Mobile devices are an inseparable part of the modern cybercrime ecosystem. From ATM skimmers with SMS notification next to fake antivirus scanners for Android users, the growth of the mobile malware segment is pretty evident.
In this post I’ll profile a recently spamvertised managed SMS flooding service, in the context of E-banking fraud, and just how exactly are cybercriminals using the service as a way to evade detection of their fraudulent transactions.
Screenshot of the SMS flooding advertisement:
The ad offers SMS flooding service covering all countries. The prices? 500 SMSs cost 40 rubles ($1.21), 1000 SMSs cost 80 rubles ($2.43), and 10,000 SMSs cost 700 rubles ($21.29). The service offers a test with 50 SMSs, and reserves the right to offer services to users requesting more than 10,000 SMSs.
Although modern crimeware successfully undermines the effectiveness of two-factor authentication and SMS authorization, next to crimeware variants modifying the actual balance of the affected victim, certain financial institutions offer SMS alerts to customers who inquire about the service. What exactly does the service do? Basically it sends a SMS to the owner of the bank account every time money comes in and goes out of this account depending on the user’s preferences. In this way, if a customer becomes a victim of financial crime, they can immediately alert their bank for the fraudulent transactions.
Naturally, cybercriminals quickly adapted to the new service. From professional social engineering attempts aiming to trick a financial institution into changing the default mobile number of the account owner to a mobile number located within the same country, but operated by the cybercriminal — renting mobile phone numbers for committing cybercrime is available as a service — to launching a DoS (Denial of Service) attack against the mobile device of the account owner in an attempt to prevent him from successfully reading the SMS notification alerting him of the fraudulent transaction, cybercriminals can be pretty creative when it comes to bypassing this value-added feature.
This is exactly what the SMS flooding service is all about. Next to launching random SMS flooding attacks at a particular number in an attempt to disrupt a competing firm’s mobile communications with its potential clients just like DDoS attacks do, the service also has the capability to assist in a situation where a cybercriminal is about to transfer money out of the compromised account, but wants to prevent its owner from receiving a SMS notification of the fraudulent transaction. By sending thousands of SMS messages in the exact same time when the fraudulent transaction will trigger a SMS notification, the cybercriminal increases the average time for a successful detection of the account’s compromise, since its owner would miss the SMS notification sent from the bank in between sorting out the thousands of SMS messages received.
We predict that just like MMS, Bluetooth and SMS spamming services, SMS flooding service will gain even more popularity in the long term as a way to assist a cybercriminal on his way to hide a fraudulent transaction.