New Zealand Police released images on Thursday of an SMS blaster they reportedly seized in August. The associated press release stated this crimeware had never been seen in New Zealand before. The use of the SMS blaster was first identified by noticing mismatches between the SMS scams notified by the public to the 7726 national reporting number and the SMS traffic conveyed by actual networks. The authorities subsequently executed a search warrant at a home in central Auckland where they found the SMS blaster and arrested a 19 year old man. The teenager has been charged with interfering with a computer system and has a court hearing scheduled for December 10.
There was little information in the press release, but the photographs (pictured below) suggest the SMS blaster was found in the back of a car.


Nothing was said about the teenager having a car, where that car was driven, or over how long a period the SMS blaster was in use. It is likely that the authorities do not really know how many people received smishing messages from this device. The criminal advantage in using a portable radio device to connect directly to a victim’s phone is that it circumvents any form of monitoring that would occur if communications involved the use of an operator’s network. The real goal of the police announcement is to allay the public’s fear without admitting that neither law enforcement agencies nor network operators are capable of proactively detecting SMS blasters. The press releases states almost 120 phone users in New Zealand were ‘affected’ by this device sending smishing messages that contained links to a bogus bank website. That represents the minimum, not the maximum number of potential victims, some of whom may not have been identified. The most important takeaway is that New Zealand’s authorities needed the public to blow the whistle on the suspicious SMS messages sent by SMS blasters because nobody in the police or private sector would otherwise learn of them.
Years have passed since Commsrisk started warning about the inevitable spread of mobile radio devices being used as simple fake base stations to send thousands of scam SMS messages. The threat was not taken seriously by most countries despite the extent to which the authorities in East Asian countries were already ramping up resources dedicated to locating SMS blasters. One reason to ignore the threat was that fraudsters will use cheaper methods to send scam SMS messages in bulk if they can. It should have been predictable that the progressive enforcement of tougher controls over A2P SMS and P2P SMS would prompt criminals to execute workarounds using widely-advertised technology which bypasses mobile networks entirely. Bank frauds are lucrative; employing teenagers to drive around SMS blasters is cheap in comparison.
I grit my teeth whenever I see another example of this trend where a new country says it has found its first SMS blaster, and how this supposedly shows that cooperation between police and the private sector is effective. It rather suggests complacency. Finding one SMS blaster is better than finding none, but finding a single SMS blaster tells us nothing about how long it was in use before it was detected, or how many other SMS blasters may currently be in use. Current methods of identifying smishing scams effected by SMS blasters are haphazard, patchy and cumbersome. Some countries may be trying to reassure the public after finding their first SMS blaster, but there will be many more in circulation around the criminal underworld that have not been found yet. If SMS blasters have been used for smishing frauds in countries like Norway and New Zealand then it is hard to believe that international criminal syndicates have not tried to use the same cheap technology in much bigger countries like the USA or Japan, neither of which has reported the use of an SMS blaster yet.



