Over 100 Billion SMS messages are sent per year in the U.K., whilst this figure continues to fall due to mobile device users opting to use alternative communication mediums such as WhatsApp, Facebook Messenger and Signal – we are still a nation dependant on this older form of messaging. If you think it’s going to disappear anytime soon you should look at email as a example of how older technology can exist for years, despite being made technologically obsolete.
Like email phishing, SMS phishing (SMShing) scams continue to rise and are driving cybercrime throughout the UK. When you look at email phishing quite a lot has been done to combat this, DMARC, SPF, and DKIM go a long way to making it harder for the scammers. Education of users aims to raise awareness of these kind of frauds, teaching people the ways nasty links can bring ransomware and steal credentials… but it seems we are long way behind with thwarting the SMS scams. As part of our business aims and objectives this year we are hoping to fight back against these social engineering frauds targeting unsuspecting people across the country.
We hope to bring a change in legislation that will make it harder for people to do one simple thing that is the fundamental part of nearly all SMShing frauds – Spoofing the Sender ID!
So what is a Sender ID and why is it so important to focus on this?
Have you ever received a text message from just a name? If you have a look on your phone you might have one from your bank, or maybe a service you use. Have a look at the example below if you aren’t too sure what this is…
How are fraudsters taking advantage of spoofing the Sender ID?
With roughly 7 in 10 U.K. mobile phone users using smartphones, these ‘pocket computers’ are our main contact with the internet. So it makes perfect sense that fraudsters are thinking long and hard of various scams to separate us from our information, money and in cases of Android ransomware – even the use of our devices itself!
Most of the people sending spoofed SMS messages will have a financial motive, normally a link inside the message will send you to a banking login page on your device, designed to capture your password (Phishing). Some more advanced scams might pretend to be from an email host, ISP or an online account such as Google. The motive for these kind of messages might be to steal your data.
On a really bad day, these messages might be used to aid social engineering attacks. This scenario might see various messages used to aid scams. Such as being used as a pretext to visit a office location for an onsite attack.
Whats wrong with current legislation?
Pretending to be from a financial institution and attempting to defraud people is a crime, however these types of crimes are rarely investigated. A freedom of information request has been submitted to our local police force in order to validate my claim and can be found here. Current legislation is awkwardly placed between these messages being an advertising SMS, covered by the ICO. Generic fraud attempts covered by Action Fraud and advanced ‘internet enabled crime’ covered by the UK Policing authorities. Current legislation also focusses on the moment after a malicious SMS has been sent, with very little legislation covering SMS providers. These businesses typically send out legitimate advertising for companies where addressing the message and masking the Sender ID with their brand is a perfectly good use of using custom Sender ID’s. Fraudsters take advantage of these services to perpetrate crime. No current legislation makes it compulsory for these operators to report these messages.
All in all current legislation is ineffective, outdated and doesn’t currently match the impact that this crime is having on innocent people.
Where is Project ‘Sender ID’ hoping to go?
At The AntiSocial Engineer replicating crime is what we do! But we do this to reduce the impact crime has on businesses and the UK public. In our research we have found that we need to focus on Sender ID spoofing and it will be our primary business focus for the following months. This is bigger than anything we have ever done before, the sheer scale of what is needed will undoubtedly need collaboration, partnerships and guidance along the way. Our goal is to make it harder for criminals to maliciously spoof Sender ID’s. Making this easy route to crime less appealing, more advanced and easier to prevent.
We will need to work with telecommunications providers, lawyers, lobbyists, hobbyists, PR agencies and organisations that Project ‘Sender ID’ will benefit.
If you feel you could offer advice and help or you would like to follow the campaigns progress drop us an email over at [email protected] or share us using the sharing options below.
- Campaign awareness and launch
02/01/2017 – Launch of Project ‘Sender ID’
- Investigate current crime rates, quantify malicious text messages using a spoofed Sender ID
01/01/2017 – FOI Request made to West Yorkshire police, seeking local arrest figures.
17/02/2017 – After an extended wait the FOI received a reply. 2 People arrested in West Yorkshire, 0 convictions so far.
- Speak to the current SMS providers, see how these crimes effect them
02/2017 – Several SMS Vendors contacted.
- Seek collaboration – Experienced marketers, lawyers, funders, people with experience in implementing change in the legislative arena
01/2017 – Meetings with people from an undisclosed policing authority.
02/2017 – Meeting with SMS provider, discussed solutions and current trends of SMShing.
02/2017 – Follow up meetings with undisclosed policing authority and industry peers to discuss the issue of ‘spoofing’.
05/2017 – Discovered a large telecoms company and sought to inform them of the dangers of spoofed messages.
02/2020 – Call with O2 and their team to discuss ways to reduce spoofing and number portability scams.
- Investigate countries that have made steps in stopping malicious sender ID spoofing.
UK – Basic framework of legislation and enforcement, very few convictions.
India – Illegal activity, CLI spoofing will be punished with 3 years imprisonment. Websites offering spoofing blocked.
USA – Act’s in place, various penalties – including imprisonment.
Richard De Vere (@AntiSocial_Eng) is the Principal Consultant for The AntiSocial Engineer Limited, he has an extensive background in penetration testing and social engineering assessments, including ‘red team’ exercises and information gathering assessments for financial institutions and some of the UK’s largest companies.