By Dancho Danchev
Are you receiving SMS spam? According to the latest reports, millions of mobile users are.
The trend is largely driven by what Webroot is observing as an increase in underground market propositions offering managed SMS spamming services to new market entrants not interested in building and maintaining the spamming infrastructure on their own.
In this post, I’ll profile a recently advertised managed service offering SMS spamming capabilities to potential customers, discuss the latest innovations in this field and their impact on mobile security, and review some of the key factors contributing to the growth of SMS spam.
The service is currently offering the following features to new market entrants into the area of mobile spam:
- Managed SMS spamming using the customer’s database of mobile numbers
- Managed SMS spamming using a specific mobile number range
- Managed SMS spamming based on a specific carrier
- Managed SMS spamming based on a specific city
- Managed SMS spamming based on a specific country
These unique features offer cybercriminals the ability to better tailor their market proposition to unaware customers, potentially exposing them to scams and mobile malware attacks.
Also available in the service proposition is the ability to choose a custom text message, next to the option to spoof the number of the sender to any given number. Clearly, this has been introduced with the idea of preventing affected users from blocking SMS messages from a single number.
What about the price? For up to 10,000 SMS messages, the price is 0.34 rubles ($.01 USD) per SMS; from 10,000 to 35,000 messages, the price is 0.29 rubles ($.01 USD) per SMS; from 35,000 to 100,000, the price is 0.25 rubles ($.01 USD) per SMS; and for any orders above 100,000 SMS messages, the price is 0.20 rubles ($.01 USD) per SMS.
Let’s review some of the key factors contributing to the growth of SMS spam.
Sample screenshots of DIY (do-it-yourself) SMS spammers currently available for sale:
Key factors affecting the growth of SMS spamming:
- Managed SMS spamming services proliferating - Webroot is currently aware of several services offering managed SMS spam services, with that number increasing if we take into consideration the managed services advertised around cybercrime-friendly web forums that don’t necessarily have a dedicated web site advertising their market propositions. Thanks to the increased demand for such services, mobile spammers are likely to continue supplying new and diversified market propositions to new market entrants.
- DIY SMS spammers available for download – Another segment within the mobile spam market is the overall availability of DIY (do-it-yourself) SMS spammers. For the time being, the majority of these only affect Russian and Eastern European carriers, and primarily take advantage of the carriers’ Mail2SMS feature. For instance, if enabled, the user can receive emails in the form of SMS messages once a service or an individual sends an email to the following address – mobile_number@sms_gateway_at_mobile_carrier.com. Although for the time being the majority of DIY SMS spam tools rely on the Mail2SMS feature, there are exceptions taking advantage of API keys issued by managed SMS spam providers, giving them easy access to a dedicated SMS gateway that allows them to send spoofed SMS messages internationally.
- Harvested databases of active mobile numbers per country, city, mobile carrier offered for sale – Taking into consideration the fact that the service profiled in this post offers the opportunity to send SMS spam messages on a per country, city, and mobile carrier basis, a logical question emerges. How did they manage to build their database of mobile numbers, and segment them so that marketing-savvy cybercriminals can abuse them at a later stage? Affected users often leave their mobile numbers in order to access content found in spam and phishing emails. By doing so, they allow cybercriminals the opportunity to collect, store and resell these numbers at a later stage. The geolocation process takes place either automatically, based on freely available information for a particular prefix, or manually, by having end users enter their city, country and carrier into the spammer’s database. Another popular technique that mobile spammers use is to collect mobile numbers from free international SMS sending services, which secretly collect all the data that passes through their interface in an attempt to monetize the traffic by reselling the numbers to spammers at a later stage.
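On the defensive side, Mail2SMS abuse and number-range targeting as described above show up at a mail gateway as one sender fanning out to many numeric local parts. The following is an added example, not part of the original post, that flags such senders; the log format, the gateway domain `sms.carrier.example`, the sample lines and the thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: domain(s) of the carrier's email-to-SMS gateway (placeholder value).
SMS_GATEWAY_DOMAINS = {"sms.carrier.example"}
LINE_RE = re.compile(r"^(\S+) from=<([^>]+)> to=<(\d{7,15})@([^>]+)>$")
# Constructed sample log: one low-volume sender, one sender sweeping a number range.
SAMPLE_LOG = [
    "2013-01-01T10:00:00 from=<alerts@shop.example> to=<15555550111@sms.carrier.example>",
    "2013-01-01T10:05:00 from=<alerts@shop.example> to=<15555550222@sms.carrier.example>",
] + [f"2013-01-01T10:00:{i:02d} from=<promo@bulk.example> "
     f"to=<{15555550100 + i}@sms.carrier.example>" for i in range(6)]

def parse(lines):
    """Yield (time, sender, number) for mail addressed to a numeric Mail2SMS address."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and m.group(4).lower() in SMS_GATEWAY_DOMAINS:
            yield datetime.fromisoformat(m.group(1)), m.group(2).lower(), int(m.group(3))

def longest_run(numbers):
    """Length of the longest run of consecutive numbers (a number-range sweep)."""
    best, run, prev = 0, 0, None
    for n in sorted(set(numbers)):
        run = run + 1 if prev is not None and n == prev + 1 else 1
        best = max(best, run)
        prev = n
    return best

def flag_senders(lines, window=timedelta(minutes=10), max_distinct=5, max_run=4):
    """Return {sender: reason} for senders hitting many or sequential numbers."""
    by_sender = defaultdict(list)
    for ts, sender, number in parse(lines):
        by_sender[sender].append((ts, number))
    flagged = {}
    for sender, events in by_sender.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window so it only covers events within `window` of the newest.
            while events[end][0] - events[start][0] > window:
                start += 1
            nums = [n for _, n in events[start:end + 1]]
            reason = ("sequential number range" if longest_run(nums) >= max_run
                      else "high fan-out" if len(set(nums)) > max_distinct else None)
            if reason:
                flagged[sender] = reason
                break
    return flagged
```

Because the check keys on recipient patterns rather than on any sender number, it is unaffected by the sender spoofing the service advertises.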
What are some of the latest innovations in the field of mobile SMS spam? Based on a comparative review of several managed SMS spamming providers, all of them are interested in vertically integrating by offering a managed MMS spamming feature, next to managed Bluetooth spamming. As far as MMS spamming is concerned, not only does the feature offer interactivity for the spammers’ message, it also allows them to efficiently spamvertise malicious Java applications to millions of end and corporate users whose mobile numbers have been somehow exposed, and are now in the hands of mobile spammers.
Webroot predicts that we’ll soon witness a mass spamvertised MMS campaign containing mobile malware, including localized messages to the native language of the prospective recipients thanks to the availability of managed localization and proofreading services within the cybercrime ecosystem.
With these ‘turn-key’ cybercrime-friendly solutions freely available within the cybercrime ecosystem, we also predict an increase in SMS spam hitting end and corporate users across multiple market verticals.
If you’re one of the unlucky individuals that receives these spam messages, do NOT interact with them, even if they offer you the opportunity to unsubscribe. Much like email spam, unsubscribing will only end up confirming that your mobile number is valid.