Its the economy, stupid. It worked for spammers now, and it will work for spammers in the future.
Successful entrepreneurs (which is what spammers are – as distasteful as their product may be) look for large, growing markets with low-cost manufacturing and distribution to turn a profit. When markets become saturated by competitors and restricted or taxed by regulators, they must seek out new markets.
Mobile messaging is very much like email was back in the late 90s. Mobile messaging (email for North America, SMS for the rest of the world) is the killer app of the mobile era for all the same reasons – we can stay "connected" whenever and wherever. The problem is that all of the abuse that came with email is now coming to mobile devices and for the most part we are just as vulnerable as we were then.
The attackers are not feeling nostalgic, they are feeling opportunistic. Somewhere around a third of all humans have a mobile device and that number is growing exponentially. And while the evasion techniques that the bad guys have learned over the years are still viable, many of the protection techniques that the good guys employed are not being applied across mobile networks or handsets as mobile operators have decided to take a "wait-and-see" approach. The paradox is that people want features first, and then security, but only after the problems become too big to ignore any more.
There are really two categories of mobile threats that are of consequence:
Wireline-to-wireless threats – with technology convergence driving down the cost of bringing traditional wireline services (such as email and web) to wireless networks, mobile email and internet to SMS message abuse is quickly on the rise.
Wireless-Specific Threats –– this includes mobile network to SMS spam, "smishing" (SMS phishing) attacks and mobile malware (namely viruses and worms).
In North America, the mobile spam problem is still perceived to be small since relatively few people have ever received an unsolicited SMS and even fewer have gotten a virus on their phone. Again, it's about economics and market dynamics –– North Americans don't see SMS abuse because we don't use SMS as much as other regions. In South Korea, however, SMS spam is more common than email spam –– mostly because there is a larger audience of SMS users than desktop email, but also because it is very inexpensive to send SMS messages on those networks.
Estimates vary widely, but recent surveys indicate that between 18 and 25 percent of U.S. mobile subscribers have received SMS Spam. However, market and industry trends point to a likely change in spammer behavior in the near future. SMS adoption is growing at more than 100 percent in the U.S. (current usage estimates are at 40 percent compared to 60 percent or more in Europe and Asia) and the major carriers are now offering bundled or unlimited text plans, which will fuel even more traffic. This means that there is a growing market and reduced cost of distribution for the attackers.
So it's not a question of if SMS spam will become a problem, it's a question of when. It's also a question of how to deal with it when it does reach the phone.
On the computer, there are many different options for blocking spam and a nice big screen with a mouse and full size keyboard to quickly recognize, block and delete the messages that may still get through. However, even on today's most advanced mobile devices, dealing with spam is a major nuisance. Blackberry is a wonderful way to send and receive mobile email, but it can be a maddening experience for users trying to sort through the volume of spam delivered to the device while their desktop client efficiently sorts or deletes these messages automatically. With spam volume reaching 95 percent of all consumer email, this represents an enormous waste of network resources as well as personal productivity.
It's important to note, however, that spam is actually one of the weaker financial performers in the attacker's portfolio. A 0.1-percent response rate on 2 million messages advertising a $3 blue pill only yields $6,000 in revenue. The real money is in identity theft and scams that are delivered through phishing attacks. Again, we look eastward to see the trends. Asians and Europeans regularly use their mobile phones for payments, banking alerts and premium rate subscriptions. In those countries, "smishers" have successfully targeted mobile users to either extract personal information or to sign them up for fraudulent services. The very fact that this type of attack is so unexpected and so difficult to distinguish from a legitimate message is why attackers are so successful. In addition, the text limitations of SMS make it difficult for users to differentiate legitimate requests from scams – when the only option is to press "ok," even sophisticated users can be fooled at least once. Just recently, major U.S. banks, including Wells Fargo and Bank of America, announced the availability of banking by mobile phone. Now, consumers can use their cell phone or smart phone to access balance information, receive automatic account alerts, pay bills, transfer funds and find nearby ATMs or banking centers. The advent of mobile banking opens the doors to a new area of fraud.
As mobile devices adopt more advanced operating systems, they become vulnerable to more categories of abuse. The Symbian OS, which is popular on phones in Europe and Asia, is estimated to have 200 known exploits, some of which could potentially access SIM cards for spoofing or hijacking personal information –– think about the potential consequences for professionals who access corporate resources through their mobile devices. As data transfer rates increase and devices remain connected, keylogging and remote controlled exploits could become commonplace just as they have in the fixed line world. The attackers have more freedom to distribute these mobile exploits in email and SMS because the end-users are less aware, less restricted in their actions and poorly equipped to deal with the consequences. There are also other distribution methods emerging, including MMS for pictures or video and Bluetooth, both of which have been exploited for viruses and advertising.
Nuisance ads and scams are here today and the potential for serious abuse is real. It will only take one outbreak like "Melissa" or "I Love You" to raise awareness. With predictions of multi-billion dollar revenue streams from mobile commerce, mobile advertising and content delivery, we need to keep focused on protecting the channels and the endpoints. The good news is that traditional security firms are working to deploy client-side protection and content filtering solutions are beginning to be deployed in mobile networks. Some options include:
Blacklisting or barring certain mobile numbers from sending to their network. The downside? Messaging abuse originating from overseas networks or from the internet is more difficult to control because it is difficult to validate the origin and requires cooperation from other service providers. SMS spoofing and hijacking third-world mobile networks are already commonplace and this will only have limited benefit as we have seen with email.
Filtering messages is another option, but filtering on the handset is challenging technically with so many different operating systems and capabilities on current handsets. Even if there was significant consolidation of handset technology in the market, the ability to distribute updates to so many end-points is daunting. Carriers, software developers and handset manufacturers would need to work very closely to ensure the viability of this approach.
A third option is message filtering solutions that are capable of intercepting traffic in real time within the carrier network. Messages can be evaluated in any format or language (email, SMS, MMS, etc) and filtered based on protocol or content properties. This is the approach that has proven to be most successful recently in major wireline carriers. As technologies converge and carriers continue to consolidate and offer multiple service lines (internet, phone, wireless and television), this will likely be the preferred solution.
Whichever approach mobile carriers and handset manufacturers choose to look into, the time to start looking at options is now, when they can still be proactive –– the reality is, after all, that they have a lot at stake in keeping things safe. The real risk is that people have the same irrational exuberance over the mobile opportunity that existed during the internet boom and forget the fundamentals of economics and security.
- Dave Champine is senior director of product marketing at Cloudmark
