SMS spam cruises for suckers

If you get a text message out of the blue telling you you've won a free cruise to an exotic Caribbean location, don't start packing your bags. It's likely just a scam.

In its most recent report on SMS spam, Cloudmark notes that scam spam was very popular during the month of May -- especially those "get something free" dodges.

Something-for-nothing swindles have always been popular with spammers, because no matter how many times folks are told there's no such as a free lunch, they still believe there is. Last month, though, spammers departed from scam themes they've used in the past.

[See also: FTC crackdown on text spammers highlights business threat]

Online grifters milking win-free-stuff scams turned their focus to cruise fraud in May, capping what's been a slow decline in free gift card deceptions.

Those scams started becoming scarce after the Federal Trade Commission cracked down on the practice in March. At that time, the FTC charged 29 gift card perps with collectively sending 180 million unsolicited SMS messages to consumers, 12% of whom had to pay for the texts.

As popular as scams were during the month, bank phishing text spam was even more popular, making up more than 30% of the more than 480 million SMS junk messages sprayed on mobile phones in the United States during the period, according to the messaging abuse solutions provider.

"Bank phishing attacks tend to come in spikes," Cloudmark threat researcher Andrew Conway said in an interview. "Someone will run it for a few days or a week or so and then vanish."

That's because bank phishing runs higher risks for spammers than other cons. "Typical SMS spam comes under the consumer telephone protection act," Conway explained. "It's a civil offense so you're liable for fines and not likely to face jail time.

"Bank phishing is bank fraud and that you can go to jail for," he said.

Nevertheless, bank phishers continue to be drawn to SMS spam. "Phones are trusted devices," Conway noted. "People trust their phones more than they trust their email accounts. It gets more immediate attention, as well."

Adult content spam was also popular with SMS spammers last month, making up to almost 25% of junk volumes.

Adult content spam typically pretends to be from someone who wants to strike up a friendship with a target. If the target attempts to make contact, they're steered to an adult content site or webcam site where the site operator tries to persuade the target to buy services from the site.

One enterprising spammer has tried referring their victims to a chat channel where an artificial person designed along the lines of the old "Eliza" chat bot tries to talk the target into visiting an adult content or webcam site. "It's pretty unsophisticated," Conway noted.

Unlike computer spam, SMS spam doesn't contain as many malicious links, however. "With a malicious link in regular email, you can be taken to a site where you can get a drive-by infection," he said. "That doesn't happen as much on a phone.

"There are Trojans on Android phones, but you have to click on a link, download the app and go through the install process to actually activate it," he explained.

Meanwhile, a curious SMS spam campaign was discovered this week by ThreatTrack Security. It masquerades as a message from Google informing its targets that either their Google or Gmail account has been hacked.

"The messages are being sent out to completely random phones," ThreatTrack Senior Threat Researcher Chris Boyd said in an interview. "A lot of people who have received the message have actually said that they don't have any sort of Google account whatsoever."

What's puzzling about the spam is it doesn't seem to have any commercial purpose. People who respond to the message are asked to enter a verification code that was included in the spam, are told that voice mail has been activated and are disconnected.

"The Google account message may be irrelevant," Boyd said. "It may be a hook to verify that you have an active phone number. Once a number is verified, it can be bombarded with spam messages, scam offers and who knows what,."

The problem is that, while the campaign has been going on since March, that kind of activity hasn't occurred yet. "It's quite a mysterious campaign because usually the answer would have appeared by this point," Boyd said.

Read more about wireless/mobile security in CSOonline's Wireless/Mobile Security section.

Join the CSO newsletter!

Error: Please check your email address.

Tags spamantispamapplicationsCloudmarkftcmobile securitysoftwareData Protection | Wirelessphishingdata protectionsmssecurity

More about Andrew Corporation (Australia)CloudmarkFederal Trade CommissionFTCGoogle

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by John P. Mello Jr.

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place