While the sophistication of mobile threats and delivery protocols differ from region to region, all signs point to a precipitous rise in mobile spam, phishing and virus attacks in 2008 said Cloudmark Inc. a provider of carrier-grade messaging security at the Mobile World Congress 2008 this week.
Factors such as the continued growth of mobile messaging, reductions in message delivery costs, inherent network vulnerabilities and new mobile marketing initiatives are converging to create a perfect storm for mobile messaging abuse and North and Southeast Asia are the most "developed" regions in the world in terms of mobile abuse.
Mobile spam is commonplace, driven mostly by the low (or even free) cost to send and receive SMS messages. In China, for example, operators charge less than USD 0.001 to send an SMS message from one mobile device to another. Due to attractive message delivery economics, operators are experiencing rising abuse from both on-network and off-network sources.
• In China, the average subscriber receives 6-10 mobile spam messages per day
•In India, certain operators face spam levels around 30 percent, even after protocol-level filtering
•In Japan, the current spam problem is expected to worsen as operators open their networks to e-mail-to-SMS and MMS services
According to leading mobile operators in the region, attackers are primarily using the following attack methods:
•SMS spoofing and faking -- a type of signalling fraud where spammers impersonate other mobile phone numbers and networks to send out spam
•On-network abuse -- attacks using signalling fraud that appears to come from valid accounts or are sent by attackers actually using valid accounts to send out spam either from unregistered pre-paid SIM cards or other subscriptions where the cost is low.
While mobile spam used to be considered a nuisance -- containing housing advertisements and pornographic messages -- they have morphed into dangerous scams as attackers learn how to monetize mobile spam. Today, new types of mobile spam leverage social engineering techniques to lure users into calling back premium rate numbers, texting premium rate short codes or entering personal information into a phishing site. For example, in Japan, some mobile users were sent messages threatening to expose their participation in a dating club unless they went to a certain phishing Web site to "unsubscribe."
As a result of this new trend in attacks, operators in Asia are facing growing complaints from customers who had previously ignored mobile spam. In addition, operators must contend with costly operational issues resulting from SMS attacks, including a decline in system performance and the impact on SMSC resources. Further, SMS faking and spoofing attacks from off-network sources cost operators hundreds of thousands of dollars each month in inter-carrier roaming and connection charges.
The situation in many parts of Asia has become so severe that government regulators are stepping in to mandate that mobile operators have greater control over mobile spam through such required actions as registration of pre-paid mobile SIMs and implementation of feedback loops that allow consumers to easily report spam using their mobile device.
"Developments in Asia can be viewed as precursors to the types of mobile abuse that will plague operators in the rest of the world," said Jamie de Guerre, chief technology officer at Cloudmark. "Mobile botnets and on-network signalling fraud, where bulk attacks are sent from within the operator's own network, are examples of advanced mobile threats currently seen in Asia that will likely extend to North America and Europe."
According to Cloudmark, mobile operators worldwide are concerned about the impact of growing messaging abuse on subscriber loyalty and overall public perception of an operators' brand, which in turn leads to increased customer churn and higher support costs. Most alarming to many carriers is the damage mobile abuse may cause to future revenue-producing services.
"The growth in mobile messaging abuse is exposing operators to additional and unnecessary costs at a time when they are turning to messaging and mobile advertising to open up new revenue streams," said de Guerre.
"For mobile operators, the greatest risk is that subscribers' zero tolerance attitude towards intrusive mobile spam will prompt them to change providers or opt out of mobile advertising and marketing opportunities, leaving much needed new revenue streams fatally crippled from the outset. For this reason, it's simply not an option for mobile operators to adopt a wait-and-see approach when it comes to their mobile messaging security strategy. Instead, operators must be keenly aware of the potential security challenges that lie in their path and take a proactive approach to protecting their subscribers, their brand and the future success of their mobile services." |
