How Vodafone and Three Can Protect Subscribers in Ireland From SMS Phishing Attacks Like FluBot

Paul Walsh
METACERT
Jul 5, 2021

Why?

I see a world in which SMS is the best way to deliver marketing campaigns and text alerts, so brands and banks can build better relationships with their customers. I also believe people have the right to feel safe and secure whenever they receive a message, no matter who it comes from, or what link it might contain.

For many, remote working has become the norm. This means business and enterprise customers are likely to appreciate operators who go the extra mile to protect their employees from future SMS-led attacks on their networks and customer data.

When I led technical and acceptance testing for numerous SMS, MMS and SS7 systems and applications for mobile operators during the 2000s, everyone felt safe, because they were. However, SMS is the least protected channel today, and our entire landscape has changed so much that I believe it’s time to question the status quo when it comes to cybersecurity.

My mum can easily spot an imposter at her front door in Wexford, Ireland. But when it comes to SMS messages, she makes decisions by either guessing or using her gut. In fact, this is what most people do. They will be either lucky or very, very wrong.

It’s time to try something different.

How subscribers can now avoid links from people they don’t know

By adopting a “Zero Trust” strategy for SMS, subscribers will feel safe every time they open a message with a link — no matter who it’s from or what the link does at the other end. They could literally open every link inside every message and they will never fall for a dangerous service, login page or download.

How it works

The real situation with SMS security in Ireland today

The Irish Times published an article called “FluBot seeks to steal financial data on Android phones” on 24th June 2021 (my birthday 🥳). If you care about SMS-led phishing, I urge you to read this article because it includes statements from Three and Vodafone — as quoted below.

MetaCert’s test results for SMS security in Ireland

MetaCert tested the security posture of Three and Vodafone in Ireland over the past few weeks. Before I provide the results, I should point out that while working for Eircell (Vodafone), I led technical and performance testing of the SMS infrastructure, implemented a major business process improvement initiative to centralize IT, and led an initiative to improve vendor selection and management. While working for O2 Products in the UK, I led technical and acceptance testing for the initial launch of the MMSC product in Ireland (as well as the UK, Holland and Germany).

I hope that by sharing my experience, I can show how much I understand and appreciate mobile operators’ infrastructure, business processes and commercial considerations.

  • 250 unique SMS messages sent to a subscriber number on each network
  • Each message contained a unique phishing URL — for emphasis — that’s 250 different dangerous URLs sent via 250 different SMS messages
  • 0 blocked

It’s NOT their fault

I’m not naming and shaming these companies. Quite the opposite — the test results are applicable to every mobile operator in every country in the world. Not a single operator has a security solution for SMS.

Contrary to what you might assume, SMS Firewalls are not “Firewalls” in the context of “cybersecurity”. Operators have SMS Firewalls to protect their network, traffic and revenue from SMS-related “SPAM”.

Why smishing has been a hard problem to solve until now

Every organization in the world must rely on technology, data, and services from the cybersecurity industry. The telco industry is no exception.

The cybersecurity industry, however, doesn’t even have a category for SMS, let alone a solution. This is why Proofpoint and the cybersecurity industry at large lack a solution, or even advice, for operators. Their advice is 100% focused on subscribers.

Proofpoint is the biggest anti-phishing security vendor in the world for email. Let’s see what they have to offer the telco industry:

FluBot is likely to continue to spread at a fairly rapid rate, moving methodically from country to country via a conscious effort by the threat actors.

As long as there are users willing to trust an unexpected SMS message and follow the threat actors’ provided instructions and prompts, campaigns such as these will be successful.

Proposed solution from Proofpoint:

To reduce your personal risk of becoming a victim of FluBot, Proofpoint recommends that all mobile users:

Be wary of unexpected SMS messages.

Refrain from installing applications outside of legitimate app stores.

Take the time to verify that the requested permissions make sense when you do install new apps.

If the cybersecurity industry doesn’t have a category for SMS, how are operators supposed to implement a solution that hasn’t been available until now?

Why SMS Firewalls are NOT the answer

Every major email provider has a SPAM filter, but nobody expects them to be an effective or reliable solution for phishing. That’s why we have a security category as described above, and even then anti-phishing security for email is not that reliable.

Email spam filters are effective at detecting spam because they use AI, ML and other tricks to detect signals attributed to spam inside the metadata and content. There’s more data to review inside an email than there is inside an SMS message. There are usually many links within a single phishing email too, which sometimes makes it possible to do URL inspection on the fly to check whether they all possess similar patterns.

Email phishing

SMS phishing

SMS messages contain a few words and a single link — making it mathematically impossible for any cybersecurity company to do URL-based inspection on the fly.

Look at the SMS message below. Is it from Three or is it from a team of hackers impersonating Three? Would you open this link? This is a real world example of a message sent to an Irish friend of mine, Paul Sweeney.

Hint:

  1. The URL doesn’t start with HTTPS (no encryption = don’t go there!)
  2. The sender uses 3ireland.ie instead of the “branded” three.ie
  3. When you tap the link, it doesn’t open because every browser blocks websites that don’t start with HTTPS. If you persevere and hit “Advanced” on the block page and click through to the “unsafe” website, it redirects to m.three.ie (NOT mobile.three.ie). The experience is different again when you follow the same link on a desktop computer.
  4. Getting confused? Me too and I’m one of the two people who co-instigated the W3C Standard for URL Classification. 🤪
  5. The sender doesn’t know if they should say “voicemail” or “voicemails”.
  6. There are grammatical errors — no space between the ‘.’ and “Keep”.

Let’s take a closer inspection to see what’s going on…

So, is this a safe, trusted SMS message, or will it infect your device with FluBot?

The answer

It’s a legitimate message, with numerous legitimate URLs.

How are subscribers supposed to know how to spot deceptive URLs from hackers if they look more trustworthy than legitimate ones?

In fact, if their SMS Firewall were doing a good-enough job at detecting phishing-like “signals”, this and every message like it would get blocked.
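The hints listed above, written as the kind of signal checks a content filter could apply, show why such a filter would block this legitimate message. This is an added example, not MetaCert's or any operator's code; the message text, the URL path, the brand-domain constant and the two-signal threshold are constructed assumptions.

```python
import re
from urllib.parse import urlparse

BRAND_DOMAIN = "three.ie"  # the "branded" domain named in hint 2

# Constructed sample modelled on the hints above; not the real message text.
SAMPLE_SMS = ("You have 1 new voicemails.Keep in touch with Three: "
              "http://3ireland.ie/example")

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def phishing_signals(text, brand_domain=BRAND_DOMAIN):
    """Return the hint-style signals that fire for one SMS body."""
    signals = []
    for url in URL_RE.findall(text):
        parts = urlparse(url)
        host = (parts.hostname or "").lower()
        if parts.scheme.lower() != "https":
            signals.append("no-https")  # hint 1
        if host != brand_domain and not host.endswith("." + brand_domain):
            signals.append("off-brand-domain")  # hint 2
    # Remove URLs so the dots inside them do not count as punctuation errors.
    prose = URL_RE.sub(" ", text)
    # Hint 6: sentence end followed directly by a capital letter.
    if re.search(r"[a-z][.!?][A-Z]", prose):
        signals.append("missing-space-after-period")
    # Hint 5: a count of 1 with a plural noun, or any other count with a singular.
    for count, noun in re.findall(r"\b(\d+)\s+new\s+(voicemails?)\b", prose, re.I):
        if (count == "1") == noun.lower().endswith("s"):
            signals.append("singular-plural-mismatch")
    return signals


def verdict(text, threshold=2):
    """Block when at least `threshold` signals fire (threshold is an assumption)."""
    return "block" if len(phishing_signals(text)) >= threshold else "deliver"


if __name__ == "__main__":
    print(phishing_signals(SAMPLE_SMS), verdict(SAMPLE_SMS))
```

Every signal here is a property of how the message was written and hosted, not of who sent it, which is why a legitimate operator message can trip all four.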

Again, subscribers are left to make decisions by either guessing or using their gut. They will be either lucky or very, very wrong.

So, whenever the industry tells subscribers to “avoid links from people you don’t know”, they’re actually telling everyone to avoid every message with a link. That’s exceptionally bad for SMS revenue — a pain point that will hit the pocket in the next year — WHEN SMS becomes the least trusted channel for communications of any kind.

If you enjoyed this article I’d appreciate you taking a look at my Open Letter to mobile operators as it’s gaining momentum inside the mobile industry right now.

Paul Walsh
METACERT

MetaCert CEO. Passionate about Cybersecurity, Blockchain, Crypto, Snowboarding & Red Wine. Part of the AOL team that launched AIM. Co-founded 2 W3C Standards.