In late January, there were a number of newspaper articles alerting the public in the United States to a new text message scam. This scam saw spammers send members of the public unsolicited text messages disguising themselves as delivery notifications from reputable delivery service brands such as FedEx. Subscribers who receive the messages are asked to click through to a link where they are directed to a website that asks them to give additional private information such as security or credit card details in exchange for a free gift. Unwittingly, mobile subscribers may share their confidential information with scammers impersonating the delivery service company and may use this information to commit fraud.
These types of scam messages are often referred to as “smishing" attacks. Smishing attacks are similar to phishing attacks. Fraudsters impersonate reputable brands to obtain personal information. However, with smishing, SMS/text messages are used instead of email to deliver the malicious messages.
One of our leading Threat Intelligence analysts, Mallesham Yamulla, takes an in-depth look at the data behind the attacks examining volumes, frequency, geography and content of these malicious messages. He presents his findings below:
Threat Intelligence Analysis of the Package Delivery Spam text/SMS messages sent out to mobile subscribers in the US. by Mallesham Yamulla
Are mobile network subscribers concerned about these package delivery spam text messages?
Yes, many subscribers in the United States are receiving the same unsolicited package delivery text messages/SMS Spam multiple times on their mobile phones.
Subscribers are enquiring about this SMS spam with their friends, family and community members on social media and other communication channels, wanting to know if they have received these kinds of texts too.
Let’s see how people are searching for these text messages on Google Search. Here they might have used the keyword delivery spam to search.
Subscribers also reported the messages to their respective mobile operators to have it investigated and to stop these types of messages being delivered to their phones.
The trend of Google searches made with the mentioned keyword are very similar to the trend of their complaints against this SMS spam.
Our intelligence and data
AdaptiveMobile Security’s Messaging Security protects billions of subscribers worldwide with our SMS firewall which detects and blocks SMS Spam. We protect over 280 million subscribers in the United States and our analysis of Delivery Package Spam SMS attacks in this blog comes from our US subscriber data.
When did these attacks begin?
It seems that these unsolicited text messaging campaigns started appearing in the first week of December 2019 and then increased in volume during January 2020.
From the first week of January 2020, the cybercriminals step-up their efforts to de-fraud innocent subscribers, especially in the third week of January when the volumes of their attacks peak.
Complaints are piled up with the mobile network operators as the messaging traffic volumes of unwanted package delivery notifications are increasing daily.
Timing of Package Delivery SMS Spam attacks
These spam text messages attacks peak specifically on Friday, Monday and Tuesday.
The spammers would assume that most people may get time to order or purchase something they need online 1 or 2 days before Friday or during the weekends. The spammers try to leverage this behaviour and execute spam attacks in an attempt to de-fraud vulnerable subscribers.
When we look at the time hour intervals of spam volumes, here about 30% of spam text messages in the morning business hours from 8AM to 11AM and another 35-40% of messages in evening business hours from 4PM to 7PM are strategically sent out to customers.
Package Delivery SMS Spam traffic volumes and SMS Spam reports across USA
The most package delivery spam attacks happened in: California (CA), Florida (FL), Texas (TX), New York (NY) and Georgia (GA), over 70% of the spam is generated across these states. This geo-pattern makes sense, as these are the most populous and economically developed states and unsurprisingly they are also the top states for online purchases .
AdaptiveMobile Security detects and blocks the Delivery Package SMS Spam
The diagram below graphs the reactiveness of our Messaging Security SMS Firewall and expert Threat Intelligence Service, to the Delivery Package SMS Spam attacks.
Here are some key points about the package delivery SMS spam traffic volumes:
- About 5.5 million messages were sent from December 2019 to January 2020.
- There were rising spam volumes in January 2020 except the 2nd week.
- Median value of total spam traffic is about 35K, i.e half of total traffic is less than or equal to 35K, and 75 % of total spam traffic is less than or equal to 150K, and there are also a couple of days on which the traffic volumes are above 500K.
- The spam has been detected by our Anti-Spam filters built up with latest machine learning algorithms.
Messaging Pattern Flows
A random sample of 1.2 Million messages was collected to figure out the messaging pattern flows from source A(Calling) to Destination B(Called).
First, let’s understand the situation of how many unique destinations there are per each source here – assuming that a Source Number is +12345689 and there are 5 destinations such as +3453253223, +2535343553, +4535325325, +5535325325, +6535325325, here each one them has received a single message from the mentioned source, hence it has got the 5 unique destinations, and got binned into 1-20 unique destinations group. If A had more than 101 unique destinations it would fall into its respective binned group.
Another case is how many messages are sent out from source A to destination B can be counted as the above Source has 5 unique recipients. One of them received a message 10 times, so here it can be said that that source A sent out about 10 messages to a single destination, at the same time it has reached to 4 other destinations with a single message.
Here are some key points:
- The total number of unique sources are about 120,000
- The distribution of destination count per unique source is as follows:
- 1-20 unique destinations are about 56%.
- 21-100 unique destinations are about 20%.
- More than 101 unique destination are about 24%.
- Now let’s look at the group of 1-20 unique destinations per a source:
- A single destination message is about 25%
- The 2 to 5 destination messages are about 7% each.
- Only one message (different patterns) is sent out from source A to Destination B, is about 98.5% and more than 1 messages is about 1.5%
From which of the source regions the higher volumes of spam are coming from and to which of destination regions its reaching, can be seen in the below visualization in which about 19 source and 15 destination regions are mapped.
The topmost subscribers affected by these spam attacks are from California (CA), Florida (FL), and Texas (TX). The spam text messages are delivered to them from the 3 different regions each. The spam originated from Alaska (AK) has reached to many of the destination regions compared to others. No message sent is from the same source to the same destination regions.
The following is the type of pattern and message type that has been delivered to customers.
Let’s consider this case,
- There are about 1.5 million messages, that contain the random names each followed by courier service name XXXX
- All of them have the same package tracking code as xx-xxxx-xxxxx
- Randomized URLs are used in each message with .info URL domains, and they all are redirected to the same fake webpage.
- If they were a legitimate courier service the messages would come with the unique tracking code to each of the customers; here the name used in this message doesn’t match with the customer name who received it and their URL domains should be registered to the name of the courier services.
Text analysis of the Package Delivery SMS Spam
The below visualization shows the most common three-word (trigrams) sequences,
- Since the beginning of the package delivery spam messaging campaigns, their text patterns are changed constantly
- Very few of the messaging text patterns are common in all the 8 weeks it has occurred.
- The text is getting randomized in the same week only.
Let’s take an example of messages from December 29th :
- Delivery details for shipment/package, delivery information for shipment/package
- Address details for shipment/package, Address information for shipment/package
- In both of above cases the content is different, but the context is still the same as slight adjustments are made.
These texts are randomly generated to evade spam filtering, but AdaptiveMobile Security’s Network Protection Platform, combining its leading SMS firewall and Threat Intelligence Service, can easily detect them.
Are the URLs used in package delivery text messages randomized too?
The short answer is yes. .info URL domains have been used in about 2 million messages. These domain registrations are done on the name of organizations mainly from Panama, China, and Hong Kong. All these URLs’ expiration period is just 1 year and redirect to 3-5 unique fake Amazon webpages, where they ask the customers to take a customer satisfaction survey. Then, as a reward for answering some questions, they are given the opportunity to claim an expensive product for free.
At this stage the attackers are trying to acquire the target’s confidential information such as credit or debit card numbers. The reward is ‘free’ but there is a small shipping and handling fee which requires payment to be made. By agreeing to pay the small shipping fee, the victim is also signing up for a 14-day trial to the company that sells the fake products. After the trial period, they are billed a certain amount of money every month and sent a new supply of the item they claimed as a reward.
There are also other URL variants with .com domains being randomized as shown in the below three cases:
- pack-waiting1[dot]com, pack-awaiting1[dot]com, pack-pending1[dot]com,
- pack1-waiting[dot]com, pack1-awaiting[dot]com, pack1-pending[dot]com
- 1pack-waiting[dot]com, 1pack-awaiting[dot]com, 1pack-pending[dot]com
Each of these mentioned URL patterns are created for almost nine different variants such as (pack-waiting2[dot]com, pack-waiting3[dot]com, XXXX, pack-waiting9[dot]com OR pack2-waiting[dot]com, pack3-waiting[dot]com, XXXX, pack9-waiting[dot]com OR 2pack-waiting[dot]com, 3pack-waiting[dot]com, XXXX, 9pack-waiting[dot]com)
The randomly sampled URL domains are listed in the table below, and they also have the same kind of behaviour as the above URLs. Some of these URL variants have started to get redirected to Google’s search home page, because they might have already been noticed and blocked. It is clearly noticeable that none of the listed URLs belong to the courier service agencies legitimate URL domains which is a key factor of how to watch out for this scam.
As you can see from our report the fraudsters are persistent and strategic in their attacks. Subscribers must continue to be vigilant, questioning the authenticity of text notifications which they have not instigated, and also double-checking any URL links before clicking through. General advice is to log on to the company’s official website directly to check any tracking codes you have.
Mobile network operators also have an important part to play, to protect their customers and strengthen their defences against ever-evolving sophisticated attacks threatening their networks.
AdaptiveMobile Security’s Messaging Security combines our leading SMS Firewall technology and our team of Threat Intelligence experts to identify and block attacks, rendering useless advanced persistent attackers’ infrastructure and preventing the use of private information by automated messaging attack campaigns. We detected and blocked these Package Delivery SMS Spam attacks in real time using our world class Anti-Spam filters built with the latest machine learning algorithms.
Here at AdaptiveMobile Security, we are committed to protecting nations, networks and numbers by providing advanced protection against cybercrime. We can help operators, aggregators and inter-exchange carriers take the right steps to secure their messaging services.
For any queries about how AdaptiveMobile Security can help protect your network send us a mail at firstname.lastname@example.org
Máirín is an experienced marketeer and project manager with a passion for global business strategy. With over 15 years’ experience gained across technology, banking, pharma and professional services sectors. She has successfully planned and executed award-winning global marketing campaigns. Including management of product launches and international events for a range of clients from small blockchain start-ups to larger brands such as Bank of Ireland, LinkedIn and Novartis. Máirín heads up our Marketing Communications team, evangelising for our telecom managed threat protection, response and intelligence products and services, protecting more than 2.1 billion subscribers worldwide. Máirín holds a MSc in Management from UCD Michael Smurfit Graduate Business School and is a member of the Marketing Institute of Ireland.