As with any network-connected device, mobile phones and the applications they run bring their own security problems. While newer phenomena like QR codes and mobile botnets will likely be a growing concern, spam sent by text messages remains an issue for carriers and mobile phone users.
Cyveillance recently asked Alex Bobotek, Co-Vice Chairman, of the Messaging Anti-Abuse Working Group (MAAWG) to comment on security risks and trends in spam sent by SMS.
Cyveillance: Most mobile users in North America would not report that they receive much text message spam. Is that because text message spam is not sent to North American users or because the filters set up by mobile carriers are very effective? In either case, is text message spam considered a problem that’s mostly solved here?
Alex Bobotek: Text message spam in North America accounts for less than 1% of messages. It is a problem but it isn’t, and hasn’t been, as severe a problem as email spam, where 80-90% of messages are spam. This is largely due to the carriers’ best-in-class spam filters at the email interfaces, higher costs to senders of mobile spam, and aggressive actions against spammers. These conditions have made it more difficult to spam phones than email inboxes.
Cyveillance: Although certain types of email spam are reportedly on the rise, the overall volume of email spam sent appears to have dropped. How do the current levels of text message spam compare with what you’ve seen in the past?
Alex Bobotek: Unfortunately, although the volume is still comparatively low, the quantity of North American text message spam reaching subscribers’ phones has been increasing rapidly over the past two years. From around 2003, email-to-text spam – traffic sent as email to carriers’ email SMS gateways for delivery as text messages – has been a problem. But the industry has dealt with this effectively, reducing deliveries to a trickle. In the last two years, however, abusers have been exploiting unlimited or other low-cost messaging rate plans to send high volumes of spam. Some of this comes from mobile phones, chiefly prepaid, anonymously-purchased devices controlled by spammers. Additionally, as SMS services become more open to Internet marketers through short codes, affiliate spam has also increased.
Cyveillance: Is there a common topic in text message spam? Does it share the generally slimy advertising for adult sites, illegal online pharmacies, gambling (the “3 P’s: porn, pills, and poker), payday loans, replica rolexes and gucci bags? Or does the mobile environment tend to bring out other topics?
Alex Bobotek: Text messages are more expensive to send, even for spammers. So some of the spam campaigns that depend on high message volume such as pharmaceuticals are rare. Campaigns with higher expected profit per message, such as “free gift cards” and “payday loans,” are more common.
Cyveillance: When spammers send messages by SMS, what are the tactics they often use to avoid detection?
Alex Bobotek: As with email, there are techniques for staying under the radar, such as “snowshoeing,” which is spreading the load across multiple sending devices or accounts, and “polymorphism,” which is generating variations in the messages. Interestingly, it’s more common in SMS than email to bury a small volume of spam in a larger stream of legitimate messages. This is probably because it is much more difficult to spoof an SMS sender’s address (i.e., a sender’s phone number or a short code) than an email address.
Additionally, there’s little mobile botnet activity to date in North America. There are two leading theories as to why this is: First, there is more profit in botting PCs because of the lower cost to infect and the higher value when they are infected, so the professionals are attacking computers instead. The second theory is that the conditions aren’t ripe yet, but mobile botnets are coming as mCommerce and mBanking grow, smartphones gain market share, app downloads explode, and a single mobile OSs gains a dominant market share.
Cyveillance: Do any particular text message spam campaigns that you’ve seen stand out in your mind as being particularly clever or devious?
Alex Bobotek: Absolutely, but I’m afraid I can’t publicize these. On the other side of the spectrum, one not-so-clever spammer bought postpaid phones from a carrier’s mobile phone store, showing his driver’s license to set up an account. He allegedly then sent millions of diet pill spam messages. This turned out to be quite convenient for the carrier’s lawyers, who needed a name and address where they could to which to send the legal process notices. The case got almost comical when the guy tried to argue that it was academic research.
Cyveillance: In your experience, where are the senders of most text message spam to North America located geographically?
Alex Bobotek: They are mostly in North America. Sending from a mobile phone, the most common source of text spam, to a North American mobile is most economical from phones located in North America. Of course, botnets and more sophisticated or specialized spam organizations could change this. However, today most of the text spammers are just developers and hi-tech entrepreneurs with an ethics deficit, rather than script kiddies who have rented resources or obtained an affiliate kit. Therefore, they tend to be in the areas with the most hi-tech developers and entrepreneurs.
Cyveillance: The advanced persistent threat is a common topic in information security these days. Have you seen evidence of unsolicited text messages being used as part of APT attacks?
Alex Bobotek: APT isn’t my specialty, so I’ll just comment on a few factors that may make text messaging more or less likely to be used in APT attacks. Numerous surveys show that people – correctly, due to much lower levels of mobile abuse – trust their SMS inbox more than their email inbox, which would seem to make text messaging spam a good choice for these attacks. However, many APT attackers targeting U.S. organizations seem to prefer not to use resources that can be traced to parties located in the U.S., such as a prepaid phone traceable to a U.S.-based purchaser. Additionally, it’s difficult to spoof a local phone number from outside the country and a message from a foreign phone number, would likely raise suspicion.
Cyveillance: What is MAAWG’s recommended response for consumers who receive text message spam?
Alex Bobotek: Text message spam should be reported to the carrier. Some carriers, such as AT&T and Verizon, have set up the short code 7726 – “SPAM” on the keypad – to report spam so you just forward the spam text message to 7726. North American carriers are quite aggressive in protecting their subscribers through both technical defenses and legal means. But with billions of legitimate text messages passing through their networks every day, they need consumers’ help in identifying the spammers, which will then enable carriers to block and prevent their subsequent spam activity. Google “report text message spam ” for instructions.
Cyveillance: Any parting comments?
Alex Bobotek: As with wired Internet abuse, collaboration between ISPs and network operators, government, vendors and academia is the key to managing abuse. Industry led the way in creating collaboration forums such as MAAWG that have worked well in email and that are now working to control mobile messaging abuse. Attending these forums is the best way for security professionals and vendors to learn about and collaborate in fighting mobile abuse.
Many thanks to Alex Bobotek and the MAAWG for taking the time to answer our questions.