Mobile industry detects new frauds, attacks

The wave of criminal attacks on the telecommunications industry appears not to be abating as new modes of fraud have emerged.
Executive Secretary, East African Communications Organisation (EACO), Dr Ally Simba (left); Permanent Secretary, African Telecommunications Regulators Network (ARTAC), Otye Bernice; Executive Secretary, Communications Regulators’ Association of Southern Africa (CRASA), Bridget Linzie; and Executive Secretary, West African Telecommunications Regulators Assembly (WATRA), Aliyu Aboki, at the International Telecommunications Union’s Global Symposium for Regulators 2024 (ITU GSR-4), in Kampala, Uganda.

Smartphone adoption reaches 6.7 billion people globally


The GSMA, which revealed this, noted that securing mobile infrastructure, devices, services and customers is an evolving activity, as threat actors constantly re-invent previous attack techniques and develop new ones.

According to the body, repackaged and re-imagined attacks seek to build on previous attacks though disguised in new ways, stressing that they either fraudulently use mobile services or defraud mobile customers directly.

It noted that extensive measures are employed to limit the customer impact of fraud and avoid a negative impact on mobile operators’ reputations. These new threats include Artificial Inflation of Traffic, flash SMS, Quishing, the Qakbot banking Trojan and Vendor Email Compromise, among others.

GSMA explained that Artificial Inflation of Traffic is a type of SMS fraud seeking to generate high volumes of fake traffic via mobile applications or websites and then profit from higher revenue from the artificially generated SMS traffic. For example, the telecoms body said the fraudster exploits application-to-person (A2P) SMS verification, where a one-time password is sent to verify users’ phone numbers during the registration process, then takes a share of the profits from the traffic, while the enterprise incurs inflated A2P SMS costs without added value.
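The AIT pattern described above (OTP verification messages pumped at many near-sequential numbers in one range) leaves a distinctive trace in an enterprise's own OTP-send logs. The following detector is an added example, not GSMA's code or any operator's: it runs over a constructed sample log, flags number ranges that receive OTPs to many distinct, consecutive destinations inside a short window, and exposes a policy hook that holds further OTP sends to a flagged range. Thresholds, the log layout and the sample numbers are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample OTP-send log: (ISO timestamp, destination MSISDN, requesting client IP).
# Six requests hit consecutive numbers in one range within two minutes; three are ordinary sign-ups.
SAMPLE_LOG = [
    ("2024-07-01T10:00:00", "+2348031000001", "203.0.113.5"),
    ("2024-07-01T10:00:12", "+2348031000002", "203.0.113.5"),
    ("2024-07-01T10:00:25", "+2348031000003", "203.0.113.5"),
    ("2024-07-01T10:00:40", "+2348031000004", "203.0.113.5"),
    ("2024-07-01T10:01:02", "+2348031000005", "203.0.113.5"),
    ("2024-07-01T10:01:30", "+2348031000006", "203.0.113.5"),
    ("2024-07-01T10:00:05", "+2348059876543", "198.51.100.7"),
    ("2024-07-01T10:03:00", "+2347012345678", "198.51.100.9"),
    ("2024-07-01T10:04:10", "+2348021112233", "192.0.2.44"),
]

def detect_ait(log, prefix_len=9, window=timedelta(minutes=5), min_distinct=5, max_step=10):
    """Group OTP sends by number prefix (assumed range granularity) and alert on ranges that
    receive OTPs to many distinct, near-sequential numbers in one window: organic sign-ups do
    not walk through a number block in order, pumped traffic does."""
    by_prefix = defaultdict(list)
    for ts, msisdn, ip in log:
        digits = msisdn.lstrip("+")
        by_prefix[digits[:prefix_len]].append((datetime.fromisoformat(ts), int(digits), ip))
    alerts = []
    for prefix, events in by_prefix.items():
        events.sort()  # chronological; tuples compare by timestamp first
        for i, (start, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            numbers = sorted({n for _, n, _ in in_window})
            if len(numbers) < min_distinct:
                continue
            steps = [b - a for a, b in zip(numbers, numbers[1:])]
            if median(steps) <= max_step:  # destinations are (nearly) consecutive
                alerts.append({"prefix": prefix, "distinct_numbers": len(numbers),
                               "client_ips": sorted({ip for _, _, ip in in_window}),
                               "first": start.isoformat(), "last": in_window[-1][0].isoformat()})
                break  # one alert per range is enough to trigger throttling
    return alerts

def otp_send_allowed(msisdn, alerts):
    """Policy hook: hold OTP delivery for any destination inside a flagged range."""
    digits = msisdn.lstrip("+")
    return not any(digits.startswith(a["prefix"]) for a in alerts)

if __name__ == "__main__":
    for alert in detect_ait(SAMPLE_LOG):
        print(alert)
```

In production the same check would run over the real OTP gateway log and feed the result into the verification service's rate limiter rather than a print loop.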

It explained that an SMS text blast sends a message to a large group of people simultaneously. However, relatively low-cost, portable and easy-to-use fake mobile base transceiver stations (SMS blasters) can be put to fraudulent use.

According to GSMA, these have been more traditionally used as IMSI catchers to spam mobile phones located within the transceiver’s radio coverage area with fraudulent SMS messages.

The body stressed that the relatively low level of technical skill involved in the use of these SMS Blaster devices has resulted in increased deployment of this attack type.

GSMA said a ‘flash SMS’ is a special type of text message that displays immediately on the mobile phone screen without the user having to take any action to read it, even if the screen is locked. It stressed that a flash SMS also does not leave a record on the customer’s phone, that is, it is not visible in the SMS inbox.

It said whilst there are legitimate uses for flash SMS messages, they can also be used as part of a fraud attack as a ‘convincer’ aimed at fooling the mobile user into undertaking an action to further an ongoing scam.

Speaking on Quishing, GSMA said this is a combination of quick response (QR) code and phishing, an attack technique that leverages QR codes to mislead users into interacting with malicious digital content.

“When a user scans a malicious QR code, it typically redirects them to an attack website, which may deploy malware or solicit log-in or personal information. When contained within an email, Quishing can be effective, as QR codes may not be scanned by traditional email security controls,” it noted.

The GSMA has previously reported on flubot attacks, often observed as blended attacks combining smishing and voicemail lures, with banking malware injects.

However, it said the ‘lures’ have been frequently framed in a message relating to a fake parcel or package delivery. It said although some of the original flubot infrastructure has been taken down, the attack approach appears to have been re-invented on new infrastructure using new fraudulent messages. It said, for example, these messages might impersonate family members asking for money or be framed as a Ramadan Competition on WhatsApp.

Another fraud is the Qakbot banking trojan malware, which was primarily spread through phishing emails and malicious attachments. It was reported that Qakbot has now started using OneNote.

The GSMA report also informed of Vendor Email Compromise (VEC), which is a type of phishing attack where an attacker gains access to a vendor’s business service account and then uses that account to spread malicious emails to the vendor’s customers.

Accordingly, VEC can target entire supply chains by hijacking email accounts belonging to vendor employees; setting forwarding rules or monitoring the inbox; creating a spoofed domain resembling the vendor’s; sending well-timed messages to the vendor’s customers requesting changes to payment details; and using Office 365 tools to enhance the look and feel.

Reportedly, attackers have used VEC to spread phishing sites and to appear as legitimate as possible. Malicious emails were sent to multiple recipients, who appear to be customers or prospects of the company, and thus they are more likely to trust compromised emails from the vendor.

Analytically, GSMA noted that the re-invention and repackaging of previously observed attack types mean constant vigilance is required to respond to these new indicators of compromise (IoCs).

The GSMA said its Telecommunications Information Sharing and Analysis Center (T-ISAC) community delivers a safe and secure platform on which to share new IoCs in real-time.

Amidst this development, the telecoms body said there are now more than 6.7 billion smartphones in use worldwide, with five per cent growth year-on-year. GSMA said the need for a strengthened mobile application security posture is more evident than ever.

“When consumers purchase a new smartphone, many consider security, privacy and data protection. Overall smartphone security can be considered as a combination of the security of the operating system, the device platform and interfaces, the security of installed software, mobile network security services and the user actions in operating the device,” it stated.

According to Statista, the number of smartphone users in Nigeria, Africa’s largest economy and most populous country, is forecasted to grow to more than 140 million by 2025, amounting to 66 per cent smartphone penetration.

However, GSMA noted that smartphones typically run both pre-installed and user-loaded applications, saying software application security is therefore an important factor in the overall secure operation of the device.

According to it, smartphones usually contain up to four types of apps: pre-installed system-permission apps, which cannot be uninstalled by the device user; pre-installed non-system-permission apps, which can be uninstalled by the device user; device user apps installed from a controlled source (e.g., the App Store or Google Play); and device user apps ‘sideloaded’ directly onto the device.

GSMA revealed that Google evaluated apps on the Google Play Store and estimated that less than one per cent of all downloads from Google Play are potentially harmful applications (PHAs).

It disclosed that one way in which bad actors attempt to circumvent Google Play’s security controls is through versioning. It said versioning occurs when a developer releases an initial version of an app on the Google Play Store that appears legitimate, but later an update is pushed from an attacker-controlled server, changing the code on the user device that enables malicious activity.
