As some of you may know, Chinese operators are making great effects to stop spammers on their mobile networks, along with the help from government and regulators. As part of the efforts, a new regulation announced in September last year, requires all new mobile network subscribers to register their phone numbers using their true identity(手机号码实名制), which makes it much easier for regulators to marshal traffic within the networks. Meanwhile, existing users also need to update their information with their operators, required by the regulation. The new regulation forces spammers to find an alternative way to send spam. For a long period of time, we have seen an interesting trend, that Chinese-targeting spammer groups are sending their spam from North American mobile networks. One of them we are monitoring, codenamed SIKA, seem to have outsourced or offshored their spam operation to the United States.
SIKA has a simple, but very effective and cost efficient structure, to operate under the radar of both Chinese and North American operators. They utilize many North American mobile phones- for which you can often get a cheap unlimited international messaging plan – as spamware ‘soldiers’ of SIKA. Spamware enables a spammer to have control over multiple devices that capable of sending SMS, and send large amount of spam traffic through these devices at the same time. Spamware is a common issue in China, along with other spamming techniques, like illegal transmission stations. However, the obvious advantages of overseas spamware compared to illegal transmission stations is you can easily escape the jurisdiction while fake stations can be busted by local law enforcement. These soldier numbers together generated large amounts of spam traffic that is sent towards subscribers inside Chinese mobile networks. Further benefit from this is no expensive international SMS from China to cross, all costs are covered by the unlimited messaging plan. These numbers are managed by Chinese command & control points that are located inside China.
Over time, we have seen hundreds of North American phone numbers that were used by SIKA. We’ve seen numbers registered from areas across US, like California, New York and Texas. On the other hand, only a few C&C addresses within China have been used to manage all these soldiers. Investigation suggested these C&C points were mainly registered in three cities from central and south of China, Shenzhen (Guangdong), Xiangtan (Hunan) and Chongqing. Interestingly, our intelligence also suggests that the owners of the soldier mobile devices in the US and the C&C addresses in China are connected via family ties, rather than pure business.
The text message spams sent to China from SIKA consist of giveaway scams, loans, selling second hand cars and massive real estate marketing campaigns. They don’t stick to one spam, but often send a few different spam campaigns at the same time. This behaviour suggests they are more likely spammer for hire (a mercenary type spammer), providing a platform for whatever is needed to be sent. One of the typical giveaway spams they were sending is:
This Spam pretends to be from a popular talent show from China Central Television (CCTV), the national TV network in China and tries to trick subscribers in China to believe they are the winner of lottery amongst all SMS voters of the talent show.
Among all the malicious traffic, real estate marking has taken a large portion of it, which we believe is more or less having a connection to the huge bubble of Chinese real estate market at the moment.
After some research, most of the spams are promoting properties in south China, like Guangdong and Hainan. As often mentioned in reports, quite a few empty houses from over developed projects exists in these areas. After looking into the recipient group, we found quite interestingly, spammers sent these market messages all over the country, especially to the north side of China, including big cities like Beijing, Jinan (Shandong), trying to lure their investments into real estate.
SIKA has generated large amount spams from North American networks over to China. During one spike, more than 70,000 people in China were affected by North American spam in less than a week, and as many as eight different spam campaigns can be active at the same day. Due to so many ‘soldiers’ they have in the network, SIKA can keep each spammer device at low volumes, hiding under the radar. Our intelligence also shows that the network often hibernates for long periods, but come active during Christmas and Chinese New Year, targeting the holiday season.
In conclusion, as a mercenary type spammer, SIKA had built a very ‘successful’ network and business model. Previously they operated under both Chinese and north American operators without been detected for a long time. We expect to see more Chinese spammers adopt this operation as a counter-strategy to the tightened domestic environment. However we have been monitoring and blocking them when detected, which should make their operation much more difficult in the future.