Understanding Cross-Channel Abuse with SMS-Spam Support Infrastructure Attribution

Recent convergence of telephony with the Internet offers malicious actors the ability to craft cross-channel attacks that leverage both telephony and Internet resources. Bulk messaging services can be used to send unsolicited SMS messages to phone numbers. While the long-term properties of email spam tactics have been extensively studied, such behavior for SMS spam is not well understood. In this paper, we discuss a novel SMS abuse attribution system called CHURN. The proposed system is able to collect data about large SMS abuse campaigns and analyze their passive DNS records and supporting website properties. We used CHURN to systematically conduct attribution around the domain names and IP addresses used in such SMS spam operations over a five year time period. Using CHURN, we were able to make the following observations about SMS spam campaigns: (1) only 1 % of SMS abuse domains ever appeared in public domain blacklists and more than 94 % of the blacklisted domain names did not appear in such public blacklists for several weeks or even months after they were first reported in abuse complaints, (2) more than 40 % of the SMS spam domains were active for over 100 days, and (3) the infrastructure that supports the abuse is surprisingly stable. That is, the same SMS spam domain names were used for several weeks and the IP infrastructure that supports these campaigns can be identified in a few networks and a small number of IPs, for several months of abusive activities. Through this study, we aim to increase the situational awareness around SMS spam abuse, by studying this phenomenon over a period of five years.

[1]  Wouter Joosen,et al.  Parking Sensors: Analyzing and Detecting Parked Domains , 2015, NDSS.

[2]  Leyla Bilge,et al.  EXPOSURE: Finding Malicious Domains Using Passive DNS Analysis , 2011, NDSS.

[3]  Dawn Xiaodong Song,et al.  Design and Evaluation of a Real-Time URL Spam Filtering Service , 2011, 2011 IEEE Symposium on Security and Privacy.

[4]  Wenke Lee,et al.  The Core of the Matter: Analyzing Malicious Traffic in Cellular Carriers , 2013, NDSS.

[5]  Vern Paxson,et al.  @spam: the underground on 140 characters or less , 2010, CCS '10.

[6]  Michael McGill,et al.  Introduction to Modern Information Retrieval , 1983 .

[7]  Nan Jiang,et al.  Understanding SMS Spam in a Large Cellular Network: Characteristics, Strategies and Defenses , 2013, RAID.

[8]  Evangelos P. Markatos,et al.  A Systematic Characterization of IM Threats using Honeypots , 2010, NDSS.

[9]  Roger Piqueras Jover,et al.  Crime scene investigation: SMS spam data analysis , 2012, IMC '12.

[10]  Jr. G. Forney,et al.  The viterbi algorithm , 1973 .

[11]  Wei Wang,et al.  Discovery of emergent malicious campaigns in cellular networks , 2013, ACSAC.

[12]  Nan Jiang,et al.  Greystar : Fast and Accurate Detection of SMS Spam Numbers in Large Cellular Networks using Grey Phone Space , 2013 .

[13]  Wenke Lee,et al.  Detecting Malware Domains at the Upper DNS Hierarchy , 2011, USENIX Security Symposium.

[14]  Stefan Savage,et al.  Spamscatter: Characterizing Internet Scam Hosting Infrastructure , 2007, USENIX Security Symposium.

[15]  Luis Mateus Rocha,et al.  Singular value decomposition and principal component analysis , 2003 .

[16]  Andrew W. Moore,et al.  X-means: Extending K-means with Efficient Estimation of the Number of Clusters , 2000, ICML.

[17]  Lawrence K. Saul,et al.  Knock it off: profiling the online storefronts of counterfeit merchandise , 2014, KDD.

[18]  Nick Feamster,et al.  Building a Dynamic Reputation System for DNS , 2010, USENIX Security Symposium.

[19]  Sandeep Yadav,et al.  Detecting algorithmically generated malicious domain names , 2010, IMC '10.

[20]  Roberto Perdisci,et al.  From Throw-Away Traffic to Bots: Detecting the Rise of DGA-Based Malware , 2012, USENIX Security Symposium.

[21]  Thorsten Holz,et al.  As the net churns: Fast-flux botnet observations , 2008, 2008 3rd International Conference on Malicious and Unwanted Software (MALWARE).