Understanding Cross-Channel Abuse with SMS-Spam Support Infrastructure Attribution

  • Bharat SrinivasanEmail author
  • Payas Gupta
  • Manos Antonakakis
  • Mustaque Ahamad
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9878)


Recent convergence of telephony with the Internet offers malicious actors the ability to craft cross-channel attacks that leverage both telephony and Internet resources. Bulk messaging services can be used to send unsolicited SMS messages to phone numbers. While the long-term properties of email spam tactics have been extensively studied, such behavior for SMS spam is not well understood. In this paper, we discuss a novel SMS abuse attribution system called CHURN. The proposed system is able to collect data about large SMS abuse campaigns and analyze their passive DNS records and supporting website properties. We used CHURN to systematically conduct attribution around the domain names and IP addresses used in such SMS spam operations over a five year time period. Using CHURN, we were able to make the following observations about SMS spam campaigns: (1) only 1 % of SMS abuse domains ever appeared in public domain blacklists and more than 94 % of the blacklisted domain names did not appear in such public blacklists for several weeks or even months after they were first reported in abuse complaints, (2) more than 40 % of the SMS spam domains were active for over 100 days, and (3) the infrastructure that supports the abuse is surprisingly stable. That is, the same SMS spam domain names were used for several weeks and the IP infrastructure that supports these campaigns can be identified in a few networks and a small number of IPs, for several months of abusive activities. Through this study, we aim to increase the situational awareness around SMS spam abuse, by studying this phenomenon over a period of five years.


Federal Trade Commission Domain Name System Payday Loan Internet Infrastructure Internet Channel 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



This work was supported in part by National Science Foundation grants CNS-1318167 and CNS-1514035. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.


  1. 1. - the swiss security blog.
  2. 2.
  3. 3.
    Federal trade commission FTC complaint assistant.
  4. 4.
  5. 5.
  6. 6.
    FTC robocall challenge.
  7. 7.
  8. 8.
    Identifying parking IP infrastructure: understanding malware evolution and the implications on data modeling.
  9. 9.
    Internet archive: wayback machine.
  10. 10.
    I.T. mate product support.
  11. 11.
    Malc0de database.
  12. 12.
    Malware domain list.
  13. 13.
    SagaDC summary.
  14. 14.
    SMS phishers exploit twilio and to steal mobile account logins.
  15. 15.
  16. 16.
  17. 17.
    Suspicious domains - SANS internet storm center.
  18. 18.
    Technical realization of the short message service (SMS), 3Gpp. TS 23.040, v13.0.0.
  19. 19.
    Text spammers settle FTC charges they illegally sent consumers bogus offers for ‘free’ gift cards.
  20. 20.
  21. 21.
  22. 22.
    What kind of SMS messages are not allowed to be sent using Twilio?
  23. 23.
  24. 24.
    Anderson, D.S., Fleizach, C., Savage, S., Voelker, G.M., Spamscatter: characterizing internet scam hosting infrastructure. Ph.D. thesis, University of California, San Diego (2007)Google Scholar
  25. 25.
    Antonakakis, M., Perdisci, R., Dagon, D., Lee, W., Feamster, N.: Building a dynamic reputation system for DNS. In: 19th USENIX Security Symposium, 11–13 August 2010, Washington, DC, USA, Proceedings, pp. 273–290. USENIX Association (2010)Google Scholar
  26. 26.
    Antonakakis, M., Perdisci, R., Lee, W., Vasiloglou, N., Dagon, D.: Detecting malware domains in the upper DNS hierarchy. In: The Proceedings of 20th USENIX Security Symposium (USENIX Security 2011) (2011)Google Scholar
  27. 27.
    Antonakakis, M., Perdisci, R., Nadji, Y., Vasiloglou, N., Abu-Nimeh, S., Lee, W., Dagon, D.: From throw-away traffic to bots: detecting the rise of DGA-based malware. In: The Proceedings of 21th USENIX Security Symposium (USENIX Security 2012) (2012)Google Scholar
  28. 28.
    Antonakakis, M., Perdisci, R., Nadji, Y., Vasiloglou, N., Abu-Nimeh, S., Lee, W., Dagon, D.: From throw-away traffic to bots: detecting the rise of DGA-based malware. In: Presented as part of the 21st USENIX Security Symposium (USENIX Security 2012), Bellevue, pp. 491–506. USENIX (2012)Google Scholar
  29. 29.
    Bilge, L., Kirda, E., Kruegel, C., Balduzzi, M.: EXPOSURE: finding malicious domains using passive DNS analysis. In: Proceedings of the Network and Distributed System Security Symposium (NDSS 2011), 6th February - 9th, San Diego, California, USA. The Internet Society, February 2011Google Scholar
  30. 30.
    Boggs, N., Wang, W., Mathur, S., Coskun, B., Pincock, C.: Discovery of emergent malicious campaigns in cellular networks. In: Proceedings of the 29th Annual Computer Security Applications Conference (ACSAC 2013), New York, NY, USA, pp. 29–38. ACM (2013)Google Scholar
  31. 31.
    Burges, C.J.: A tutorial on support vector machines for pattern recognition. Data Mining Knowl. Discov. 2(2), 121–167 (1998)CrossRefGoogle Scholar
  32. 32.
    Der, M.F., Saul, L.K., Savage, S., Voelker, G.M.: Knock it off: profiling the online storefronts of counterfeit merchandise. In: The 20th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining (KDD 2014), 24–27 August 2014, New York, NY, USA, pp. 1759–1768 (2014)Google Scholar
  33. 33.
    Forney Jr., G.D.: The Viterbi algorithm. Proc. IEEE 61(3), 268–278 (1973)MathSciNetCrossRefGoogle Scholar
  34. 34.
    Grier, C., Thomas, K., Paxson, V., Zhang, M.: @spam: the underground on 140 characters or less. In: Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS 2010), New York, NY, USA, pp. 27–37. ACM (2010)Google Scholar
  35. 35.
    Jiang, N., Jin, Y., Skudlark, A., Zhang, Z.-L.: Greystar: fast and accurate detection of SMS spam numbers in large cellular networks using grey phone space. In: Proceedings of the 22Nd USENIX Conference on Security (SEC 2013), Berkeley, CA, USA, pp. 1–16. USENIX Association (2013)Google Scholar
  36. 36.
    Jiang, N., Jin, Y., Skudlark, A., Zhang, Z.-L.: Understanding SMS spam in a large cellular network: characteristics, strategies and defenses. In: Stolfo, S.J., Stavrou, A., Wright, C.V. (eds.) RAID 2013. LNCS, vol. 8145, pp. 328–347. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  37. 37.
    Lever, C., Antonakakis, M., Reaves, B., Traynor, P., Lee, W.: The core of the matter: analyzing malicious traffic in cellular carriers. In: 20th Annual Network and Distributed System Security Symposium (NDSS 2013), 24–27 February 2013, San Diego, California, USA. The Internet Society (2013)Google Scholar
  38. 38.
    Murynets, I., Jover, R.P.: Crime scene investigation: SMS spam data analysis. In: Byers, J.W., Kurose, J., Mahajan, R., Snoeren, A.C., (eds.) Proceedings of the 12th ACM SIGCOMM Conference on Internet Measurement (IMC 2012), 14–16 November 2012, Boston, MA, USA, pp. 441–452. ACM (2012)Google Scholar
  39. 39.
    Nazario, J., Holz, T.: As the net churns: fast-flux botnet observations. In: 3rd International Conference on Malicious and Unwanted Software (MALWARE 2008), 7–8 October 2008, Alexandria, Virginia, USA, pp. 24–31 (2008)Google Scholar
  40. 40.
    Pelleg, D., Moore, A.W., et al.: X-means: extending k-means with efficient estimation of the number of clusters. In: ICML, pp. 727–734 (2000)Google Scholar
  41. 41.
    Polakis, I., Petsas, T., Markatos, E.P., Antonatos, S.: A systematic characterization of IM threats using honeypots. In: Proceedings of the Network and Distributed System Security Symposium (NDSS 2010), 28th February - 3rd, San Diego, California, USA, March 2010Google Scholar
  42. 42.
    Salton, G., McGill, M.J.: Introduction to Modern Information Retrieval. McGraw-Hill Inc., New York (1986)zbMATHGoogle Scholar
  43. 43.
    Thomas, K., Grier, C., Ma, J., Paxson, V., Song, D.: Design and evaluation of a real-time URL spam filtering service. In: 32nd IEEE Symposium on Security and Privacy (S&P 2011), 22–25 May 2011, Berkeley, California, USA, pp. 447–462. IEEE Computer Society (2011)Google Scholar
  44. 44.
    Vissers, T., Joosen, W., Nikiforakis, N.: Parking sensors: analyzing and detecting parked domains. In: 22nd Annual Network and Distributed System Security Symposium (NDSS 2015), 8–11 February 2014, San Diego, California, USA (2015)Google Scholar
  45. 45.
    Wall, M.E., Rechtsteiner, A., Rocha, L.M.: Singular value decomposition and principal component analysis. In: Berrar, D.P., Dubitzky, W., Granzow, M. (eds.) A Practical Approach to Microarray Data Analysis, pp. 91–109. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  46. 46.
    Yadav, S., Reddy, A.K.K., Reddy, A., Ranjan, S.: Detecting algorithmically generated malicious domain names. In: Proceedings of the 10th ACM SIGCOMM Conference on Internet Measurement, pp. 48–61. ACM (2010)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Bharat Srinivasan
    • 1
    Email author
  • Payas Gupta
    • 2
  • Manos Antonakakis
    • 1
  • Mustaque Ahamad
    • 1
    • 2
  1. 1.Georgia Institute of TechnologyAtlantaUSA
  2. 2.New York University Abu DhabiAbu DhabiUAE

Personalised recommendations