When it comes to the messaging ecosystem, we know the threat landscape is constantly evolving as attackers vary their methods to bypass new regulations and other developments, but the significant threat to enterprises' brand reputation and profitability remains a constant.
Our CSO, Simeon Coney, expanded on this statement in his talk on New Threats to Enterprises at the MEF Wholesale Connects event back in September.
In a virtual discussion with MEF’s director of programs, James Williams, Simeon explored the most concerning new and evolving threats to the messaging ecosystem, the detrimental impact these threats are having on enterprises specifically, and the steps that should be taken to mitigate the effects. Although the messaging industry has been proactive about providing defenses, attacks continue to occur, grow, and evolve. Counting down from 5, Simeon outlines the most concerning new threats to enterprises we are seeing in the messaging industry.
5. Using Message-Based Services for Fraud
The use of services for fraud is in at number 5. We are beginning to see a new range of techniques using existing, legitimate services to commit fraud. Enterprises are deploying several legitimate message-based services. For example, when a new customer is acquired, they will be asked to provide some registration details – name, address, phone number etc. A welcome message or similar is often sent to the customer’s phone after registration. We have seen attackers signing up to this service and entering phone numbers in high-risk, high-cost destinations. This means that when the "welcome message" is sent, it generates revenue for the fraudster, costing the business more. Unfortunately, these enterprise companies often have limited knowledge of the varying rates for sending messages, so this fraudulent activity is not caught until they receive their bill after the fact, at which point the traffic has been generated, and the cost has been incurred.
See below examples of high-risk, high-cost destinations identified in blue:
Map identifying locations with high-cost sending rates
Looking at the structure of the attack, we can see that the fraudsters test out their methods before committing to higher volumes:
Bar chart illustrating the volume of message-based fraud over time
SMS Fraud Mitigation
So how do we mitigate this threat? For attackers, the revenue rewards from this type of messaging fraud can be lucrative – therefore they continue to carry out these attacks. One countermeasure operators can take is a volumetric approach – watching for elevated levels of SMS traffic to a particular destination. Similarly, analyzing relative and even absolute rate changes could be another detection method. Simeon recommends a range of intelligence-led techniques across domains as the most effective way of mitigating these attacks. This means considering multiple variables - the risk profile of certain destinations, the ratio of contacts to specific destination numbers, saturation densities, and analyzing the behavior of suspicious accounts. Read our Commercial Traffic Management product page to learn more.
Williams makes a good point: What we don’t want to do is block whole number ranges, operators, or countries to stop these attacks. We need to tackle this activity before getting to that point. Even as a last resort, blocking a whole nation from receiving all traffic is not advised as this would prevent legitimate traffic from reaching a vast number of users, alienating a significant range of customers, and preventing them from accessing the SMS services they need.
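The volumetric and rate-change checks described above, as an added illustration that is not from the talk or from any product: it runs over a constructed welcome-message send log and flags hours in which traffic to an assumed high-cost prefix exceeds an absolute threshold or jumps relative to the preceding hours, the "probe then burst" pattern visible in the chart. The prefixes, thresholds and numbers are assumptions.

```python
from collections import Counter, defaultdict

# Assumed high-cost destination prefixes (placeholders for this example).
HIGH_COST_PREFIXES = {"+881", "+882", "+252"}

# Constructed per-hour welcome-message send log: (hour, destination number).
SEND_LOG = [
    (0, "+14155550101"), (0, "+14155550102"), (0, "+447700900101"),
    (1, "+14155550103"), (1, "+8811234567"),                      # single probe
    (2, "+14155550104"), (2, "+447700900102"),
    (3, "+8811234568"), (3, "+8811234569"), (3, "+8811234570"),
    (3, "+8811234571"), (3, "+8811234572"), (3, "+8811234573"),   # burst
]


def prefix_of(number, prefixes):
    """Return the high-cost prefix a number falls under, or None."""
    for p in prefixes:
        if number.startswith(p):
            return p
    return None


def hourly_counts(log, prefixes):
    """Messages per hour, grouped by high-cost prefix."""
    counts = defaultdict(Counter)
    for hour, dest in log:
        p = prefix_of(dest, prefixes)
        if p:
            counts[p][hour] += 1
    return counts


def detect_high_cost_spikes(log, prefixes, abs_threshold=5, rel_factor=3.0):
    """Flag (prefix, hour, count) when traffic to a high-cost prefix either
    exceeds abs_threshold (absolute check) or is at least rel_factor times
    the mean of that prefix's earlier hours (relative rate-change check)."""
    alerts = []
    for p, by_hour in hourly_counts(log, prefixes).items():
        history = []
        for hour in sorted(by_hour):
            n = by_hour[hour]
            baseline = sum(history) / len(history) if history else 0
            if n >= abs_threshold or (baseline and n >= rel_factor * baseline):
                alerts.append((p, hour, n))
            history.append(n)
    return alerts


if __name__ == "__main__":
    print(detect_high_cost_spikes(SEND_LOG, HIGH_COST_PREFIXES))
```

The hour-1 probe stays below both thresholds, so an operator relying on this check alone learns nothing until the burst; combining it with destination risk profiles and account behaviour, as the text recommends, is what catches the probe.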
4. Brand Phishing Attacks
Brand phishing attacks have been taking place for many years, but more recently we have seen increasingly sophisticated techniques. This is an issue for enterprises as their customers and employees are now being targeted, with attackers attempting to access and compromise essential internal systems using various techniques. The example below demonstrates how attackers have been using legitimate domain names – Uber in this case – to start a conversation with the user (observe the call-to-action: "Reply Stop") and gain the user’s trust to obtain personal information:
In the following examples, the attacker states that urgent action must be taken relating to a user’s Grab account to get them to click a link:
Mitigation of Phishing Attacks
Due to the precise nature of some of the targeted attack campaigns, volumetric detection methods will not be effective, as far fewer messages are being sent in the case of spear phishing or whaling attacks, for example. This means the volume of these messages sits below any typical detection threshold of a standard fraud detection mechanism using volumetric techniques.
Another issue Simeon flags is the legitimate messages being sent by businesses. Take a second to compare the following messages. Which one do you think is fake?
If you guessed the first message was fake, you are incorrect. The problem Simeon is highlighting here is that the phishing message actually seems more legitimate than the real message sent by Bank of America. The link in the phishing message references ‘bankofa’, whereas the link in the official message consists of random numbers and letters. Additionally, there are no obvious spelling errors, making it trickier to differentiate between the real and fake messages. Phishing messages are becoming more sophisticated and harder to distinguish from legitimate messages, and mitigation is becoming harder too. Even filtering by suspicious domain names is less effective now, as attackers can easily switch over to a new domain name after 100 messages or so. Again, Simeon recommends a combination of techniques to mitigate these attacks, including analyzing the call to action, detecting suspicious URLs, and identifying unauthorized senders from similar campaigns.
3. SS7 attacks against brands
SS7 attacks are not new, but we see an increase in their usage, especially in the areas of interception and redirection. The stakes are exceptionally high when the sender is a bank or financial institution, running the risk of things like one-time passwords for users’ online banking being redirected to an attacker. Simeon references an excellent report from the Financial Inclusion Global Initiative (FIGI) which you can find here. The following figures display the types of telecom attacks we see in the EU and their frequency, which have been pulled from this report.
Source: Financial Inclusion Global Initiative (FIGI)
Source: Financial Inclusion Global Initiative (FIGI)
These types of attacks have a knock-on effect on the whole messaging ecosystem. If the end user is impacted, they lose trust in the sending brand, which affects the ecosystem.
Mitigation of SS7 Attacks
When it comes to mitigation, the following four standards written by the GSMA cover a broad range of attacks and are good reference points:
However, the rates of implementation of these standards amongst operators are concerning:
Source: Financial Inclusion Global Initiative (FIGI)
Although the implementation rates of standards like SMS home routing are good, what stands out here when we are discussing SS7 attacks is the implementation of signaling firewalls, which sits at a low 28.2% of operators. Firewalling is a technique that is strongly recommended and endorsed in the above standards. Mobile operators are responsible for their network infrastructure and are thus responsible for protecting it from these attacks. Implementing an effective signaling firewall is important for protecting users and enterprises from SS7 attacks, so these firewalls are essential for the health of the messaging ecosystem. This is undoubtedly an area where improvements can and should be made.
2. Artificial SMS Traffic Inflation Fraud
Artificial traffic inflation is a new and growing threat to the messaging ecosystem, as attacker techniques evolve to avoid detection. The impact of this threat should not be underestimated. To illustrate this, the graph below shows the volume of artificial traffic affecting just one brand in a single network:
Graph of the volume of artificial traffic affecting one brand on a single network
The impact is huge if we think about this volume in terms of whole regions with multiple networks, and multiple brands within those networks. I will also mention here, as James Williams noted, that had these volumes remained at the low rates they were at before the spike we can see in the graph, they could have gone on, potentially forever, without being detected.
Mitigation of Artificial SMS Traffic Inflation Fraud
These attackers have seriously upgraded their techniques, making detection much harder. Previously, sequential number ranges have been used as a detection method, but we are now seeing more realistic looking numbers rather than sequential ranges. In the past we have addressed traffic bursts as a method of mitigation, but now we have cleverer phasing of traffic submission, rendering this method of detection less effective. We have also looked at the rate of message failure to detect these messages before, but again, attackers have evolved, using tools that can bypass mechanisms searching for high failure rates. Even the spoofed content we have previously seen in these messages has migrated to real message content, meaning we can’t identify artificial messages by the content anymore.
Fortunately, a lot of this traffic is still detectable. Enea AdaptiveMobile Security is still identifying large instances of the behavior and blocking it, but the way these techniques have evolved is a concerning issue pertinent to the messaging ecosystem.
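The legacy detection signals the section above says have been eroded (sequential number ranges and high failure rates), as an added example that is not from the talk or from any product. It scores a constructed per-sender delivery log with both checks, then shows the same checks staying silent on a second constructed log shaped the way the text describes evolved traffic (realistic-looking numbers, deliveries that succeed). All numbers and thresholds are assumptions.

```python
# Constructed delivery log for one sender: (destination, delivered).
# Classic artificial traffic: a sequential block with many failures.
DELIVERY_LOG = [
    ("+14155550200", True), ("+14155550201", False), ("+14155550202", False),
    ("+14155550203", False), ("+14155550204", True), ("+14155550205", False),
    ("+447700900321", True), ("+491701234567", True),
]

# Constructed "evolved" traffic: spread-out numbers, every message delivered.
EVOLVED_LOG = [
    ("+14155550931", True), ("+14155557702", True),
    ("+14155552210", True), ("+447700900455", True),
]


def longest_sequential_run(destinations):
    """Length of the longest run of consecutive destination numbers."""
    nums = sorted({int(d.lstrip("+")) for d in destinations})
    if not nums:
        return 0
    best = run = 1
    for a, b in zip(nums, nums[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best


def failure_rate(log):
    """Fraction of messages that were not delivered."""
    if not log:
        return 0.0
    return sum(1 for _, ok in log if not ok) / len(log)


def classify_sender(log, min_run=5, max_fail=0.3):
    """Return the legacy signals that fire for this sender's traffic."""
    signals = []
    if longest_sequential_run([d for d, _ in log]) >= min_run:
        signals.append("sequential_range")
    if failure_rate(log) > max_fail:
        signals.append("high_failure_rate")
    return signals


if __name__ == "__main__":
    print("classic:", classify_sender(DELIVERY_LOG))   # both signals fire
    print("evolved:", classify_sender(EVOLVED_LOG))    # nothing fires
```

The empty result for the evolved log is the point: once numbers are spread out and deliveries succeed, these two checks alone see nothing, which is why the text moves to behavioural and content-independent indicators.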
1. Customer Distrust of Messages
Finally, topping the charts is customer distrust. The culprit? You guessed it: grey routes. While generating revenue for some, grey route behaviors have long-term damaging consequences for the ecosystem. We are seeing sender IDs and, indeed, message content being manipulated on a global basis by grey routes.
The pie chart below illustrates the percentage of messages that were altered between the point at which the enterprise sent them and the point at which the end user received them. Shockingly, only 3% of these messages were received unaltered. In all other cases, they were changed to some implausible sending identity.
Pie chart illustrating the percentage of messages manipulated by grey routes
Attackers design the alterations to those messages to encourage the user to respond to the message and reveal personal information. The implication for the brand is that users stop trusting legitimate messages and legitimate sender identities. In response to fraud attacks, brands will often specify their sending ID to customers, stating that they can trust messages from them. Unfortunately, this opens the door for threaded inbox attacks, where a message is spoofed and engineered to appear in the same string of messages as the legitimate sender ID. Enea AdaptiveMobile Security has observed a significant increase in the false reporting of legitimate A2P messages because of these types of attacks. We can conclude from this that customers trust legitimate services less and are thus not responding to these services. Simeon emphasizes the significance of this threat: when consumer trust is gone, they will look for alternative services. If this ecosystem does not monetize those alternative services, that is a significant revenue loss. This is why customer distrust is at the top of this list.
Recommendation: awareness and education
When asked for his advice for fighting fraud, Simeon recommends awareness and education. This applies to all members of the messaging ecosystem – operators, enterprises, and users. The industry is now at a point where it is clear what must be done. We need to understand and accept that it will be an ongoing process as we implement new standards and defenses, attacks evolve, and attackers become more sophisticated. For enterprises, being vigilant to emerging and changing attacks, and educating themselves regarding the techniques and impact of these attacks on their customers and consequently their brand, will significantly improve their ability to mitigate threats effectively.
Caitriona is a recent graduate of the National University of Ireland, Galway, where she completed a bachelor’s degree in global commerce. As part of her degree, Caitriona studied abroad in Canada and worked as a marketing intern back in Ireland. Over the course of her studies, she developed a passion for both marketing and cybersecurity, specialising in marketing in her final year. Caitriona is now working as a marketing assistant at AdaptiveMobile Security, a role that marries both of her passions.