A text-message spam campaign that flooded mobile phones and irritated perhaps millions of iPhone users last summer reared its ugly head again towards the end of 2014. The messages offer recipients a cheap way to order designer products like handbags and sunglasses. In a curious twist, one researcher says those who “fall” for the spam appear to get what they order. But it’s still a scam — the bags are fakes, of course, sent directly from China. And who knows what really happens to the personal information you give the spammers.
At one point last summer, this one “product promotion spam” campaign, which specifically targeted Apple’s iMessage users, made up as much as 40% of all unwanted text messages received by U.S. users, says spam-fighting firm Cloudmark.
By September, the campaign had all but disappeared. But from September to December — perhaps in time for the holidays? — it reappeared. Preliminary research shows a four-fold increase during that stretch, Cloudmark says. The new version of the scam adds knock-off Ugg boots, perhaps just in time for winter.
Last year, Cloudmark researcher Tom Landesman “fell” for the spam’s offer. He visited the fake Michael Kors site hawked by the spam, and ordered a bag using a limited value credit card. It’s easy to imagine the spammers’ goal was identity theft, and that the card and other information would immediately be used for fraud. Instead, he actually received a fake, shipped from China, made of poor imitation leather and cheap clasps. Buttons were inscribed with Chinese instead of English.
The Internet Protocol address of the knock-off websites advertised in the spam suggest they are in China, Landesman said. Packages are shipped from locations in and around Suzhou, China, not far from Shanghai.
So far, at least, there are no signs the spammers are interested in identity fraud. They’re just selling fakes.
“I suppose they see it as advertising…China has a lot of unique advertising ideas,” Landesman said. “China doesn’t have the same legislative disincentives (for spammers).”
While recipients do seemingly get something for their money, they are still getting cheated, Landesman says — they don’t get what they think they are paying for. He breaks spam into three categories: Simple spam, which is just noise; scams, with false advertising; and malicious texts, such as bank phishing messages seeking banking credentials.
“This is kind of middle-of-the-road. Arguably you can go to a flea market and buy something similar,” he said. “Still, you should absolutely ignore these messages.”
Text message spam is not the nuisance that email spam can be — in many parts of the world, three out of four emails are spam — but text spam is certainly on the rise. Given the widespread adoption of smartphones, it’s much easier for a text spammer to get a recipient to follow the complicated chain of events required to monetize a victim, such as directing recipients to a website to enter personal information.
Other technological circumstances can make things even easier for spammers. The knock-off campaign Cloudmark examined specifically targeted Apple’s iMessage users. iMessage makes it easy for users to follow text chats from phone to tablet to desktop, but because users link their email addresses and mobile phone numbers, spammers have an easier time finding targets. The messages run through Apple’s servers, rather than through mobile carriers’ text message systems, which can save users money, but that also shifts the burden of spam filtering to Apple. And iMessage users by default send a return receipt, which is gold to a spammer, Landesman said — it reveals to spammers they have a “live” phone number to attack, or sell to other spammers.
Any mobile text users can protect themselves chiefly by ignoring the spam. If you choose, you can forward the message to 7726 (which spells SPAM on old telephone keypads), where an industry group will help block future messages from the same sender, or with the same content.
iMessage users can take the additional step of turning off return receipt notification, or block notification of messages from users who aren’t in their contact list.
Image courtesy Cloudmark
More from Credit.com
This article originally appeared on Credit.com.