In recent months there has been a significant increase in user complaints about receiving Viber spam. Analysing the latest spam messages, we can see they are consistent in their language and in their call to action: click on a link to watch a video tutorial. The messages, shown below with the corresponding destination website, use financial motivation to encourage the user to click on the link. As is evident through these two examples, the attacker offers a substantial amount of money (between €450 and €550) and then drives the victim to a website which boasts the opportunity to earn even more money. This is a common tactic amongst OTT messaging attacks.
The websites themselves are noteworthy in that the attackers have obviously tried to build the credibility of their page by including logos from reputable news outlets as a reference point for their product, including SkyNews, Bloomberg and BusinessWeek. They also include logos from McAfee Secure and VeriSign Trusted in an attempt to validate the security of their website. The attackers are well-versed in societal norms and are abusing the strength of these brands to lure victims into a false sense of security.
Comparable to our last analysis of Viber spam, the sending messages are still coming from the same operator in China, and they’re attacking users in countries all over the world. We’ve also detected WhatsApp spam coming from regions in China and India.
The Viber app launched in 2010 has over 249 million monthly active users from its 606 million registered users worldwide. Twitter shows users voicing their concerns and frustrations about the incessant spam messages again and again.
(Sample Tweets from users: @Dee83x and @burkes_backyard)
Presently available in 36 languages, the app’s global presence is rising; however, with an increase in global presence comes an increase in responsibility.
Ensuring that users are protected from spam messages is stated to be Viber’s top priority. A statement on their website support page says just that; in addition the page provides a number of ways to help protect users from receiving spam messages.
This, however, is only the start; while Viber works to decrease spam, they also need to stop users from leaving the application and heading for the competition.
In an attempt to maintain their user base Viber is continuously pushing out updates to the application – the only change in their latest release being an attempt to decrease the amount of spam messages users are receiving.
And reportedly, Viber is also testing a new function in select markets which allows users to choose whether or not they would like to view the message before blocking it. If they do choose to view to view the message, the user can decide whether to Add to Contacts, Report Spam or Block Contact.
But what if this isn’t enough?
In July, we wrote about the influx of OTT spam and the evolution of spammers from across the world. OTT applications have become the logical next step when hackers want to ‘cross-over’ from targeting SMS users to the growing base of people using these applications and these criminal groups are continuously fine-tuning their messaging abuse tactics to increase their ‘hit-rate’. These attackers approach spam like a business, focusing on the total addressable market. As the market evolves, so does their target audience.
Viber already offers one solution to this growing issue, which is to go into the message and block the contact in an effort to shut down any further messages. This however is a short-term response and attackers can simply use new accounts - they are always looking for new ways to circumvent defences. For example, as we highlighted in previous WhatsApp blog posts, a newer abuse tactic to deal with defences there has spammers creating a group, adding a selection of sequential numbers to the group (in an effort to hit as many users as possible) and then deleting the group – essentially making contact blocking irrelevant. Right now this tactic is specific to WhatsApp but as spammers evolve, they will continue to come up with tactics like these to circumvent any defences in place.
A new suggestion has come to the forefront by users and is quickly gaining momentum. The recommendation is to only let contacts message you; however, introducing a setting that makes it possible to ‘block unknown numbers’ is a bold move for a company in the communications industry.
(Sample Tweets from users: @jzzskijj and @BrennyK23)
We need to consider the implications should Viber install this new feature. From a design perspective, this function extremely limits the ease at which people can use the application. By forcing users to add a contact to their address book before receiving a message or call, Viber is limiting users’ ability to connect with any one of the 606 million registered users.
The main objective of a messaging application is to enable users worldwide to send messages and calls with simplicity. Developing a more complicated process is not likely to be taken well by users and means that Viber cedes the ability for subscribers to communicate without already being contacts.
As users repeatedly take to social media to voice their concerns, Viber – and other OTT messaging applications – will need to make a firm decision. The concept of limiting talking to other subscribers is a backward step in the evolution of communication and any system that wants to be truly open needs to consider alternatives before imposing such a measure. The ideal – but much more difficult solution – is to address this spam problem by building in better defences. Protecting users against any type of attack should be their number one priority and OTT applications are now facing a business decision with serious consequences.
Viber is faced with a dilemma and needs to determine where they stand to gain the most – a loyal base of current users or a growing list of less spam-tolerant users.
Should they implement recommendations from their current subscribers at the expense of making it more difficult for new users to join, or should they invest the financial and personnel resources into upping their security defences? The time to act is quickly approaching and OTT applications need to decide: is design more important than security?
(Tweet from @jcruzzfotodotcom)
Special thanks to Cathal Mc Daid, Ciaran Bradley, Barry Scallan and Colm Keena for their contribution to this blog.