Carl Weinschenk spoke to Ciaran Bradley, the vice president of handset security products for AdaptiveMobile. On Dec. 19, the Irish security vendor released a report indicating that the U.S. was the victim of the most SMS spam in the world.
Technology moves ever forward – for the bad guys as well as the good. Ciaran Bradley, the vice president of handset security products for AdaptiveMobile, said that the use of SMS spam to further borderline marketing offers is proliferating and that the United States is the most affected country. Bradley told IT Business Edge blogger Carl Weinschenk that a study conducted by the firm revealed the sophistication of these ecosystems is growing and companies offering dubious deals now can utilize one-stop shops.
Weinschenk: What did the research look at?
Bradley: This report goes behind the stats and looks at what is happening with SMS spam in the past 12 to 18 months and investigates the ecosystem to understand what is driving things. The deep intelligence allows us to design more effective defenses.
Weinschenk: What is the top-line conclusion?
Bradley: The spammers we are going up against are motivated and professional people looking to make a buck like anyone else.
Weinschenk: Is there anything that differentiates the United States?
Bradley: What is unusual about the United States and different than other territories in which we are present is that SMS is generated by well-organized criminal gangs.
Weinschenk: What does the landscape look like?
Bradley: The existing affiliate industry, which typically is also known as the Internet marketing industry, is where people promote services of dubious value -- some people call them scams -- via email and websites. For instance, one is the Acai berry diet. Others are work from home or miracle services for health and beauty issues such as reducing wrinkles. They all are of dubious value. That industry already was bordering on scam when it was driven by email. SMS is a gold mine for them. Some of the more unscrupulous ones are targeting SMS to generate new revenue.
Weinschenk: How does it work?
Bradley: An affiliate or Internet marketer signs up for a promotion that they want to advertise. They would then mount an SMS spam campaign with huge numbers of SMS text messages that say something such as, “Congratulations, you won a $1,000 WalMart gift card -- or Target or Best Buy – even though the unscrupulous people are not associated with those retailers. If you got that text – say for a Best Buy gift card – you would be directed to a website that looks like it’s Best Buy but is not associated with them. If you click on the link it will ask you to enter a code in the text message. It then will say, “Congratulations, you won” and then send you to another Web page. That page is run by the person advertising the service. The target has moved from the affiliate to the company running the scam.
Weinschenk: I don’t like the direction this is going in…
Bradley: Then you are asked a series of questions, such as phone number, address and such. But if you read the small print in the terms and conditions it says that the offer is not associated with the brands they are showing. Then they will do something such as outline the steps you need to take to claim the gift card or prize. They are very difficult to meet and it may cost more money than the card is worth. One example may the necessity to agree to two offers from silver and gold awards packages and nine from a platinum package and to refer three people who must do the same. Various approaches require a purchase, filling in financial applications and other things.
Weinschenk: What would the targeted person get from this?
Bradley: Typically the scammers offer a $500 or $1,000 gift card. Depending on how far the victim gets in process there may be trial of the product. The victim has given their credit card number, and one of the terms and conditions may be a minimum commitment of $60 a month for three months, with a cancellation fee of $40 or something.
Weinschenk: If these are such blatant rip offs, why don’t the scammers just take the credit card numbers and sell them?
Bradley: The simple answer is that they put in terms and conditions that are not consumer-friendly -- but probably are legal in most states. They can legitimately say that in their eyes the victim owes them money. If it was a complete fraud or the people were using a [fraudulently obtained] credit card number there would be a refund demanded for fraudulent challenge. The people who are behind these scams spend time and money determining that terms and conditions are borderline legal.
Weinschenk: What is new about all this?
Bradley: The spamming side of it is quite new. The newsworthy thing is that the spammers are sending out text messages for services being advertised by affiliate messages and getting a cut either for a successful sale or if the customer fills out the form. If hundreds of thousands of messages end up with a couple of conversions, those numbers quickly add up.
Weinschenk: So you are saying that the outreach to potential victims via SMS is the new piece.
Bradley: We have seen text messages in the past. What we found is that actually there is a much more sophisticated ecosystem on underground forums to facilitate this. You have lists of mobile phone numbers for the U.S. They are selling them. One hundred thousand numbers can be as low as $400.
Another part of this ecosystem is the SMS blasters, who actually deliver text messages for you. They offer it as a service. You can buy a list from one and go to the blaster for delivery. The bad guy also may say, “I also need some products and promotions,” so they sign up for an affiliate network. The last component is the advertiser, the people who own and run the cheesy services.
Weinschenk: Now that we have this insight into how this works, what is being done?
Bradley: There are ways to offer improved defenses to our customers. These and the other aspect will come out in due time. The affiliates will get the message that it is never appropriate and that their activities are unwelcome.
Weinschenk: I assume they know that and don’t care. Are proactive measures planned?
Bradley: You will see over time that they will feel the pressure. Once the message gets through that the carrier network is not the place for this they will move on to some other format to promote their dubious offers.
You could say that we are taking the battle to them. The thing is that they are no longer anonymous. We have gathered a lot of information on them.
Weinschenk: And once you know that, you have a legal hook. While the offers may be marginally legal, using SMS as a tool in the way you describe isn’t.
Bradley: Sending out bulk unsolicited text messaging is definitely is illegal.
Weinschenk: Is this effort – addressing the SMS element to catch these guys or at least make them change their strategy – just an AdaptiveMobile initiative, or are other parties involved?
Bradley: We certainly are working with our customers and other entities. A very strong element of this is that a number of industry initiatives work quite closely with others in the security and telecoms industry. I myself am the deputy chair of the Messaging Security Group within the GSM Association, which is the global trade body for the telecom industry. Both carriers and private companies are working to take the fight to the bad guys.