An Open Letter to Mobile Operators: How to Stop SMS Phishing Attacks
Paul Walsh
Making the internet safer through a radically new, human-centric approach to anti-phishing security. Most leading security companies license my patents for mobile app security. More pending for SMS security.
Dear Operator,
Mobile malware isn't new but hackers have now realized how easy it has become to deliver mobile malware, spyware and banking trojans via SMS phishing URLs. If you think FluBot is bad, I'm sorry but life is going to get much worse unless we implement the right type of solution.
After polluting the world with COVID-19 and other forms of SMS scams, hackers discovered that "cybersecurity" companies don't offer products and services for SMS. There are lots of consumer apps, but none of them can stop new deceptive URLs inside SMS messages.
As I'm sure you're aware, SMS Firewalls are designed to help MNOs gain insights and protection for SMS traffic and revenue. But what you don't know is that while they block over 95% of "SPAM", they're not cybersecurity firewalls, and they do absolutely nothing to stop FluBot or other SMS-led phishing attacks. In fact, I've tested every MNO in the UK and not one stopped a single message with a known phishing URL.
Why I think FluBot is a game changer for hackers
[Update: 7th June 2020 FluBot hits Ireland]
[Update: 24th June 2020 - The Irish Times publishes a story about MetaCert's solution that has the potential to kill SMS scams (not a press release)]. Read the article here.
After leading some notable projects in the mobile space, I came to understand and appreciate your commercial considerations, infrastructure, and business processes. I empathize with your current situation because mobile malware being delivered via SMS phishing URLs was extremely rare before now.
Now that it's obvious to hackers that no MNO in the world can stop a single message with a new deceptive URL before maximum harm has been done, they're likely to come at you with more of the same. Moreover, they're more likely to use SMS-led phishing campaigns to target your business and enterprise customers' networks and their customer data. It's no longer just about "subscribers". The perception that this is a consumer problem is wrong. It's everyone's problem now.
Even Proofpoint struggles to offer a solution for you
Proofpoint is the Goliath of anti-phishing security for email. They published a very comprehensive analysis on the entire FluBot situation here - it's an incredibly helpful report for non-technical management as well as engineers, and is referenced by other security vendors and many media outlets.
In conclusion, Proofpoint's advice for stopping FluBot is:
"Be wary of unexpected SMS messages"
All leading security vendors think it's hard
- F-Secure: "Use antivirus for mobile devices", "Don't open suspicious links", "Avoid shady apps", "Don't give apps unnecessary permissions"
- Malwarebytes: "Don't click!"
- Sophos: "Install anti-virus software"
After a thorough search online, I found that everyone seems to have the same advice:
- Media: "subscribers should avoid opening links from people they don't know"
- Industry analysts: "subscribers should avoid opening links from people..."
- Security vendors: "subscribers should avoid opening links from people..."
- Brands: "subscribers should avoid opening links from people..."
- Banks: "subscribers should avoid opening links from people..."
- Operators: "subscribers should avoid opening links from people..."
Meet the experts who investigate and classify suspicious URLs
In the context of FluBot and phishing URLs, there are two types of vendors in the cybersecurity industry:
- Vendors who own a threat intelligence system - such as Google, Cisco, Akamai, Mimecast, Webroot, MetaCert, Symantec and Microsoft. More vendors exist, but it's a very small list. These vendors also offer products and services.
- All other security vendors license "threat feeds" (URL blocklists) from the vendors above. Leading anti-phishing vendors integrate more than one feed in an attempt to block as many known dangerous URLs as possible.
Why it will never be possible to detect new deceptive URLs in SMS messages
- Criminals are finished with a deceptive URL as soon as enough people have fallen for it. For SMS, that's about 3 minutes.
- Leading vendors need 2 to 3 days to investigate and classify new suspicious URLs as dangerous.
- If you're exceptionally lucky, you can have a phishing site taken down after 24 hours.
Similar to the concept of single-use water bottles, deceptive URLs are typically used for a single campaign or targeted attack. Even if we could block a new UNKNOWN dangerous URL in 5 minutes, maximum damage has already been caused.
How to test solutions that promise to stop FluBot
I had some people run tests across every operator in the UK in June 2020 because SMS scams seem to be rampant there - not one of them stopped a single message with a deceptive URL. So, testing a new solution will be quick and easy - send a message with a new deceptive URL to yourself on your own network.
Grab a URL at the top of the search list on PhishTank and send it to yourself in a message. When your SMS spam filter doesn't stop it, you'll know it's time to get anti-phishing security. Remember, while good spam filters block more than 95% of spam, they block zero messages with new phishing URLs. Blocking phishing URLs that hackers no longer care about doesn't count as meaningful security.
The journey that led hackers to SMS
Criminals targeted mobile apps before SMS
When MetaCert built the first patented in-app security integration for mobile apps, few people even knew what a WebView was. Aside from us, nobody thought in-app security was a problem. Today, it's obvious that opening links inside an app is a potential threat, and leading mobile security vendors provide solutions to tackle it.
Criminals targeted Slack before SMS
When MetaCert built the first patented security integration for Slack (as well as HipChat, Skype and Messenger), nobody thought it was necessary because phishing attacks were never reported on Slack. I predicted it would become a problem because it didn't take a rocket scientist to figure it out. Gartner analysts were skeptical whenever I met them in person, and security vendors thought it was a waste of time. Today, many leading security vendors provide anti-phishing security integrations for Slack, and Gartner has a "magic quadrant" for its favorite vendors.
Telegram and Discord
After we killed the phishing epidemic on Slack for the cryptocurrency world in 2017, criminals quickly left and moved their campaigns to Telegram and Discord. MetaCert didn't build security solutions for either of those platforms because we began to realize that being too early isn't good for business. Today, criminals are happily walking away with hundreds of millions of dollars' worth of crypto, while also targeting specific companies with spear phishing attacks that lead to major data breaches and the theft of customer data.
If anyone reading this letter would like to build a solution to stop phishing on Telegram or Discord, get in touch as we have an API to make it easy for you.
Then, they came for SMS
When MetaCert first brought SMS phishing to the attention of some mobile operators and SMS Firewall vendors, nobody cared enough to do anything about it. And it's not like SMS scams haven't plagued society for the past two years. Why now? Answer = FluBot. FluBot is infecting mobile devices with malware that's more nefarious than anything I've seen before.
There's no hiding from FluBot and it's not going to stop unless something different is done to address it. But if history has taught us anything, it's that criminals will stop targeting SMS as soon as it becomes prohibitively expensive for them. When we kill SMS scams, criminals will move to whatever platform offers the path of least resistance. Today, SMS is the easiest target I've ever seen:
- 99% delivery rate
- 95% open
- Almost every victim opens within the first 3 minutes
- Access to massive amounts of sensitive data on mobile devices
- Mobile devices are used for 2FA
- Easy to install banking trojans and spyware
- Impossible for AI spam filters to differentiate between a phishing text and a legitimate one
- A mobile webpage is 10x quicker and easier to set up than a fake desktop website
- Hackers know that there's ZERO SECURITY for FluBot - that's why they're still using it in Europe.
Let's try something different
Why
I believe Internet security is flawed by design, so it's time to redesign it.
The entire security industry continues to "assume every URL is safe... until confirmed as dangerous", even though phishing was first discovered on the AOL network in 1995. According to the FBI Threat Report, 2020 was the worst year in history for phishing, and the first quarter of 2021 is worse than Q4 2020. It's getting worse and worse, and I don't see any sign that this trend is going to change in our lifetime.
While everything you read and hear will lead you to believe that today's phishing attacks are more "sophisticated", they're not!
- Email Phishing = deceptive URL
- Slack Phishing = deceptive URL
- In-app phishing = deceptive URL
- Social media phishing = deceptive URL
- SMS Phishing = deceptive URL
There are phishing techniques that don't involve URLs, but they're few and far between by comparison.
The FluBot malware itself is very, very sophisticated, but I personally don't think about it because I'm focused on making sure people don't open the URL that leads to the download. A vaccine is better than a cure. Why spend massive amounts of time, energy and money on studying the malware when it will never be hosted on your network?
Let's provide space for the anti-malware security professionals to focus on a solution that helps with the removal of malware once it has infected a device or network. Don't allow it to distract you when all you should care about are the URLs subscribers think are from people they know.
There's only one way to stop FluBot
I see a world in which SMS messages are trusted and loved by everyone. This can happen if we make it easy for subscribers to spot a new scam in less than 3 seconds.
With my proposed Zero Trust approach, hackers won't even get past their own personal test - no matter what phishing URL they use.
Since December 2017, not a single person or entity has ever fallen for a deceptive URL or website when protected by MetaCert's Zero Trust URL & Web Access Authentication system. I've seen a few websites claim to offer a "Zero Trust" system to stop FluBot. Please make sure they have a partnership with MetaCert, because we've seen screenshots of our warning messages being promoted on SMS Firewall vendor websites without attribution.
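The two defaults the letter contrasts, "safe until confirmed dangerous" (a licensed threat feed) and the Zero Trust inversion proposed here ("unverified until the domain is known"), side by side as an added illustration; this is not MetaCert's code or system. Every domain, feed entry and message is constructed, and the public-suffix handling is a deliberately simplified assumption.

```python
import re
from urllib.parse import urlparse

# Constructed sample data for the illustration (not real indicators or feeds).
KNOWN_BAD = {"parcel-redelivery.example"}       # what a licensed "threat feed" would contain
VERIFIED = {"bank.example", "courier.example"}  # domains verified as belonging to real senders
TWO_LABEL_SUFFIXES = {"co.uk", "com.au"}        # simplified public-suffix handling (assumption)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(url: str) -> str:
    """Return the registrable domain of a URL, e.g. 'bank.example' or 'bank.co.uk'."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def blocklist_verdict(url: str) -> str:
    """Industry default: a URL is allowed until someone has classified it as dangerous."""
    return "block" if registrable_domain(url) in KNOWN_BAD else "allow"


def zero_trust_verdict(url: str) -> str:
    """Inverse default: only URLs on a verified domain pass; everything else is unverified."""
    return "allow" if registrable_domain(url) in VERIFIED else "warn"


def triage_sms(text: str) -> list:
    """Extract URLs from an SMS body and return (url, feed verdict, zero-trust verdict) tuples."""
    urls = [u.rstrip(".,;:!?)") for u in URL_RE.findall(text)]  # drop trailing punctuation
    return [(u, blocklist_verdict(u), zero_trust_verdict(u)) for u in urls]


# Constructed messages: a genuine alert, a lookalike on a brand-new domain, and an old feed hit.
SAMPLE_SMS = [
    "Your card is ready. Manage it at https://bank.example/cards.",
    "Unusual login detected, verify now: http://bank.example.account-check.example/login",
    "Missed delivery, reschedule at https://parcel-redelivery.example/track",
]

if __name__ == "__main__":
    for sms in SAMPLE_SMS:
        for url, feed, zt in triage_sms(sms):
            print(f"feed={feed:5} zero_trust={zt:5} {url}")
```

The second message shows the gap the letter describes: a brand-new lookalike domain is allowed by the feed and flagged by the allowlist. A real deployment would also have to decide how to treat URL shorteners, which this allowlist would flag as unverified unless the shortener's domain is itself verified.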
More trust in SMS = more revenue
We can turn SMS into the single most trusted channel for delivering marketing messages and alerts, if we adopt a Zero Trust strategy. We can easily demonstrate to the banking industry amongst others, how we can dramatically increase conversion rates so they can build better relationships and trust with their customers.
If subscribers know they can open any link in any text message and never worry about what's on the other end, they're more likely to open more messages. More messages being opened, means... you get the picture.
We proved this strategy to be true with our Slack security integration for the crypto ecosystem, globally. Just ask any crypto company that has been around since before 2017 what they think of MetaCert. We turned it from the least secure place for crypto communities, to the safest place. And it happened almost overnight. It'll be much easier to do this for SMS.
With the help of a regulator, we're about to engage with the banking industry inside one European country to help them see what we see - I'd like to encourage one or two banks to dramatically step up their SMS campaigns post security implementation to test our bold assertions. And we can then publish a report for all other banks and other industries to see.
Save time, money and energy
- Save time and money supporting a service for subscribers to forward suspicious messages/links to a short code (it doesn't add any value anyway). MetaCert can provide a simple automated service that requires little human interaction from our end.
- Save time and money on anti-fraud campaigns.
- Save time and money on fielding questions and concerns from the media.
- Make the regulators happy with self-regulation that works.
Meet Zero Trust SMS
The demo below shows how it works from the viewpoint of a criminal, and of your subscribers.
Don’t get left behind
In the past 10 weeks, MetaCert has signed up 4 SMS Firewall vendors as strategic partners, and 10 carriers have registered their interest. Of those 10, 1 agreed to start a trial and the rest are expected to request a trial.
"Wow! This is the only way to stop scams on our network"
Everyone who sees a virtual demo
Even if you believe FluBot or future malware variants won't be downloaded by anyone on your network, adding a subscriber-focused security solution can only benefit you whenever people need help to spot a new scam.
Please feel free to get in touch by way of a LinkedIn connection request, or email me directly at [email protected]. Learn more about the journey that took me here.
I look forward to hearing from you soon.
Paul
MetaCert CEO
Reply from a reader (Offensive security at Hubspot), 3 years ago:
Hi Paul, interesting approach to this. Just out of personal interest, may I ask how the filter works in the case of legitimate shortened URLs used by the likes of Amazon, DHL, etc.?