Big Spam Message Hunting – Reducing SMS Spam volumes by 78% in N.A.
Today we announced an overview of SMS Spam figures for 2013. Our headline figure was that we have seen a drop in malicious SMS spam of nearly 80%. In reality we could have used a range of figures to describe basically the result of the same thing – the essential collapse of spam being sent by mobile phones in North America over 2013. This collapse is largely due to operations over the last year that have involved us tracking, hunting and trying to take down the biggest, most dangerous mobile spammers in North America, who we call the ‘Big Five’
Preparing for the Hunt
First some context, when we refer to spam over text messages, we re-use the email industry standard of bulk & unsolicited messaging. This includes a host of malicious spam types like fake banking alerts, phishing sites, work at home scams and so on, which are sent to mobile phones randomly or in a targeted fashion. We don’t refer to text messages in which the receiver may have signed up for at some stage, for example legitimate and subscribed marketing messages, social network notifications or messages from your carrier etc. Many people can and do find that these are unwanted, but they are not generally fraudulent, and normally can be opted out of.
Second the scale, the reductions we have seen are in our wireless customer’s North American traffic, which accounts for close to half of all sms messaging within North America. Therefore the spam types are representative of what is encountered in the whole mobile environment. However the same scale of the drop may not be experienced by our non-customers. In addition as spam from mobile phones has been blocked, mobile spammers have been switching to send from different means, such as from Email to SMS gateways – and has been seen in the media – to send on other Messaging types. Spam being sent via these systems has generally not been tracked and so are still being received by subscribers. Finally mobile spam leaving or entering North America is also included, so while there is considerable spam between Canada & the US, spam to and from North America is normally not a huge percentage of total figures, meaning this did not materially affect the total output.
The above graph shows the over 100 million (103,349,587) mobile attacks that we detected and blocked during the year. We do not use estimates or subscriber reports of spam number and then take multiple of this to get at a ‘true’ figure, we take the real numbers. Looking at the monthly level, we can see that mobile spam blocked fell from a high of 22 million in March 2013 to 4.7 million in December 2013, this is where we get our figure of nearly 80% (1-4716490/22014229 to be exact). This roughly works out at a SMS spam rate of considerably less than 0.01% for the month of December in our customer’s total SMS messaging traffic.
You can see that the majority of mobile spam is at the start of the year, and it seems to approach a steady state towards the later part of the year. This monthly graph hides a myriad of stories however, and to give the true account of the year and why this graph looks like it does we need to look at the data at a closer level, both in time and in context. A closer time period is shown in the weekly graph below, but for context we need to take you into the mobile security jungle.
Know your Target
Mobile spam is not a random uncoordinated phenomenon, it is sent by known threat actors. These actors range from sophisticated multi-national criminal operations to small local aggressive scammers. These are the groups who our analysts monitor, track, and ultimately work against. We call this activity ‘hunting’, for obvious reason. Internally we give these groups code-names, based on type, location, and other attributes, as intelligence on these groups is key to anti-spam techniques against them – which can have a huge impact on the mobile spam ecosystem. Many of these ‘hunts’ are still on-going, and frequently we have seen these targets shift strategy or terrain to hide from us, but here we will talk about the ‘Big Five’ from 2013, and the part that hunting them played in the year.
The Big Five for 2013 are specific, high-value, targets that we have hunted and reduced spam from, completely in some cases. There are of course many other groups both in North America and worldwide that we tracked and blocked during 2013 and onwards, but the Big 5 has occupied much of our time and much of the spam you have received in the past, so these were singled out for particular attention. Note – we have not given specific examples of the message content, this is in order to preserve the secrecy of our on-going operations.
You can see from the graph below that we categorise the result of ‘actions’ against these groups to 3 types: Strike, Trapped & Takedown. We initiate actions against these groups all year, but these are ones of particular interest against the Big 5. Strikes are those actions which have a large impact on a spammer group, although they still retain the ability to function. One possible outcome of a Strike would be a spammer switching from sending spam from a wireless carrier to send from a VoIp Carrier. Trapped is when we do an action that causes a significant (typically >80%) reduction in spam from the group or disruption in activities. Finally Takedown is when the group is effectively terminated. Normally we can only tell what the end result of the action is weeks or even months later, and, as you can see, actions we take can often have a response from the spammer, who often step up their spamming attacks to break free.
This type of spam was a very aggressive spammer sending huge amount of fraudulent phishing messages from tens of thousands of phone numbers to mobile phone users across the United States. Extensive intelligence gathering followed by a series of targeted takedowns in conjunction with carrier partners in mid to late February 2013 crippled its activity, causing a significant drop in sms spam in the US.
Current Status: Stuffed, they re-appear briefly but not for long periods. However there are signs that they have passed some of their techniques and experience on to other spam groups, particularly RHINO.
This highly adaptive and alert spammer was responsible for the sending of huge amount of free-giveaway scam text messages in the early part of the year. Based in the US North-East, an intensive anti-spam hunt over several days was required in order to adapt to their changing attacks, which sometimes changed in less than a minute, but eventually succeded in bringing them down in mid March, causing a huge drop in mobile spam in North America. At the height of the struggle sms spam in North America increased to over 8 million a week, driven primarily by this group’s attempts to overwhelm defensive systems.
Current Status: Forced out to prowl the edges, but getting bolder. Like a true Leopard, they have changed their spots multiple times. Recently they have re-appeared, sending spam from other systems than mobile phones and are currently ‘hiding’ in less well defended areas.
The most sophisticated mobile spammer in operation in North America. De-centralised and highly nocturnal, at night they send a series of aggressive Adult-themed messages to targets throughout the US. Their main base is in the western part of the US but they have affiliates throughout the US. They tend to fly ‘under the radar’ of traditional mobile anti-spam defences as victims are typically reluctant to report the received messages to their carriers. A series of strikes allowed them to be trapped in the middle of October, and the last sighting of them was in mid November.
Current Status: Possibly extinct. Once they were trapped the amount of spam they sent was a fraction of what it once was, and a series of co-ordinated strikes reduced it to zero. However caution is advised as they have demonstrated considerable cunning in the past.
Determined, aggressive and persistent. This aggressive spammers sends millions of unwanted marketing mobile spam to specific areas of the US South-East, regardless of whether someone has opted in or not. They run a less sophisticated operation than many of their fellow spammers, but make up for it in determination and brute force, sending a range of different types of marketing spam.
Current status: Disorientated. Over many months their spam has greatly lessened in volume, however vigilance is required as they could attempt to surge at any moment if they see the opportunity.
A persistent, determined spammer who now share a lot of attributes with the LION group, although initially they had a greater affinity to the LEOPARD group. Based in the US South-East, they send spam nation-wide and have moved between sending carriers, when they have been forced on. They send a large variety of message types ranging from phishing scams to fake pharmaceutical offers. Recent activity has reduced their spam sending capability considerable
Current Status: Still very active, but spam reduced, and more reductions are to come.
After the Hunt
It goes without saying that a lot of the above has been achieved due to extensive co-operation in the mobile industry, to them we owe thanks, as without co-operation mobile spam would not have been reduced as much. And this is just the start – as more and more wireless carriers introduce anti-spam protection spam volumes will reduce further, plus future anti-spam legislation and legal interventions will help to make the environment in the future even less hospitable for these spammers. If earlier figures are to be believed, Mobile spam is nothing like it once was. However we must stay vigilant, other groups are still active, and new ones may arise to stake vacated territory. You can help us in the anti-spam hunt by:
- never responding to mobile spam
- never ring any number or click on any link in spam message
- tell your operator about any message you think is malicious spam
Finally – a warning: even once taken down, spammer groups watch and probe defenses, hoping to take advantage of any perceived weakness or dropping of our guard. Another side-effect we have seen first-hand is that the sms spammer groups still active in North America have had to evolve to survive, and in doing so have become some of the most dangerous and persistent in the world.
But to paraphrase Hemingway: Certainly, there is no hunting like the hunting of spam, and those who have hunted spam long enough and liked it, never care for anything else thereafter.
You may also be interested in reading our post about the JPMorgan Chase SMS phishing spam attack.
*A note on January, due to changes in our stats collection we do not have data from January 2013. If we did our estimates show a very high probability that spam figures for January exceeded the spam figures for March. However we have elected to use only real message figures, not estimates.