4 B. Srinivasan et al.
potentially be more effective than traditional attacks over the Internet, as they
can abuse the trust that has traditionally been associated with telephony. Similar
to traditional email messaging, SMS [18] has become a popular abuse target,
as past research efforts have shown [30,35,36,38].
While traditional email spamming activities have been extensively studied,
long-term properties of SMS spam operations are not well understood by the
community. SMS abuse data and long-term network traffic observation of such
abuse are necessary to study the behavior of SMS spam operations. By using
data that spans a period of close to five years, in this study we aim to present
such a long-term analysis of SMS spam abuse. Our hope is that such analysis
will provide better understanding of the network properties of SMS spam abuse
which can be used to build more effective defenses against it.
We call SMS spam cross-channel abuse because it relies on and can be
observed in both the telephony and Internet channels. In other words, such
attacks involve both a telephony resource (e.g., a phone number) and a traditional
Internet resource (i.e., a domain name and/or an IP address). To study
cross-channel abuse, we explore how SMS spam campaigns utilize the domain
name system (DNS) and other Internet infrastructure. We build an SMS spam
attribution system called CHURN, which is used to analyze abuse data from
a period of five years. CHURN analyzes SMS-spam datasets from two different
abuse reporting sources: passive DNS datasets from a large Internet Service
Provider (ISP), and application layer web information around these SMS spam
campaigns. CHURN’s ultimate goal is the attribution of SMS spam campaigns
with respect to the domain name infrastructure they employ in their abuse
activities.
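
An added example, not CHURN's own code: it illustrates attribution by shared domain infrastructure using one network-level feature only (the set of IPs each domain resolved to in passive DNS) with single-linkage agglomerative clustering on Jaccard distance. The records, domain names, distance threshold and function names are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed passive-DNS rows: (domain, resolved IP, first seen, last seen).
# Names use .example and IPs come from documentation ranges.
PDNS = [
    ("win-prize.example",  "192.0.2.10",   date(2012, 3, 1),  date(2013, 1, 5)),
    ("gift-card.example",  "192.0.2.10",   date(2013, 2, 1),  date(2014, 6, 9)),
    ("gift-card.example",  "192.0.2.11",   date(2014, 6, 10), date(2015, 1, 2)),
    ("free-phone.example", "192.0.2.11",   date(2015, 1, 3),  date(2016, 8, 1)),
    ("loan-now.example",   "198.51.100.7", date(2014, 5, 1),  date(2014, 9, 1)),
    ("cash-fast.example",  "198.51.100.7", date(2014, 9, 2),  date(2015, 2, 1)),
    ("lone-site.example",  "203.0.113.5",  date(2013, 7, 1),  date(2013, 7, 9)),
]

def jaccard_distance(a, b):
    """0.0 for identical IP sets, 1.0 for disjoint ones."""
    return 1.0 - len(a & b) / len(a | b)

def cluster_domains(rows, max_dist=0.75):
    """Single-linkage agglomerative clustering of domains on their IP sets."""
    ips = defaultdict(set)
    for domain, ip, _, _ in rows:
        ips[domain].add(ip)
    clusters = [{d} for d in sorted(ips)]
    while True:
        best = None  # (distance, i, j) of the closest pair still within max_dist
        for i in range(len(clusters)):
            for j in range(i + 1, len(clusters)):
                d = min(jaccard_distance(ips[x], ips[y])
                        for x in clusters[i] for y in clusters[j])
                if d <= max_dist and (best is None or d < best[0]):
                    best = (d, i, j)
        if best is None:
            return clusters
        _, i, j = best
        clusters[i] |= clusters.pop(j)  # j > i, so index i stays valid

def infrastructure_lifetime(rows, cluster):
    """Days between the first and last sighting of any domain in the cluster."""
    seen = [(first, last) for d, _, first, last in rows if d in cluster]
    return (max(l for _, l in seen) - min(f for f, _ in seen)).days

if __name__ == "__main__":
    for c in cluster_domains(PDNS):
        print(sorted(c), infrastructure_lifetime(PDNS, c), "days")
```

In the constructed data, win-prize.example and free-phone.example never share an IP, yet they land in one campaign because gift-card.example overlaps with both, which is how short-lived domains rotating over a small, stable IP set chain together.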
Our SMS spam attribution analysis reveals that cross-channel abuse is highly
effective and long lived. We found that the Internet IP infrastructure used by the
spammers to support SMS spam campaigns is surprisingly stable. For example,
abuse campaigns tend to use a handful of IPs in a few networks over several years
to continue their activities. This shows current defenses are either unaware of the
abuse infrastructure utilized by SMS spam campaigns or they are not effectively
using such information to combat cross-channel abuse. We hope that our paper
will demonstrate the value of situational awareness around this problem, which
could be used to reduce the potential for social engineering and other attacks
facilitated through such cross-channel abuse. Summarizing, our paper makes the
following contributions:
– We build and present a cross-channel attribution system to automate the
collection and analysis of SMS spam abuse. Our system, namely CHURN, uses
a hierarchical clustering technique that employs network level, application
level, and popularity-based statistical features to cluster related SMS spam
domain names into campaigns over time.
– Using CHURN, we conduct a five-year study that yields attribution results
for a plethora of real-world SMS spam campaigns. We use (1) 8.32 million
SMS abuse reports that consist of messages that directed users to scam websites,
(2) more than 56 thousand DNS resource records related to the SMS