SMS Spam and Mobile Messaging Attacks Introduction ... - GSMA

SMS Spam and Mobile Messaging Attacks 

Introduction, Trends and Examples 

January 2011

GSMA Spam Reporting Service 

SMS Spam and Mobile Messaging Attacks - Introduction, Trends and Examples 

January 2011 

Contents 

1 Introduction 4 

2 Market trends resulting in an increase of SMS attacks 6 

3 Types of mobile spam attacks and examples 6 

3.1 Types of Mobile Messaging Abuse 7 

3.2 Types of SMS Related Mobile Signaling Abuse 9 

4 Analysis of Mobile Spam 10 

5 Conclusions 12



January 2011 

1 Introduction 

In most parts of the world the mobile messaging channel is currently regarded as “clean” 

and trusted. It is increasingly being used as a payment authorisation method for banking 

transactions and presents a valuable opportunity for further monetisation through mobile 

advertising. The level of trust in SMS between MNOs and their subscribers is unprecedented, 

as shown in a recent survey conducted by the IAB/DMA in the UK in September 2010 

where 63% of subscribers said they were happy to receive SMS and MMS from their network 

operator. 

The success of the mobile messaging channel has, unfortunately, made it a very attractive 

target for attack by spammers. The level of trust means almost all messages received by 

subscribers are opened and read and, because of the ease of use of Smartphones, numbers 

are easily dialed or links clicked on further exposing the subscriber to risk. This, combined 

with the ever reducing cost of sending SMS spam (through unlimited text plans) and the 

various methods of billing available, has meant that mobile messaging abuse is becoming 

increasingly sophisticated and on the rise. 

To further exacerbate the situation attackers are finding the traditional fixed email channel 

increasingly unprofitable as ISPs implement more accurate spam filtering techniques and are 

focusing their activities on the SMS channel. 

Cents Per Message 

Spam Increasingly Profitable in SMS 

1.2 

SMS Profit 

1.0 

Average Revenue per SMS 

Cost to send SMS 

0.8 

0.6 

0.4 

0.2 

0.0 

2005 2006 2007 2008 2009 2010 

Profit Decreasing in Email 


1.2 

Email Profit 

1.0 

Average Revenue per Email 

Cost to send Emails 

0.8 

0.6 

0.4 

0.2 

0.0 

2005 2006 2007 2008 2009 2010 

Whilst SMS spam is not perceived as a major issue in some regions it now constitutes 

20-30% of all SMS traffic in Asian markets such as China and India. Both countries have 

regulated to restrict the number of messages each subscriber can send in one day but this 

is not containing the problem. As the profitably of SMS spam continues to grow previously 

unaffected markets will suffer an increase in attacks, with the unprotected networks being 

targeted first. A worrying dynamic is that attackers are using advanced methods and 

techniques to avoid detection and have gone beyond simple spam messages to fraudulent 

scams, mobile viruses, phishing, spyware and mobile botnets. 

Mobile Subscribers 

Report Spam to operator 

GSMA Spam 

Reporting Service 



Reporting Dashboard 

Provides operators easy access 

to trend data and facilitates data sharing 

between operators 

Mobile Operators 

Data feeds enable MNOs to 

block attacks using preferred 

technology 

High Variation of Sending Numbers Within Attacks



January 2011 

A consequence of this increase in SMS attacks is that mobile network operators are seeing 

their brand value and profitability eroded in a number of ways: 

Poor Customer Experience: Mobile spam is regarded as a personal intrusion and negatively impacts the 

customer experience and damages the MNO’s reputation amongst its subscribers. This can lead to subscriber 

churn to other MNO’s or reduction in usage of SMS / data services, particularly if the only available option 

to prevent spam is to restrict messaging services. Absence of any mechanism to report mobile spam further 

frustrates subscribers 

Higher Infrastructure Cost: As the volume of mobile spam and other malware increases, the MNO must 

add additional capacity to its network, particularly to messaging servers and SMSC infrastructure to cope with 

peaks caused by attacks. 

Higher Operational Cost: Mobile messaging abuse generates an increase in customer complaint calls 

to MNO help desks. These have to be investigated and refunds often have to be made. A major attack from 

outside the MNO’s own network will often result in costly mitigation and refunding of inter-carrier charges. 

Interconnect Issues: When receiving large volumes of spam from another operator, some MNOs will “cut 

off” incoming SMS and MMS messages from the originating operator. This periodic cycle of blocking and then 

restoring interconnection causes operational headaches and costs for both operators. 

Threat of Regulation: Lack of an effective industry response to mobile messaging abuse invites regulators 

to impose regulatory requirements on MNOs, as seen recently in India where subscribers are limited to 100 

SMS messages per day and unlimited text plans are banned .



January 2011 

2 Market trends resulting in an increase of SMS attacks 

Messaging attacks are primarily driven by a desire by the attacker to make money. There are 

five primary market drivers that have emerged over the last 3 years that have contributed to 

this: 

Driver #1: Networks are faster, open on the access side, open to the Internet 

and application portals 

Mobile networks are increasingly under threat due to their evolution from closed, circuit switched networks 

accessible via voice only handsets, to open, Internet Protocol (IP) based networks. The access side has opened 

up to mobile devices and 3G data cards. The network side also has connectivity to the Internet and open 

interfaces to external portals. 

Driver #2: Users are demanding more applications on their mobile phones 

Devices are becoming increasingly powerful and have the capacity to run a wide range of user downloaded 

applications. Attackers are able to embed malware within these applications with relative ease. 

Driver #3: The SMS channel is regarded as clean and secure 

There is an unprecedented level of trust in SMS and subscribers are comfortable with using SMS for 

confidential information exchange, payment authorisation and accessing financial and other critical 

applications on their mobile devices. 

Driver #4: Move towards all-you-can-use unlimited messaging and high-limit data plans 

As discussed in the introduction unlimited messaging plans are making the economics and the ROI for sending 

mobile spam via SMS much more attractive and lucrative than ever before. 

Driver #5: Consumer Demand for SMS over Traditional Email Vehicles 

SMS has surpassed email as the number one form of communications between individuals around the world, 

with more than 75% of the global population being active users of SMS/MMS messaging technologies 

(source IDC). SMS is popular because the messaging protocol is supported virtually on every phone, and is 

often viewed as a more efficient and less invasive form of communications compared to voice.



January 2011 

3 Types of mobile spam attacks and examples 

As discussed in the introduction attackers targeting the SMS channel have already gone 

way beyond simple unsolicited spam messages. The need to keep volumes low to avoid 

detection has given rise to a number of sophisticated attacks that yield a high permessage 

return. 

3.1 Types of mobile messaging attacks 

The various types of mobile messaging attacks seen in networks today are: 

1. SMS Spam – This is the most basic form of attack where unsolicited messages are sent to 

subscribers for mass advertising and Social Engineering Viral Hoaxes. In a recent attack 

in the US subscribers were encouraged to forward the message to all of their contacts in 

return for $30 off their next bill. 

2. Premium rate fraud – Unsolicited messages that trick subscribers to call premium rate 

numbers or sign up for subscription services that are charged to the bill. 

Some UK and France examples – 

(1) You have been chosen at random at 9.56 AM and won the check n°409248 ! Call the 0899XXXXXX to know 

the exact amount and to cash! Thank you ! (cts 1.35€+0,34mn). 

(2) Hi, it’s me !I’m still waiting for your call. I hate when you don’t call back. Gimme a call at 0899XXXXXX. 

South African Spam Example that Originated from MTN Nigeria - 

“CONGRATULATIONS! YOUR CELL NO.HAS WON 500.000 POUNDS IN THE ONGOING SONY ERICSSON 

MOBILE PROMO.FOR CLAIM CALL +447045754969 & EMAIL: sonyericsson-inc@europe.com”. 

This message originates in MTN Nigeria from +23480300085500. 

The Australian courts recently convicted a fraudster who tricked subscribers into making 

AUS$4m worth of premium rate calls using a dating scam. Only 1.8m SMS messages 

were sent, giving a return of AUS$2.40 per message. 

3. Phishing (including SMShing) – Unsolicited messages asking subscribers to call certain 

numbers to extract confidential information, which is then used for other purposes. 

For example: 

BANK OF THE CASCADES: urgent account notification, verify unusual activity, call 1800-####. 

When the subscriber called back, the automated system obtained personal information 

from caller. There were 10 unique attacks in 1 day with small volume per attack (5-15K 

messages) which escaped volume based controls and could only be detected by content 

based checking. The customer care costs for one North American operator were around 

$500K per month.



January 2011 

4. VASP Abuse – Unsolicited messages sent to subscribers from services providers for 

marketing purposes. In many countries this is regulated and prosecutions against 

attackers have begun to increase. 

5. Mobile Malware including Bots spreading via messaging – Malware, short for malicious 

software, is software designed to infiltrate a mobile device without the owner’s 

informed consent. Typically this involves mobile messages sending links to and asking 

to download executables that are harmful and lead to application exploits. Three of the 

most common forms of malware include: 

- Virus: A malicious computer application that is able to reproduce itself. It can only infect a new host if it is 

distributed to the host through some means outside of the capability of the computer program. 

- Worm: Self-propagating malicious computer program. It uses some means to send copies of itself to other 

nodes on the network. A worm can spread and infect many hosts very quickly in a networked environment. 

- Trojan: A computer program that doesn’t replicate, but instead enables hackers un-authorized access into 

the infected host. Keystroke loggers are a severe form of a Trojan. 

Customers of Santander bank were recently targeted in an attack where PC botnets 

were used to harvest customers’ internet banking and mobile phone details which, in 

turn, were used to send a virus to their mobile phones. Once the phone was infected the 

attackers were able to authenticate internet payment instructions using the code sent to, 

and captured from, the mobile device, removing thousands of dollars from customer 

accounts. 

6. Acceptable Use Policy Violations - Subscriber generated abuse in violation of acceptable 

use policy for type, content and volume. Subscriber groups could include users that are 

underage, part of a restricted corporate HR policy or data plan, or restricted due to time 

of day. 

E.g. Underage children accessing pornographic content, corporate users forwarding 

personal emails to colleagues wasting company time and money, or opening up 

pornographic content on their business accounts.



January 2011 

3.2 Types of SMS Related Mobile Signaling Abuse 

The perpetrators of SMS attacks have traditionally used mobile signaling abuse techniques 

to gain access to an MNO’s network. This is becoming less prevalent as more networks offer 

unlimited text plans but is still a problem in many regions. The following is a partial list of 

some of the popular messaging related signaling abuse observed in the industry. 

n SMS spoofing: SMS spoofing is when the identity of the sender is taken over by a hacker. 

SMS messages are sent for free by the hacker whilst the victim is charged for sending this 

fraudulent traffic. This scenario can be accomplished using a mobile switching centre 

emulator in a roaming scenario. The emulator sends the message to the victim’s home 

SMSC whilst pretending the victim is roaming in a foreign network. 

n SMS faking: SMS faking is when the hacker gains unauthorised access to the Mobile 

Network Operator’s network by faking the Signaling Connection Control Part (SCCP) 

calling and called party addresses. This enables the hacker to send free messages on 

the victims network whilst pretending the messages have come from another network. 

This typically consumes network bandwidth in both the SS7 cloud and the radio access 

network. The network operator is the victim in this case. 

Some operators are protected against both SMS spoofing and faking with messaging 

security solutions integrating into their mobile SMSC/SMS router infrastructure. 

n SMS flooding: SMS flooding takes place when unsolicited SMS messages are sent to a 

user, which can cause a denial-of-service condition in both the core network and radio 

access networks. 

Mobile messaging security solutions protect against flooding type attacks using SMS 

sender rate-limiting algorithms, volume controls, user-reports, sender reputation and 

sender intelligence.



January 2011 


Spam Increasingly Profitable in SMS 

1.2 

1.0 

0.8 

0.6 

0.4 

4 Analysis of Mobile Spam 

0.2 

SMS Profit 

Average Revenue per SMS 

Cost to send SMS 

Profit Decreasing in Email 


0.0 As more operators deploy anti-mobile spam solutions 0.0 in their network, the mobile 

spammers 2005 2006are becoming 2007 2008smarter 2009 about 2010how they 2005 devise 2006 the potential 2007 attacks. 2008 2009 A detailed 2010 

analysis of several such attacks reveal that the attackers use a variety of sophisticated 

techniques that leverage different message attributes such as volume, sender phone number, 

target URL, target phone number and content. Here are some of the key observations: 

n Sophisticated message modification: Attackers use sophisticated message modification 

techniques and apply it on every part of the message content including: 

- Query strings on call-to-action URLs vary between messages in attack 

- URL shorteners used (tinyurl) with variation in URL between messages in attack 

- Multiple target phone numbers 

- Content variation between messages within same attack (check number, 

distance, time of day) 

n Longer duration: Attacks could last several weeks without interruption, targeting groups 

of subscribers at a time that could be geographically distributed 

n Smaller batches: Spam messages can be sent in small quantities or batches over time to 

Mobile Subscribers GSMA Spam 


Mobile Operators 

Report avoid Spam attention 

to operator Reporting Service 

Reporting Dashboard 

Data feeds enable MNOs to 


Provides operators easy access 

block attacks using preferred 

n Sender number variation: Attackers are to trend observed data and facilitates to use data a sharing batch of a large pool of sender 

technology 

between operators 

ids (MSISDNs) and apply a high variation of sender numbers (an very low use of same 

numbers) within the same attack to mimic 1-to-1 type of message sending patterns 

1.2 

1.0 

0.8 

0.6 

0.4 

0.2 

Email Profit 

Average Revenue per Email 

Cost to send Emails 

High Variation of Sending Numbers Within Attacks 

Attack Messages Submitted Unique Senders Average Messages per Sender Attack Description 

1 981 867 1.1 Click URL to view “video message” 

2 888 779 1.1 Call premium rate # to collect cheque 

3 796 613 1.2 Click URL for “personal message” 

4 680 634 1.0 Click URL for “sms video” 

5 373 332 1.1 Call premium rate # for sexual vmail 

Low Re-Use of 

Sending Numbers 

Between Attacks 

4 

5 

3 

4 

5 

2 

1 

4 

5 

3 

4 

3.5 

3 

2.5 

2 

45 

40 

35 

30 

25



January 2011 

n Personalisation: Use of varying degrees of personalization including the use of recipient’s 

own MSISDN to make the message look more ‘real’ 

n Learn and grow the attack: Sending small quantities of spam messages to observe how the 

operator’s SMS infrastructure, protocol and content filters and policies are responding. 

Typically the attackers collect such data and design their attacks to get around such filters 

and policies. One such example is provided below. 

Impact Volume Limit on Spam Volumes 

12,000 

50,000 

Spam Messages Sent Per Sender 

10,000 

58,000 

6,000 

4,000 

2,000 

Volume Threshhold Implemented 

(5,000 messages per time interval) 

45,000 

40,000 

35,000 

30,000 

25,000 

20,000 

15,000 

10,000 

Total Aggregate Spam Volume Sent (Red Background) 

5,000 

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 

Time Interval 

0 

Here the attackers figured out the volume limits policy by sending several smaller batches of 

messages to evade any volume-based filters. Once this was determined, they started using 

several parallel senders and mounted a much bigger attack (as seen in shaded area). 

5 Conclusions 

It is inevitable that MNOs across the globe will see a rise in the volume and sophistication 

of SMS attacks in 2011. The widespread introduction of unlimited text plans has made the 

economics of SMS spam profitable for the attackers, the SMS channel is trusted, there is a 

billing mechanism in place and subscribers are making use of the increased sophistication 

of their handsets to access sensitive information and make financial transactions. As a 

minimum, mobile network operators need to monitor the volume and impact of SMS attacks 

within their network and be ready to deploy effective counter measures when required.

For further information please contact 

spamreportingservice@gsm.org 

GSMA London Office 

T +44 (0) 20 7356 0600 

www.gsmworld.com/spamreportingservice 

January 2011

SMS Spam and Mobile Messaging Attacks Introduction ... - GSMA

Create successful ePaper yourself

Delete template?

Save as template?