Illicit commercial activity online has manifested into all things mobile. With revenue in the billions from mobile marketing, criminals are doing their best to harness the technology for their own monetary gain. Monetisable triggers that come from pay for performance activity on mobile such as clicks, downloads, registrations, video ads, referrals, games and surveys are driving substantial funds for scams and spam.
Initiating clever tricks with low detection rates, criminals subvert mobile network operators’ control to leave both consumers and corporations in the firing line for exploitation. These scammers, spammers and fraudsters are quickly developing methods and tools to manipulate the mobile, and the services it can provide, as well as the legal system.
The most common motive for phone hacking and attacks is to send phony promotional SMS messages, more commonly referred to as spam, to or from an unaware victim’s phone. This is a major concern facing networks today; Acision’s own audits have discovered volumes of illegitimate traffic as high as nearly 20 per cent in some regions of the world.
For operators, staying ahead of this ever-growing wave of attacks requires understanding the motivations and the tools used. Here we present a snapshot of the tactics being used today as part of the arsenal of SMS scammers, spammers and fraudsters:
One commonly used technique is app farming which, surprisingly, can result in monetary gains for the consumer. By downloading a special app, consumers are allocated a volume of SMS messages which the app providers claim is not spam, but actually consist of sending fake verification codes or personal information such as travel arrival or booking confirmations. In return for sending these spam messages, the consumer receives a share of the revenue that they generate. As there is a mix of legitimate and questionable traffic originating from the handset, it is easy for this illegal activity to go unnoticed by the network.
This is a scam used to bypass legal agreements by diverging the originating or terminating message. The message may be legally sent in one country but then uses an illegal network in the receiving country which, due to the complexity involved with mobile networks and international organisations makes it hard, although not impossible, for network operators to detect. By using this method, unscrupulous bulk SMS providers are able to achieve their delivery needs while incurring the lowest cost possible.
The most concerning methods are those where there is malicious intent rather than monetary gain. Malware is the hacking tool most similar to traditional computer hacking and involves a virus being sent to the target handset which can then have various detrimental effects. It may allow the hacker to access personal information, for example, or simply alter the functionality of the handset to allow access at a future date.
Premium rate fraud
In what is possibly the most morally questionable of tools utilised by hackers, consumers will respond to a text suggesting that they have won a prize and will unknowingly pledge themselves to a costly subscription which will only be identified in the next billing cycle. This technique is similar to phishing in which criminals will create a sense of urgency and engage their victims to respond with personal information such as banking or account details, which can then be used by hackers to commit fraudulent crimes.
Location sniffing, or “silent SMS”, exploits obtained handset data without the phone’s owner ever being aware they are being tracked. Although used legally and beneficially by the police in missing persons cases, scammers can use this method to unlawfully obtain valuable location or personal data. Messages are sent to a mobile, acknowledged by the device and then deleted without the user’s knowledge, allowing the sender to secretly determine whether the phone is on and where the user is located, for example. There has been a surge in this type of technique recently, which is most likely due to the rise in the use of smartphones and apps where it is easier to the send the device undetected texts.
This method, while technically not illegal, takes advantage of tariffs aimed at consumers. By linking a computer to a network of SIMs, it exploits an operator’s promise of unlimited text messaging, and is used to send bulk deliveries of generally promotional spam to consumers – a generally forbidden use of the facility, according to the T&Cs of most operators.
So what does this all mean?
Overall, SMS marketing is used to generate monetisable activity, and this is precisely why criminals try to exploit it. But with so many risks present, what can operators do to prevent these tech-savvy criminals damaging their relationships with customers? Ultimately, operators must have an understanding of the threats spammers pose not only to their bottom line, but also to their reputation and legal position with regard to compliance and regulations.
They must combat these threats by maintaining a strong back-end infrastructure with comprehensive network control and access, relentlessly developing this infrastructure to prevent criminal activity from infiltrating their networks. With knowledge of the threats out there, operators can navigate the increasingly complex and dynamic volume of scams, spam and fraud attempts and put the necessary precautions in place.