites. With a plethora of hacked sites at their disposal, spammers are able to keep their URLs fresh. Using these fresh URLs also helps keep spam message bodies fresh to avoid blocking and filtering.

June saw a sharp, concurrent rise in both diet spam using hacked domains and phishing attempts aimed at swiping online credentials

Figure 4 illustrates each month’s percentage of spam that was labeled as diet spam. From May to June, its monthly volume more than tripled to become 12% of all reported SMS spam.

Attackers seem to be supplementing their portfolio with account phishing attempts this quarter. Figure 5 demonstrates that phishing surged in the second half of the quarter. On June 14th, 25% of all reported SMS spam consisted of this type. It then peaked again on the 22nd. Traditionally, spammers have favored bank phishing due to the direct, lucrative reward. Recently, however, phishers have diversified their attacks with efforts to steal email, mobile, and social media accounts. These accounts can then be used directly for skimming sensitive personal information and banking info. Indirectly, the stolen credentials can also be used against other, more valuable online services if the user reuses the same login.

Figure 4. Diet Themed SMS Spam, 2Q13 (monthly share of reported SMS spam for April, May, June; y-axis 0% to 14%). Source: Cloudmark / GSMA

Figure 5. SMS Account Phishing, 2Q13 (daily share of reported SMS spam; y-axis 0% to 30%). Source: Cloudmark / GSMA


Hacked Web Hosting Accounts: The New Botnets

In the second quarter Cloudmark saw a dramatic increase in the number of compromised web hosting accounts used by spammers.

Web hosting accounts are an attractive target for hacking. Though there are fewer of them to exploit than traditional PCs, they are available 24/7, have a high-bandwidth connection to the Internet, and are often running outdated software with known vulnerabilities that are trivial to exploit. We are seeing evidence that hacked hosting accounts are now a commodity. The same accounts are being used by different spammers, so we believe that one or more criminals are specializing in compromising these accounts and renting them out as a service to a collection of miscreants.

The most common use of compromised web hosting accounts is to provide an endless supply of new URLs in spam emails. This is done by placing HTML or PHP files on the victim’s web site which then redirect to the spammer’s own landing page. Each individual compromised account may have hundreds of different redirector URLs placed on it by several different spammers. Compromised accounts can also be used to send spam via the hosting company’s mail servers using the PHP mail function, and to host the spammer’s landing page directly. We have seen pornographic landing pages hidden on many types of innocent web sites, including law offices, schools and churches.
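As an added example that is not part of the Cloudmark report, the following Python scanner shows how a hosting provider could sweep an account's web root for the two abuses described above: small HTML/PHP files that only redirect visitors to an external host, and PHP files that call mail(). The site host, file names and sample file contents are constructed for the demo.

```python
# Added example (not Cloudmark code): flag injected spammer redirector files and
# PHP mail() droppers in a hosting account's web root. Sample files are constructed.
import re
import tempfile
from pathlib import Path

REDIRECT_PATTERNS = [  # each regex captures the redirect target URL
    ("meta-refresh", re.compile(r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*url=([^"\'>\s]+)', re.I)),
    ("js-location", re.compile(r'(?:window\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)),
    ("php-header", re.compile(r'header\s*\(\s*["\']Location:\s*([^"\']+)["\']', re.I)),
]
MAIL_PATTERN = re.compile(r'\bmail\s*\(', re.I)

def external_target(url: str, site_host: str) -> bool:
    # True if url is absolute and points at a host other than the site's own.
    m = re.match(r'https?://([^/:?#]+)', url, re.I)
    return bool(m) and m.group(1).lower() != site_host.lower()

def scan_webroot(root: str, site_host: str) -> list:
    findings = []  # tuples of (relative path, finding, target URL or "")
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in {".php", ".html", ".htm"}:
            continue
        text = path.read_text(errors="replace")
        rel = path.relative_to(root).as_posix()
        if len(text) <= 2048:  # injected redirectors are tiny; real pages are not
            for name, pat in REDIRECT_PATTERNS:
                m = pat.search(text)
                if m and external_target(m.group(1), site_host):
                    findings.append((rel, name, m.group(1)))
                    break
        if path.suffix.lower() == ".php" and MAIL_PATTERN.search(text):
            findings.append((rel, "php-mail", ""))
    return findings

# Constructed sample web root: two legitimate files and three injected ones.
SAMPLE_FILES = {
    "index.php": "<?php require 'wp-blog-header.php'; ?>",
    "about.html": '<html><a href="https://example.org/contact">Contact us</a></html>',
    "images/x7k.html": '<meta http-equiv="refresh" content="0;url=http://landing.example.net/go">',
    "cache/r.php": '<?php header("Location: http://pills.example.net/?a=123"); exit; ?>',
    "cache/m.php": '<?php mail($_POST["to"], $_POST["s"], $_POST["b"]); ?>',
}

def demo() -> list:
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE_FILES.items():
            Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
            Path(root, rel).write_text(body)
        return scan_webroot(root, "example.org")
```

Running demo() reports the three injected files and leaves the two legitimate ones alone; the size threshold and the own-host check are what keep ordinary pages with internal links out of the results.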

Figure 6. Daily New Compromised Domains, 1H13 (7-Day Moving Average; y-axis 0 to 2000). Source: Cloudmark

60% of hacked domains still under control of spammers one month after compromise


Spammers do not need root access to the account in order to take advantage of it. All they need is a PHP shell, and they exploit a number of different vulnerabilities in order to obtain this access. By far the most common technique at the moment, accounting for 60% of all compromised accounts, is an SQL injection attack in Joomla 1.5, which allows a reset of the admin password. This bug was patched in 2008, but many web sites have not updated their Joomla version since then. Once an account is hacked, it typically remains under the control of spammers for a long time. As the chart below shows, only 12% of hacked hosting accounts are detected and fixed within the first week and over 60% are still compromised after the first month has passed.

To assist in remediation, Cloudmark will be happy to provide hosting companies with a current list of compromised domains on their servers. Contact [email protected] with your ASN(s) or CIDR blocks.

Figure 7. Remediation Rate for Compromised Domains: Percentage Fixed vs Time Since First Detected in Spam (buckets: Less than a week, 1-2 Weeks, 2-3 Weeks, 3-4 Weeks, 4-5 Weeks; y-axis 0% to 45%). Source: Cloudmark

After a month of use, more than 60% of compromised domains are still controlled by spammers.


At the end of the second quarter, Romania still holds first place for the number of IP addresses blocked by Cloudmark. Yet the US is closing the gap, and Belarus has shot into first place in the percentage of IP address space blocked. Our 1Q13 threat report indicated that decreases in the number of blocked IP addresses from Romania were being matched by increases from Belarus and Russia. This trend continued through April and May, but in June we saw a reversal, with Romania showing a slight uptick while Russia and Belarus decreased. Spammers will always follow the path of least resistance. It is possible that hosting companies in Russia and Belarus realized spammers were exploiting them and tightened up their security, forcing the spammers back to less selective hosting companies in Romania.

In percentage terms, Belarus is the leader, with 27.4% of their total IP address space being blocked. Romania is currently at 22.3%. Though the number of blocked IP addresses in the US is approaching that of Romania, the US blocked percentage is only 0.2% as the US has far more IP addresses allocated than Romania.

Blocked IP Addresses By Country

Figure 8. Volume of Blocked IP Addresses by Country (millions, y-axis 0 to 4; Jan 2013 through June 2013; Romania, United States, Russia, China, India, Belarus). Source: Cloudmark

Figure 9. Percentage of IP Address Space Blocked by Cloudmark (y-axis 0% to 35%; Jan 2013 through June 2013; Romania, United States, Russia, China, India, Belarus). Source: Cloudmark


Country Profile: Brazil

With the seventh largest economy in the world and no anti-spam laws, Brazil is a major target for spammers. However, the vast majority of spam sent to Brazilian customers is simply unsolicited advertising for legitimate products and services. Many Brazilian businesses regard cramming millions of mailboxes with unwanted advertisements for their products as a cheap alternative to print, TV or web-based commercials.

Cloudmark’s spam filtering system is based on feedback from spam traps and trusted users. If we get enough reports that a particular email is spam, then emails with the same fingerprints will be flagged as spam. Email marketing companies using well-managed, opt-in mailing lists will get only 5% to 10% of the emails they send flagged as spam by our system. In Brazil, the better email marketers get 30% to 60% of their outbound email flagged as spam by Cloudmark, and the less careful ones hit 90% to 100%.

Because of the flood of unsolicited marketing email, Brazilian consumers seem perfectly happy to have newsletters from major brands sent directly to their spam folder. By comparison, in the US the CAN-SPAM legislation forces email marketers to use opt-in mailing lists and to honor unsubscribe requests. So, consumers expect to see the legitimate marketing communications they do receive in their inbox rather than their spam folder.

Though the majority of the spam sent to Brazil is coming from Brazilian email marketing companies working on behalf of Brazilian corporations, most of the emails do not originate there. France sends more spam to Brazil than is sent from Brazil itself, and the US is not far behind. This is simply because it is cheaper to rent the servers and bandwidth in these countries. However, this can backfire on the hosting companies, as some or all of their IP address space may be blocked by spam filtering companies and their legitimate customers will be unable to send email. For example, Hostwinds LLC currently has 75% of their total IP address space blacklisted by Cloudmark as Brazilian spammers are using them heavily.


Brazil receives about ten times as much spam from other countries as it sends to them. Most of the outbound spam from Brazil is typical botnet traffic and the majority ends up going to the US. We don’t see any large-scale illegal spam operations based in Brazil. A Brazilian with the capability of sending bulk email is better off sending legal spam to Brazilians than sending illegal spam to other countries.

Is there any hope for improvement in Brazil’s advertising spam deluge? Brazilian ISPs are beginning to provide feedback-based spam filtering. If this becomes the norm in Brazil, email marketers will be forced to adopt a reasonable code of practice in order to guarantee deliverability.

Figure 10. Sources of Spam Sent to Brazil, ranked by hosting provider: OVH (France); Locaweb Serviços de Internet S/A (Brazil); Hostwinds LLC (USA); DataCorpore Serviços e Representações (Brazil); Akna Tecnologia da Informação Ltda. (Brazil); Infolink Panama Corp. (Panama); Secured Servers LLC (USA); DH&C Outsourccing S/A. (Brazil); Limestone Networks (USA); Hostlocation Ltda (Brazil); Alog-02 Soluções de Tecnologia em Informática S.A. (Brazil); Leandro Felix (Brazil); Carolina Internet (USA); Universo Online S.A. (Brazil); Ipglobe Internet Services Datacenter Ltda (Brazil); FortaTrust USA Corporation (USA); Global Village Telecom (Brazil); Panamaserver.com (Panama). Source: Cloudmark


About Cloudmark

Cloudmark builds messaging security software that protects communications service provider networks and their subscribers against the widest range of messaging threats. Only Cloudmark Security Platform™ delivers instant security and control across diverse messaging environments, enabling communications service providers to create a safe user experience, protect revenue and safeguard their brand, while streamlining infrastructure and reducing operational costs. Cloudmark's patented solutions protect more than 120 tier-one customers worldwide, including AT&T, Verizon, Swisscom, Comcast, Cox and NTT.

Cloudmark Headquarters 128 King Street Second Floor San Francisco, CA 94107 Telephone: +1-415-946-3800 Fax: +1-415-543-1233 Email: [email protected]

Cloudmark Europe, Ltd Davidson House Forbury Square Reading, RG1 3EU United Kingdom Email: [email protected]

Cloudmark Labs 41 Boulevard des Capucines 75002 Paris France Telephone: +33 (1) 80 48 08 20 Fax: +33 (1) 45 26 18 10 Email: [email protected]

Cloudmark Singapore 3 Temasek Avenue Centennial Tower, #21-07 Singapore 039190 Telephone: +65 6549 7845 Email: [email protected]

Cloudmark Japan Hibiya Central Bldg. 14F 1-2-9 Nishi-Shinbashi, Minato-ku Tokyo 105-0003 Japan Telephone: +81 (0)3 5532 7636 Fax: +81 (0)3 5532 7373 Email: [email protected]