The present disclosure relates generally to computer system and network security and, more particularly, to methods, systems, and computer program products for detecting communication anomalies in a network.
Malicious parties are now targeting mobile customers with spam, fraud, and malware. To mitigate such mobile malware, one group of existing techniques focuses primarily on the host device (e.g., anti-virus software for mobile devices), but users may not install such protections, and their effectiveness may be limited against new, unseen strains of malware. Additionally, host-based protections typically face many inherent challenges, such as polymorphic malware, anti-reverse-engineering techniques, and pure spam or socially engineered attacks that do not install a malicious application.
Other techniques currently in use, such as reports that rely on user feedback about spam, volume analysis, and domain blacklists, may have significant weaknesses. While these techniques may be able to detect some individual numbers sending spam, they may fail to gain a picture of the entire malware campaign, which typically spans both Short Message Service (SMS) and Internet data, with websites set up to defraud users who click on spam links. Also, in the case of malware infections, users may not even be aware of the infection, so self-reporting fails. Domain blacklists of known malware command and control channels can identify users who are infected, but the malware campaign has to be identified first in order to know which domains to blacklist.
Attackers tend to use premium short code services to monetize their spam or malware campaigns. These short codes, however, are typically hidden behind additional layers in the campaign. Initial spam messages generally send users to a website, which in turn tricks users into revealing enough information to sign them up for a premium service. In a similar fashion, malware typically has many domains and layers of command and control associated with it before users come into contact with the premium short code.