Business & Technology

Behind the Firewall: Mobile

By Stefanie Hoffman | August 29, 2013

Say what you want about large telcos and other phone companies. Lately, they're putting up a fight to ensure that their customers don't get scammed.

According to a recent USA Today article, several carriers have implemented policies aimed at shielding American users from a burgeoning industry of cybercrime operators behind some of the world's biggest SMS premium texting scams.

As mentioned in a previous Fortinet post, SMS texting scams, otherwise known as SMShing, entail tricking users into downloading an infected mobile app that causes smartphone owners to foot the bill for expensive premium text messages - sometimes to the tune of $20 per text.

Image courtesy of IMeowbot and Intel Free Pass via Wikimedia Commons.


As with phishing and spear phishing ploys, malware operators often rely on a variety of social engineering tactics in order to convince users that the scam is a legitimate offering. The same holds true for SMShing.

According to the article, mobile security company Lookout traced the nefarious activities of at least 10 groups based in Russia and Eastern Europe that were behind a complex and intricate network of affiliate programs.

To say the least, these aren't your mother's hackers. In fact, the groups have been around for years and have the ability to match any sophisticated, multi-level marketing scheme imaginable. Their efforts have paid off, netting them millions of dollars in illegitimate profits.

Not surprisingly, these schemes have run rampant across Asia and parts of Europe - in particular Russia - where there is often little consequence for these types of scams.

Here's how the scams work, according to Lookout: First, operators develop malware that can easily be disguised as popular apps and distributed in independent third-party app stores with little regulation.

Image courtesy of Lookout.


From there, they establish comprehensive online marketing campaigns aimed at luring in potential "affiliates" with cash and other incentives. Those affiliates, in turn, direct victims to infected apps via social media and other online ads.

Naturally, cybercriminals have to talk up their operations to make them appear legitimate. So, similar to their phishing and spear phishing counterparts, they implement sophisticated and nuanced social engineering schemes, leveraging tactics that compel users to install bogus updates for Adobe Flash, Skype, Opera, and Google Play, among others.

Cybercriminals reap the profits once a phone becomes infected and begins sending, and being billed for, premium SMS texts.

As previously mentioned in a Fortinet post, SMS scams have been around for a long time. And, as with other malware campaigns, they will likely evolve to become more sophisticated, evasive and resistant to standard security mechanisms.

Like any good entrepreneurs, cybercriminals are always looking for greener pastures in new and lucrative markets. And with increased reliance on smartphones for necessary day-to-day functions that require copious personally identifying information, such as banking, they won't have to look far.

Consequently, it might not be too surprising to see an upsurge of new SMS premium texting scams emerge on the security landscape in the not too distant future.

With that in mind, there are a few ways that users can protect themselves.

For one, stick to downloading apps from established and regulated app stores, such as Apple's iTunes, the Android App Store or Google Play.

It will also become increasingly necessary for users to install and regularly update mobile antivirus or antimalware software on their devices. While still not widely accepted, mobile antivirus will provide a much-needed layer of defense that will go a long way to stave off SMShing campaigns and other mobile threats.

Finally, users need to learn and abide by their company's mobile security policy regarding their personal devices used in the workplace. For companies, that means incorporating a robust mobile security strategy into the organization's overarching network security policies, while anticipating that BYOD policies will need to evolve to keep up with a groundswell of rapidly changing mobile threats.
