We recently encountered an interesting activity involving the use of International SMS termination to defraud mobile subscribers. This was not the usual SMS phishing scam, frequently referred to as Smishing. The outline below is intentionally vague so as not to alert perpetrators as to how we are combating this threat, but detailed enough to make other operators aware of this potential issue.
One of our customers brought to our attention that they were contacted by some subscribers who had received unexpectedly large mobile bills. The main cost was SMS messages sent to various international numbers. The users claimed that they had never sent these messages, and based on their previous bills, it appeared to be completely out of character. As a result, the International SMS portions of the bills were waived.
Our customer then asked us to investigate this issue as we supply all their SMS infrastructure, including their fraud prevention and protection system. Our initial investigation identified what appeared at first to be an elevated person-to-person SMS traffic to three different international jurisdictions. In all cases, multiple destination MSISDNs were used.
We initially thought this might be distributed SMS Gateway applications that attempt to consume the unused portion of the subscribers bundle in exchange for monetary reimbursement. However, this isn’t the typical traffic pattern of such activity which tends to stay on-network. Through subsequent investigation, we inferred that some “free” applications are being installed by the subscribers (for Android these applications are almost certainly side-loaded, not from the Google Play Store).
These “free” applications request for multiple permissions when installed, including permission to send SMS messages (or on vulnerable devices, using exploits to achieve the same thing without user interaction).
In the background, unbeknownst to the subscriber, the application is sending international SMS messages and the subscriber is being charged for them.
These messages are sent to numbers associated with services that revenue-share between mobile operators and service providers, but look like normal MSISDNs. (As an aside, the first emergence of this functionality was called a “Foreign Subscriber Gateway” or “FSG”. It was launched by Logica back in 2001, and many of us here at Openmind actually worked on that product). These services have many legitimate uses, and we are not suggesting that the destination mobile operators are knowing participants in the activity we are describing.
The way these services usually work is that an organisation can register with a mobile operator for FSG-like services, and are assigned one or more MSISDNs. Messages arriving for that MSISDN are sent to the organisation over SMPP/HTTP and the termination revenue is shared.
What we believe seems to be happening is that an organisation is registering these FSG MSISDNs in many different operators, in many different jurisdictions and are embedding the functionality to covertly send messages to these MSISDNs in a monetisation library included in the “free” application.
While the content of the messages appears either random or attempts to look like a person to person message, the messages also contain an identifier which, we believe, is used to identify the application and distribute the revenue. We see many different patterns for constructing the content of the messages which leads us to believe that this monetisation library is quite widespread.
As an example of the breadth of the exploit, in one 24 hour period, we identified over 800 different MSISDNs being used for this exploit in over 40 different jurisdictions.
Openmind Networks has a mechanism to identify these MSISDNs in near-real time, and this list of MSISDNs can be fed into any SMS Firewall product to mitigate this issue.
