20.5k unique visitors in the last 3 days

New Zealand Finds First SMS Blaster Bank Smishing Fraud

The authorities were coy about how many victims may have received smishing messages.

New Zealand Police released images on Thursday of an SMS blaster they reportedly seized in August. The associated press release stated this crimeware had never been seen in New Zealand before. The use of the SMS blaster was first identified by noticing mismatches between the SMS scams notified by the public to the 7726 national reporting number and the SMS traffic conveyed by actual networks. The authorities subsequently executed a search warrant at a home in central Auckland where they found the SMS blaster and arrested a 19 year old man. The teenager has been charged with interfering with a computer system and has a court hearing scheduled for December 10.

There was little information in the press release, but the photographs (pictured below) suggest the SMS blaster was found in the back of a car.

Nothing was said about the teenager having a car, where that car was driven, or over how long a period the SMS blaster was in use. It is likely that the authorities do not really know how many people received smishing messages from this device. The criminal advantage in using a portable radio device to connect directly to a victim’s phone is that it circumvents any form of monitoring that would occur if communications involved the use of an operator’s network. The real goal of the police announcement is to allay the public’s fear without admitting that neither law enforcement agencies nor network operators are capable of proactively detecting SMS blasters. The press releases states almost 120 phone users in New Zealand were ‘affected’ by this device sending smishing messages that contained links to a bogus bank website. That represents the minimum, not the maximum number of potential victims, some of whom may not have been identified. The most important takeaway is that New Zealand’s authorities needed the public to blow the whistle on the suspicious SMS messages sent by SMS blasters because nobody in the police or private sector would otherwise learn of them.

Years have passed since Commsrisk started warning about the inevitable spread of mobile radio devices being used as simple fake base stations to send thousands of scam SMS messages. The threat was not taken seriously by most countries despite the extent to which the authorities in East Asian countries were already ramping up resources dedicated to locating SMS blasters. One reason to ignore the threat was that fraudsters will use cheaper methods to send scam SMS messages in bulk if they can. It should have been predictable that the progressive enforcement of tougher controls over A2P SMS and P2P SMS would prompt criminals to execute workarounds using widely-advertised technology which bypasses mobile networks entirely. Bank frauds are lucrative; employing teenagers to drive around SMS blasters is cheap in comparison.

I grit my teeth whenever I see another example of this trend where a new country says it has found its first SMS blaster, and how this supposedly shows that cooperation between police and the private sector is effective. It rather suggests complacency. Finding one SMS blaster is better than finding none, but finding a single SMS blaster tells us nothing about how long it was in use before it was detected, or how many other SMS blasters may currently be in use. Current methods of identifying smishing scams effected by SMS blasters are haphazard, patchy and cumbersome. Some countries may be trying to reassure the public after finding their first SMS blaster, but there will be many more in circulation around the criminal underworld that have not been found yet. If SMS blasters have been used for smishing frauds in countries like Norway and New Zealand then it is hard to believe that international criminal syndicates have not tried to use the same cheap technology in much bigger countries like the USA or Japan, neither of which has reported the use of an SMS blaster yet.

Eric Priezkalns
Eric Priezkalnshttp://revenueprotect.com

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.

Related Articles

The Commsrisk Global Fraud Dashboard


Our Global Fraud Dashboard uses AI-powered search to collate, update and visualize data about scams and other network abuses from around the world. New charts are added each month. See it here.

Get Our Weekly Newsletter by Email