Operators stand to lose between $1m to $2m over a one to three day period, as a result of fraudulent SMS campaigns, according to an ex-GCHQ official. Gareth Maclachlan, now COO at Adaptive Mobile, a firm he co-founded, said that cyber-criminals have been carrying out spam and phishing campaigns in the PC/fixed-line internet world for years, but are seeing even bigger opportunities by targeting mobile operators, due to the way the mobile ecosystem is set up.

Dawinderpal Sahota

May 18, 2012

5 Min Read
Operators losing millions to spam, claims ex-GCHQ official
Operators stand to lose millions through fraud, claims COO at Adaptive Mobile

Mobile operators are losing between $1m and $2m over a one to three day period as a result of fraudulent SMS campaigns, according to an ex-GCHQ official.

Gareth Maclachlan, now COO at mobile network security specialist Adaptive Mobile, a firm he co-founded, said that while cyber-criminals have been carrying out spam and phishing campaigns in the PC/fixed-line internet world for years, they are seeing even bigger opportunities in targeting mobile operators, due to the way the mobile ecosystem is set up.

“If I try to perform a crime on the internet, I have to somehow get the user to give up their credit card details, but now people have gotten a little more savvy to it and it’s a lot harder to get people to respond to spam or to click on phishing links and download viruses. It’s got to a point to where if you can make $20,000 to $25,000 on a global email spam campaign, that’s now seen as a very successful campaign from a criminal’s perspective,” he said.

“But the mobile network is basically a huge digital network built for taking money out of your pocket. Mechanisms such as premium shortcodes, premium phone numbers already legitimately exist in order to allow firms to monetise content – so as soon as I get over the security barriers, it’s cheap and easy to run an activity in the mobile space. I can make money far more easily against a mobile network than I ever could on the internet.”

He explained that a common example is when cyber criminals gain remote access to users’ phones to make just a single SMS message, perhaps just once a month, and send it through to a short code that they have registered through a ghost company. They can even deliver a piece of content to the user’s phone that they have created, so it looks like a legitimate purchase.

“If it’s $1 or $2 per message, the user probably won’t notice that on their bill. If it’s prepaid, people often don’t notice either. If it’s on a corporate account, your bill has disappeared into finance, they’ve got no idea that you didn’t actually make that transaction, so as long as you don’t pop above the radar and just continue to make small transactions, you can very quickly build up a very large return.”

There are also a lot of campaigns that will use missed call or voicemail alerts, Maclachlan said, which are run so that it looks like the user is receiving an identical to the message to the one they would normally get if they had a message waiting. But users do not realise that when they try to reply or call back, that number is actually connecting them to an international premium priced phone number rather than their actual voicemail box.

“So you’ll sit there and it’ll play you a dial tone – then you’ll get a message such as: “Sorry we can’t connect you to your voicemail at this time, please try again later.” Most people will hang up, try later and eventually get fed up. Because operators have international settlement, they’ll hand over money to roaming hub companies every day, and in return, they’ll receive some money back for calls that have been passed to them. It’s only 30 days later, when people get their bills they will phone up the operator and start to complain.”

He explained that this is when the operator realises that, two or three weeks ago, it lost money because it transferred too much over to the roaming hub.

“That’s where the operator suffers directly. The subscriber is out of pocket and complains to the operator.  The operator has to incur those costs.”

Operators also get hit by scammers because every time a subscriber phones up and experiences such an issue, the operator is incurring costs to deal with that customer care complaint. Maclachlan estimates that every call to an operator’s helpdesk costs about $10 to handle – so to then investigate, retrieve billing records, go through and try and work out whether the user actually made the call or not – the cost can go up to $50 to $60.

“It actually becomes very expensive for operators and I think this is why operators are increasingly seeing that they have to tackle the source of crime and secure their networks. They just can’t afford to have an escalation in terms of these issues that they are already facing.”

When Adaptive Mobile looks at these attacks, the firm will typically see campaigns hitting operators to the extent that it loses them $1m to $2m over a one to three day period.

“So the losses they may suffer could be quite substantial. Those might be a direct loss or revenue leaking out of a network – through a standard SMS fraud campaign.”

AdaptiveMobile recently conducted its third Global Security Insights in Mobile report, polling 1024 consumers, and found that 83 per cent of consumers would change their operator if their privacy was compromised. In addition, eight out of ten consumers feel extremely strongly about security, representing both an opportunity and a threat for operators today. However, the public is also willing to invest in good security, with 75 per cent willing to pay more to gain privacy-protected apps, according to the mobile security firm’s own research.

It also revealed that 59 per cent of consumers currently feel ‘out of control’ of their phone security, indicating that there is still significant caution around matters such as downloading free applications.

You May Also Like