An Open Letter to Mobile Operators: How to Stop FluBot and other SMS Phishing Attacks

Dear Operator,

Mobile malware isn’t new but hackers have now realized how easy it has become to deliver mobile malware, spyware and banking trojans via SMS phishing URLs. If you think FluBot is bad, I’m sorry but life is going to get much worse unless we implement the right type of solution.

After polluting the world with COVID-19 and other forms of SMS scams, hackers discovered that “cybersecurity” companies don’t offer products and services for SMS. There are lots of consumer apps, but none of them can stop new deceptive URLs inside SMS messages.

As I’m sure you’re aware, SMS Firewalls are designed to help MNOs gain insight into, and protection for, SMS traffic and revenue. But what you don’t know is that while they block over 95% of “SPAM”, they’re not cybersecurity firewalls, and they do absolutely nothing to stop FluBot or other SMS-led phishing attacks. In fact, I’ve tested every MNO in the UK and not one stopped a single message with a known phishing URL.

After leading some notable projects in the mobile space, I came to understand and appreciate your commercial considerations, infrastructure, and business processes. I empathize with your current situation because mobile malware being delivered via SMS phishing URLs was extremely rare before now.

Now that it’s obvious to hackers that no MNO in the world can stop a single message with a new deceptive URL before maximum harm has been done, they’re likely to come at you with more of the same. Moreover, they’re more likely to use SMS-led phishing campaigns to target your business and enterprise customers’ networks and their customer data. It’s no longer just about “subscribers”. The perception that this is a consumer problem is wrong. It’s everyone’s problem now.

Proofpoint is the Goliath of anti-phishing security for email. They published a very comprehensive analysis on the entire FluBot situation here — it’s an incredibly helpful report for non-technical management as well as engineers, and is referenced by other security vendors and many media outlets.

In conclusion, Proofpoint’s advice for stopping FluBot is:

  • “Be wary of unexpected SMS messages”
  • “Use antivirus for mobile devices”
  • “Don’t open suspicious links”
  • “Avoid shady apps”
  • “Don’t give apps unnecessary permissions”

F-Secure: “Don’t click!”

Malwarebytes: “Install anti-virus software”

Sophos

After a thorough search online, I found that everyone seems to have the same advice:

  • Media: “subscribers should avoid opening links from people they don’t know”
  • Industry analysts: “subscribers should avoid opening links from people…”
  • Security vendors: “subscribers should avoid opening links…”
  • Brands: “subscribers should avoid opening links…”
  • Banks: “subscribers should avoid…”
  • Operators: “subscribers should avoid…”

In the context of FluBot and phishing URLs, there are two types of vendors in the cybersecurity industry:

  1. Vendors who own a threat intelligence system — such as Google, Cisco, Akamai, Mimecast, Webroot, MetaCert, Symantec and Microsoft. More vendors exist, but it’s a very small list. These vendors also offer products and services.
  2. All other security vendors license “threat feeds” (URL blocklists) from the vendors above. Leading anti-phishing vendors integrate more than one feed in an attempt to block as many known dangerous URLs as possible.

  1. Criminals are finished with a deceptive URL as soon as enough people have fallen for it. For SMS, that’s about 3 minutes.
  2. Leading vendors need 2 to 3 days to investigate and classify new suspicious URLs as dangerous.
  3. If you’re exceptionally lucky, you can have a phishing site taken down after 24 hours.

Similar to the concept of single-use water bottles, deceptive URLs are typically used for a single campaign or targeted attack. Even if we could block a new UNKNOWN dangerous URL in 5 minutes, maximum damage has already been caused.

I had some people run tests across every operator in the UK in June 2020 because SMS scams seem to be rampant there — not one of them stopped a single message with a deceptive URL. So, testing a new solution will be quick and easy — send a message with a new deceptive URL to yourself on your own network.

Grab a URL at the top of the search list on PhishTank and send it to yourself in a message. When your SMS spam filter doesn’t stop it, you’ll know it’s time to get anti-phishing security. Remember, while good spam filters block more than 95% of spam, they block zero messages with new phishing URLs. Blocking phishing URLs that hackers no longer care about doesn’t count as meaningful security.

The journey that led hackers to SMS

When MetaCert built the first patented in-app security integration for mobile apps, few people even knew what a WebView was. Aside from us, nobody thought in-app security was a problem. Today, it’s obvious that opening links inside an app is a potential threat, and leading mobile security vendors now provide solutions to tackle it.

When MetaCert built the first patented security integration for Slack (as well as HipChat, Skype and Messenger), nobody thought it was necessary because phishing attacks were never reported on Slack. I predicted it would become a problem because it didn’t take a rocket scientist to figure it out. Gartner analysts were skeptical whenever I met them in person, and security vendors thought it was a waste of time. Today, many leading security vendors provide anti-phishing security integrations for Slack, and Gartner has a “magic quadrant” for its favorite vendors.

After we killed the phishing epidemic on Slack for the cryptocurrency world in 2017, criminals quickly left and moved their campaigns to Telegram and Discord. MetaCert didn’t build security solutions for either of those platforms because we began to realize that being too early isn’t good for business. Today, criminals are happily walking away with hundreds of millions of dollars worth of crypto, while also targeting specific companies with spear phishing attacks that lead to major data breaches and the theft of customer data.

If anyone reading this letter would like to build a solution to stop phishing on Telegram or Discord, get in touch as we have an API to make it easy for you.

When MetaCert first brought SMS phishing to the attention of some mobile operators and SMS Firewall vendors, nobody cared enough to do anything about it. And it’s not like SMS scams haven’t plagued society for the past two years. Why now? Answer = FluBot. FluBot is infecting mobile devices with malware that’s more nefarious than anything I’ve seen before.

There’s no hiding from FluBot and it’s not going to stop unless something different is done to address it. But if history has taught us anything, it’s that criminals will stop targeting SMS as soon as it becomes prohibitively expensive for them. When we kill SMS scams, criminals will move to whatever platform offers the path of least resistance. Today, SMS is the easiest target I’ve ever seen:

  • 99% delivery rate
  • 95% open
  • Almost every victim opens within the first 3 minutes
  • Access to massive amounts of sensitive data on mobile devices
  • Mobile devices are used for 2FA
  • Easy to install banking trojans and spyware
  • Impossible for AI spam filters to differentiate between a phishing text and legitimate one
  • A mobile webpage is 10x quicker and easier to set up than a fake desktop website
  • Hackers know that there’s ZERO SECURITY for FluBot — that’s why they’re still using it in Europe.

Let’s try something different

I believe Internet security is flawed by design, so it’s time to redesign it.

The entire security industry continues to “assume every URL is safe… until confirmed as dangerous”, even though phishing was first discovered on the AOL network in 1995 and according to the FBI Threat Report, 2020 was the worst year in history for phishing, and the first quarter of 2021 is worse than Q4 2020. It’s getting worse and worse and worse and I don’t see any signs to suggest this trend is going to change in our lifetime.

While everything you read and hear will lead you to believe that today’s phishing attacks are more “sophisticated”, they’re not!

  • Email Phishing = deceptive URL
  • Slack Phishing = deceptive URL
  • In-app phishing = deceptive URL
  • Social media phishing = deceptive URL
  • SMS Phishing = deceptive URL

The FluBot malware itself is very very very sophisticated, but I personally don’t think about it because I’m focused on making sure people don’t open the URL that leads to the malware. A vaccine is better than a cure. Why spend massive amounts of time, energy and money on studying malware when we can stop the URL that’s used to download it?!

I see a world in which SMS messages are trusted and loved by everyone. This can happen if we make it easy for subscribers to spot a new scam in less than 3 seconds.

With my proposed Zero Trust approach, hackers won’t even get past their own personal test, no matter what phishing URL they use.

Since December 2017, not a single person or entity has ever fallen for a deceptive URL or website when protected by MetaCert’s Zero Trust URL & Web Access Authentication system. I’ve seen a few websites claim to offer a “Zero Trust” system to stop FluBot. Please make sure they have a partnership with MetaCert because we’ve seen screen shots of our warning messages being promoted on SMS Firewall vendor websites without attribution.
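As an added illustration (not MetaCert’s code, nor anything from the letter), the following Python simulates the two policies contrasted above and in the threat-feed discussion earlier: an allow-by-default blocklist that only learns a URL two days after it is first used, and a deny-by-default allowlist that warns on any host not verified in advance. The hosts, timestamps and SMS bodies are all constructed; the delays mirror the figures the letter quotes.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit
# Constructed figures: the delays mirror the ones the letter quotes.
T0 = datetime(2021, 5, 1, 9, 0)           # campaign start
FEED_DELAY = timedelta(days=2)            # "2 to 3 days to investigate and classify"
VICTIM_WINDOW = timedelta(minutes=3)      # "almost every victim opens within 3 minutes"
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)

def extract_hosts(sms_text):
    """Find every URL in an SMS body, with or without a scheme, as a lowercase host."""
    hosts = []
    for raw in URL_RE.findall(sms_text):
        url = raw if raw.lower().startswith(("http://", "https://")) else "http://" + raw
        hosts.append(urlsplit(url).hostname.lower())
    return hosts

def blocklist_verdict(host, now, feed):
    """Allow-by-default: block only once a threat feed has classified the host."""
    listed_at = feed.get(host)
    return "block" if listed_at is not None and listed_at <= now else "allow"

def zero_trust_verdict(host, now, verified):
    """Deny-by-default: only hosts verified in advance pass; unknown hosts get a warning."""
    return "allow" if host in verified else "warn"

def run_campaign(messages, verdict_fn, **context):
    """Apply a policy at the moment each victim opens the message and tally the outcome."""
    result = {"malicious": 0, "caught": 0, "false_warnings": 0}
    for sent_at, text, malicious in messages:
        verdicts = {verdict_fn(h, sent_at + VICTIM_WINDOW, **context) for h in extract_hosts(text)}
        flagged = bool(verdicts) and verdicts <= {"block", "warn"}
        if malicious:
            result["malicious"] += 1
            result["caught"] += int(flagged)
        elif flagged:
            result["false_warnings"] += 1
    return result
# Constructed carrier allowlist, threat feed and SMS traffic (all .example hosts).
VERIFIED = {"mybank.example", "parcel-carrier.example"}
FEED = {"parcel-carrier-track.example": T0 + FEED_DELAY,  # new URL, listed two days later
        "old-scam.example": T0 - timedelta(days=7)}       # burned URL, listed a week ago
MESSAGES = [
    (T0, "Your parcel is waiting: http://parcel-carrier-track.example/x7", True),
    (T0 + timedelta(minutes=1), "New voicemail: parcel-carrier-track.example/vm", True),
    (T0 + timedelta(minutes=2), "Pay the customs fee at old-scam.example/pay", True),
    (T0, "Your one-time code is 481922. Help: https://mybank.example/help", False),
]
if __name__ == "__main__":
    print("blocklist :", run_campaign(MESSAGES, blocklist_verdict, feed=FEED))
    print("zero trust:", run_campaign(MESSAGES, zero_trust_verdict, verified=VERIFIED))
```

The blocklist only stops the burned URL that criminals have already finished with, while the deny-by-default policy flags all three fresh URLs and still lets the verified bank message through.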

Meet the best-in-class security for SMS

The demo below shows how it works from the viewpoint of a criminal and of your subscribers.

In the past 8 weeks, MetaCert has signed up 3 SMS Firewall vendors as strategic partners, and 8 carriers have registered their interest. Of those 8, 1 has agreed to start a trial and the other 7 are expected to request one.

“Wow! This is the only way to stop scams on our network”

Everyone who sees a virtual demo

Even if you believe FluBot won’t be downloaded by anyone on your network, adding our subscriber-focused security can only benefit you whenever people need help to spot a new scam.

Please feel free to get in touch by way of a LinkedIn connection request, or email me directly at paul@metacert.com. Learn more about the journey that took me here.

I look forward to hearing from you soon.

Paul

MetaCert CEO

MetaCert CEO. Passionate about Cybersecurity, Blockchain, Crypto, Snowboarding & Red Wine. Part of the AOL team that launched AIM. Co-founded 2 W3C Standards.