Manila Bulletin

Cybercriminals impersonate trusted brands in text messages

- ART H. SAMANIEGO, JR.

Cybercriminals are disguising themselves as trusted message senders by manipulating the sender ID on text messages, making it appear that the messages are from legitimate companies. The sender ID is what your device shows as the message’s source. It is supposed to represent the organization or individual that sent the message. When you open an SMS or text, it is the sender's name that appears at the top of the message instead of the number.

The sender ID is used to validate the sender’s identity for an electronic message, such as a text message. While it’s a way to identify phishing and spam messages that can lead to fraud and malware distribution, cybercriminals have found ways to manipulate it by impersonating the sender ID of a legitimate organization or person. This deceptive tactic can easily mislead people into believing they are interacting with a legitimate source, putting their personal information at grave risk.

Since cybercriminals have recently been using the Globe sender ID to defraud people, I asked Anton Bonifacio, Chief Information Security Officer of Globe Telecoms, for clarification. Anton shed light on how this technology is being exploited.

Anton said cybercriminals exploit vulnerabilities in the 2G (second-generation cellular technology) network to impersonate legitimate message senders. These vulnerabilities stem from the 2G network’s outdated encryption methods and failure to ensure mutual authentication between mobile phones and cell towers. “The problem is, there is no option to turn off the 2G network in your devices,” Anton explained.

The encryption used in the 2G network is no longer considered secure, making it relatively easy for attackers to intercept and decrypt messages. However, telcos cannot yet switch off the 2G networks, as many still use them for their legacy solutions. Additionally, the 2G GSM network only verifies the identity of the mobile phone user, not the cell tower, which allows criminals to create fake base stations, known as “Stingray” devices or IMSI catchers. These devices deceive phones into connecting to them as if they were legitimate network towers, enabling attackers to intercept communications and even send fraudulent messages.

IMSI catchers trick nearby mobile phones into connecting with them instead of legitimate cell towers. Since they operate outside the official cellular network, telecom providers’ normal security measures are bypassed. This means filtering of suspicious links is ineffective.

Anton further explained, “The primary function of an IMSI catcher is to imitate the behavior of a cell phone tower. It tricks nearby mobile devices into connecting to it, assuming it's a legitimate base station. Once a phone connects to the IMSI catcher, it requests the International Mobile Subscriber Identity (IMSI), a distinctive identifier that wireless networks use for authentication. By intercepting information transmitted between the user's device and the network, the IMSI catcher can identify individual users based on their IMSI numbers.”

“The IMSI catcher disrupts existing cellular networks by jamming their signals. It then spoofs signals to mimic a legitimate cell tower, enticing nearby phones to connect. The IMSI catcher intercepts phone numbers, call data, text messages, and other information transmitted between the user's device and the network. By decrypting this data, it identifies users by their unique IMSI numbers,” he added.

Anton notes that IMSI catchers were historically used for political purposes but have now been used by cybercriminals to scam people. He explains that Globe Telecom has implemented various security measures, including refraining from putting links in official messages, but ultimately, tackling this issue requires government intervention.

Anton stresses the need for law enforcement agencies, such as the Philippine National Police (PNP), National Bureau of Investigation (NBI), or Cybercrime Investigation and Coordinating Center (CICC), to take action against the criminal groups deploying these illegal devices. He also suggests stricter importation and assembly controls for IMSI catcher components to curb availability.

Until a more comprehensive solution is established, it’s essential to adopt certain precautions. First, stay vigilant and scrutinize messages carefully, even those seemingly from familiar sources, as they may still pose risks. Second, refrain from clicking on links in unsolicited text messages to mitigate the potential threat of phishing or malware attacks. Lastly, if there's any doubt about the legitimacy of a message, contact the sender directly through their official channels to verify that the communication is authentic. These measures can help mitigate the risks associated with fraudulent or malicious messages until more safeguards are in place.
