Computer Crime Research Center


SMS spoofing - Q&A with CCRC staff

Date: August 19, 2004
Source: Computer Crime Research Center
By: Denis Pankratov, Dmitri Kramarenko

How long has it existed?

This kind of high-tech felony has existed for a relatively short time. It is a "new lingo in cybercrime", but it might have a horrifying future.

How is the spoofing carried out? What does an individual need?

SMS spoofing became possible after many mobile/cellular operators integrated their networks with the Internet, so that anybody could send SMS from the Internet using forms on the operators' websites or even through e-mail. Unfortunately, I won't surprise you by saying that there is no perfect security; it is only defined by the level of technical sophistication of the malefactors. Thus the Internet forms designed to send SMS may have vulnerabilities in their code. Using these vulnerabilities in websites, malefactors create malicious code (a trojan), usually web-based software, or obtain access to the SMS-Internet tunnel in some other way.

Surprisingly, nowadays you can use legitimate SMS tools that are available on the market for spoofing. For instance, Clickatell, a provider of carrier-grade bulk SMS messaging solutions and applications that can be integrated and used immediately within a global environment, has developed various software allowing bulk and personalized SMS messaging to existing databases, SMS delivery using Lotus Domino, and other integrated SMS solutions. Therefore any person can purchase or even download an evaluation copy to commit this kind of crime. Internet sites offering SMS sending services provide these programs. Collecting subscribers' phone numbers is the main task of these sites: the numbers are quickly entered into a database of phone numbers, and these numbers are often used by spammers. Cellular companies, with all their gateways and firewalls, stand aside from this process, confident in their security.

There is also a dedicated open source tool, “SMS spoof”. It is a PalmOS application that allows you to send spoofed SMS messages. It uses a dialup connection to an EMI/UCP-compatible SMSC. It can be used with a modem connected to the Palm, such as an IR link to a GSM phone with a built-in modem. SMS spoof has been tested with Telenor's SMSC in Norway, but it should work with any SMSC that supports the EMI/UCP protocol, as long as no authentication is required.
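The condition named above, an SMSC that accepts submissions without authentication, is what an operator can close on the gateway side. The following sketch is an added example, not code from CCRC or from any SMSC product: it models a gateway that refuses a submit (UCP operation 51) until the session has logged in (operation 60) and rejects any originator address (OAdC) not provisioned for that account. The account name, numbers and the dict layout used for already-decoded operations are constructed assumptions.

```python
import hmac

# Constructed provisioning data: one hypothetical large account with its
# password and the originator addresses it is allowed to present.
ACCOUNTS = {
    "acct-news": {
        "password": "s3cret-example",
        "originators": {"4790000001", "NEWSDESK"},
    },
}


class GatewaySession:
    """Tracks one client connection to the SMS gateway."""

    def __init__(self):
        self.account = None  # set only after a successful login

    def handle(self, op):
        """Return (accepted, reason) for one decoded operation (a dict)."""
        if op["type"] == 60:  # UCP session management (login)
            acct = ACCOUNTS.get(op["account"])
            supplied = op.get("password", "").encode()
            expected = (acct["password"] if acct else "").encode()
            # Constant-time comparison; unknown accounts fail the same way.
            if acct is None or not hmac.compare_digest(supplied, expected):
                return False, "login failed"
            self.account = op["account"]
            return True, "session opened"
        if op["type"] == 51:  # UCP submit short message
            if self.account is None:
                return False, "submit before authentication"
            if op["oadc"] not in ACCOUNTS[self.account]["originators"]:
                return False, "originator not provisioned for account"
            return True, "accepted"
        return False, "operation not allowed"


def run(ops):
    """Feed a list of decoded operations through a fresh session."""
    session = GatewaySession()
    return [session.handle(op) for op in ops]
```

Rejected submits are worth logging with the session's account and the claimed originator, since a provisioned account presenting someone else's number is the event an abuse team wants to see.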

How can an individual protect himself (herself) from being spoofed?

You should contact both law enforcement and your cellular provider. They should find and block the source in the network where the spammer hides and show it to the police. But this takes too much time and effort. You may also look into your phone’s settings to allow incoming SMS only from authorized numbers, although far from all mobiles have such options. Moreover, there’s no guarantee that a spam program won’t use your friends’ numbers. So there is no silver-bullet solution yet.

Can you give some real-world examples of this crime?

Incidentally, one of my pals has experienced SMS spoofing on his own cell phone. Offenders sent SMS saying: "Your mobile phone was hacked", "It is a trojan", "Nokia is shit", "Your co-workers ordered this attack" and about 50 other irritating messages. And he started to think that we had arranged this attack. These SMS were sent from the Internet "101" number. He turned to the operator, and they were at a loss as to how to react. What could he tell the police then? Next, he just banned all incoming messages from the "101" Internet number and this SMS havoc stopped, though some of his acquaintances might have contacted him in this way.

The Asian School of Cyber Laws (Pune) recently conducted experiments in SMS spoofing at the national and international level. They were able to successfully spoof SMS messages and make them appear to come from other people's cellular phones. These people were using GSM-based cellular phone services in various parts of India and other Asian as well as African countries.

Were there any precedents of prosecuted cases on phone spam?

Not so long ago, on July 22, 2004, the US mobile carrier Verizon Wireless filed suit against Jacob Brown and 50 unidentified individuals, alleging that the defendants sent over 4.7 million unsolicited commercial text messages to Verizon Wireless subscribers, Larry Garfield of infoSync World reported.

The complaint alleged that Brown and his co-defendants sent unsolicited ads to its subscribers advertising ephedra, mortgages, detective software, sexual improvement pills, and similar products. The 4.7 million messages were sent to customers in California, Connecticut, Massachusetts, New York, and Rhode Island in the US. Although Verizon employed spam filtering software on its text message servers, it said that about one million of such messages managed to slip through anyway. Verizon is now seeking an injunction against the defendants as well as damages.

Laws regarding mobile phone spam in the United States are still unclear. The CAN-SPAM Act, which was passed by the US Congress and went into effect on 1 January of this year, instructs the Federal Communications Commission to create rules to protect users against unwanted messages on mobile devices, but such rules are not yet in place and will not be until 26 September. Therefore, Verizon is filing suit under the 1991 Telephone Consumer Protection Act (TCPA), which predates modern mobile phones, on the grounds that SMS spamming software should be considered an "automatic telephone dialling system", which is illegal. The suit also claims that the defendants faked return address information on their unsolicited messages, a practice that is extremely common among e-mail spammers.

Mobile phone spam has become an increasingly large problem in parts of the world that make heavier use of mobile phones, but is not yet an epidemic in the United States the way e-mail spam is. Nonetheless, it is still a problem. Many carriers have taken to employing spam filtering software, while Verizon in particular blocks about 50,000 text spam messages per day.
