SMS/MMS: The New Frontier for Spam and Phishing
I've always wondered why SMS/MMS isn't used more often for spam or other malicious activities (CommWarrior being one notable exception). After talking to people in the industry about this, (that is, the security industry with a cellular or mobile flavor) it became apparent that we all have numerous hypotheses that try to explain the lack of SMS/MMS spam or phishing attacks. Some of the ideas that I've heard over the years include:
a) It costs money to send SMS/MMS messages, whereas to send e-mail it, for all intents and purposes, is free.
b) Any spam originating from a single operator or third party SMS/MMS originator can easily be shut down.
c) There is no need to complicate things as people still fall for e-mail phishing.
These opinions are certainly valid, but I think the tide may be turning, albeit on a very small scale. SMS is starting to be used more frequently in malicious activities. For example, about four weeks ago, I received some SMS spam on my brand-new data-only SIM from a UK provider. At that point I had been the owner of the SIM for just two weeks, and only one person (other than me) had the number. However, the interesting thing about the spam I received was that instead of a standard SMS message, the originator used a specifically formatted SMS known as a “WAP PUSH” message. The fact it was sent in this format was interesting for a couple of reasons: first, the device asked if I wanted to visit a particular URL immediately upon receiving the message; and second, on the device I was using at least, the originator’s ID was hidden (no naming and shaming while the handset OEM investigates) due to the use of WAP PUSH. The spam message simply read: “Cats and Dogs Lick Clean your phone Screen! :-D” followed by a URL to visit. While doing a bit of research on the Internet I came across a great Web site (http://www.grumbletext.co.uk/) that monitors the mobile spam problem in the UK, and it soon became apparent that I wasn't the only one who had received this particular message.
Another example is a recent case in North America, where SMS messaging was used as a means to entice users to visit a Web site from their desktop PC. The scam was based on an SMS message that informed users that they had been subscribed to a certain Web site, and that they were being charged high rates per day for the “pleasure”. The SMS message also stated that in order to unsubscribe, the user had to visit another specific Web site. If the user then visited this site from a PC, they were prompted to enter their mobile number; at which point the site attempted to install a Trojan and a backdoor onto the PC. How very nice of them!
So, while it is definitely not anywhere near the same scale as e-mail borne phishing and spam, it seems that SMS/MMS will soon be one of the frontiers where the fight will be moving to. Please be sure to use caution when receiving and handling any incoming SMS and MMS messages. Keep in mind that when it comes to SMS messages the sender’s ID is easily spoofed, so we need to use the same caution, regardless of the apparent source of the message.