May 7, 2012Dancho Danchev By Dancho Danchev

Managed SMS spamming services going mainstream

Are you receiving SMS spam? According to the latest reports, millions of mobile users do.

The trend is largely driven by what Webroot is observing as an increase in underground market propositions offering managed SMS spamming services to new market entrants not interested in building and maintaining the spamming infrastructure on their own.

In this post, I’ll profile a recently advertised managed service offering SMS spamming capabilities to potential customers, discuss the latest innovations in this field, their impact to mobile security, and what are some of the key factors contributing to the growth of SMS spam.

More details:

The service is currently offering the following features to new market entrants into the area of mobile spam:

  • Managed SMS spamming using the customer’s database of mobile numbers
  • Managed SMS spamming using a specific mobile number range
  • Managed SMS spamming based on a specific carrier
  • Managed SMS Spamming based on a specific city
  • Managed SMS Spamming based on a specific country

These unique features offer cybercriminals the ability to better tailor their market proposition to unaware customers, potentially exposing them to scams and mobile malware attacks.

What’s also available in the service proposition, is the ability to choose a custom text message, next to the option to spoof the number of the sender to any given number. Clearly, this has been introduced with the idea to prevent affected users from blocking SMS messages from a single number.

What about the price? For up to 10,000 SMS messages, the price is 0.34 rubles ($.01 USD) per SMS, from 10,000 to 35,000 messages, the price per SMS is 0.29 rubles( $.01 USD) per SMS, from 35,000 to 100,000 the price per SMS is 0.25 ($.01 USD) rubles, and for any orders above 100,000 SMS messages, the price is 0.20 rubles ( $.01 USD) per SMS.

Let’s review some of key factors contributing to the growth of SMS spam.

Sample screenshots of DIY (do-it-yourself) SMS spammers currently available for sale:

Key factors affecting the growth of SMS spamming:

  • Managed SMS spamming services proliferating – Webroot is currently aware of several services offering managed SMS spam service, with that number increasing if we take into consideration the number of managed services advertised around cybercrime-friendly web forums, that don’t necessarily have a dedicated web site advertising their market propositions. Thanks to the increased demand for such services, mobile spammers are prone to continue supply new and diversified market propositions to new market entrants.
  • DIY SMS spammers available for download – Another segment within the mobile spam market, is the overall availability of DIY (do-it-yourself) SMS spammers. For the time being, the majority of these only affect Russian and Eastern European carriers, and primarily take advantage of the carriers’ Mail2SMS feature. For instance, if enabled, the user can receive emails in the form of SMS messages, once a service, or an individual sends an email to the following address – Although for the time being, the majority of DIY SMS spam tools rely on  the Mail2SMS feature, there are exceptions taking advantage of API keys issued by managed SMS spam providers allowing them easy access to a dedicated SMS gateway allowing them to send spoofed SMS messages internationally.
  • Harvested databases of active mobile numbers per country, city, mobile carrier offered for sale – Taking into consideration the fact that the service profiled in this post offers the opportunity to send SMS spam messages on a per country, city, and mobile carrier basis, a logical question emerges. How did they manage to build their database of mobile numbers, and segment them so that marketing-savvy cybercriminals can abuse them at a later stage? Affected users often leave their mobile numbers in order to access content found in spam and phishing emails. By doing so, they allow cybercriminals the opportunity to collect, store and resell these numers at a later stage. The geolocation process takes place either automatically based on freely available information for a particular prefix, or manually, by having end users enter their city, country and  carrier into the spammer’s database. Another popular technique that mobile spammers use is to collect mobile numbers from freely available free international SMS sending services, which secretly collect all the data that passes by their interface in an attempt to monetize the traffic by reselling the numbers to spammers at a later stage.

What are some of the latest innovations in the field of mobile SMS spam? Based on a comparative review of several managed SMS spamming providers, all of them are interested in vertically integrating by offering  managed MMS spamming feature, next to managed Bluetooth spamming. As far as MMS spamming is concerned, not only does the feature offer interactivity for the spammers’ message, it also allows  them to efficiently spamvertise malicious Java applications to millions of end and corporate users whose mobile number has been somehow exposed, and is now in the hands of mobile spammers.

Webroot predicts that we’ll soon witness a mass spamvertised MMS campaign containing mobile malware, including localized messages to the native language of the prospective recipients thanks to the availability of managed localization and proofreading services within the cybercrime ecosystem.

With these ‘turn-key’ cybercrime-friendly solutions freely available within the cybercrime ecosystem, we also predict an increase in SMS spam hitting end and corporate users across multiple market verticals.

If you’re one of the unlucky individuals that receives these spam messages, do NOT interact with them, even if they offer you the opportunity to unsubscribe. Much like email spam, unsubscribing will only end up confirming that your mobile number is valid.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on  Twitter.

Share Button

Hello, there are some tools, that help you stop SMS Spam, i’d like it.

To block unwanted spam messages:

Install Jalapeno Antispam on your smartphone. It will monitor all incoming messages.

Mark unwanted messages as spam. You will not receive messages from this sender nor same message from other senders.

After reaching a certain limit of complaints from other users, a message will be black-listed on the server to prevent all Jalapeno Antispam users from receiving it.


  1. […] obtained database consisting of 98,000 fax numbers. This and the recently exposed capability of managed MMS spam sending, indicate the vendor’s ongoing customerization of  their business […]

  2. […] predict that just like MMS, Bluetooth and SMS spamming services, SMS flooding service will gain even more popularity in the long term as a way to assist a […]

  3. […] SMS spam, they will also sell access to the database, which will be later on incorporated in managed SMS spam service, offering the ability to send SMS spam using an already harvested database of mobile […]

  4. […] driven by a widespread adoption of growth and efficiency oriented strategies applied by cybercriminals within the entire spectrum of the cybercrime ecosystem, we’ve […]

  5. […] driven by a widespread adoption of growth and efficiency oriented strategies applied by cybercriminals within the entire spectrum of the cybercrime ecosystem, we’ve […]

  6. […] Managed SMS spamming services going mainstream – Have you received SMS spam recently? You’re not the only one. Thanks to managed SMS spamming services available at selected cybercrime-friendly online communities, cybercriminals now have access to millions of verified phone numbers, segmented on a per country/per city basis, allowing them to better tailor their fraudulent, or purely malicious campaign, in a cost-effective manner. What’s worth emphasizing on this emerging market segment is that cybercriminals are already capable of spamvertising malicious MMS attachments to prospective victims of their malicious/fraudulent campaigns. By ensuring that their campaigns possess valid mobile phone numbers before spamvertising them, it’s only a matter of time before we start intercepting malicious campaigns containing legitimately looking messages, and that also includes the attachments. […]

  7. […] a good reason not to connect to the public Web with your phone? Wonder where all that SMS spam is coming from? Keep […]

  8. […] software updates from the wireless provider. Add this to the ever-growing threat of mobile malware, mobile SMS spamming, and a DIY phone number harvesting tool, it’s easy to see how our mobile devices are the most […]

  9. […] in mind. These verified databases will be later on used as the foundation for a highly successful spam/scam/malicious software disseminating campaigns, thanks to the fact that the cybercriminals behind them will no longer be shooting into the […]

  10. […] SMS spam, they will also sell access to the database, which will be later on incorporated in managed SMS spam service, offering the ability to send SMS spam using an already harvested database of mobile […]

  11. […] Thanks to the easy to obtain premium rate phone numbers, scammers continue actively looking for new ways to monetize content that’s often available for free. Users are advised to avoid interacting with such services, as next to selling publicly obtainable software, they often harvest and resell the mobile phone numbers to vendors of managed SMS spam services. […]

  12. […] The application called “Will you win?” in Japanese, steals contact details, as well as the phone number of the malware. Why would a malware author want to collect the phone numbers of already infected devices? Pretty simple. The malware author is busy building a database of mobile phone numbers to be later on offered as a service to prospective SMS spammers. […]

  13. […] what would be the market trending tactic of choice for cybercriminals? It’s outsourcing to a vendor of managed SMS spam services, which would result in a higher quality standard applied to the campaign, as well as a […]

  14. […] number harvesting application, a common tool in the arsenal of mobile spammers, as well as vendors of mobile spam services. Since the practice is an inseparable part of the mobile spamming process, cybercriminals […]

  15. […] May of 2012, we highlighted the increasing public availability of managed SMS spam services that can send hundreds of thousands of SMS messages across multiple verticals. These services […]

  16. […] of months ago researcher Dancho Danchev already remarked the increasing public availability of managed SMS spam services,  these services could be used by criminals to send hundreds of thousands of SMS messages. The […]