Regular readers of Commsrisk will appreciate the surge in stories about criminals using fake base stations this year, and how many of these reports come from countries where no such crime has ever been reported before. This week has seen credible reports from authorities in both Switzerland and South Korea who believe fake base stations are being used to facilitate fraud for the first time in either country’s history. However, one key difference is that the South Korean government believes a fake base station was used to intercept SMS messages, while the Swiss authorities believe a fake base station is being used to send them.
To briefly recap, an SMS blaster is a kind of fake base station that behaves like the component of mobile networks that uses radio transmissions to communicate with mobile phones within range. Criminals are increasingly using SMS blasters to bypass upstream controls implemented by comms providers that block harmful SMS messages. The typical sequence of events is that an SMS blaster is driven or carried around heavily populated areas where many mobile phones will temporarily connect to the device because it offers a stronger radio signal than any genuine mobile network. Once a phone has connected, the SMS blaster instructs it to downgrade its connection to 2G because this circumvents the security inherent to 3G and subsequent network generations. The phone then receives one or more SMS messages from the SMS blaster. These messages impersonate legitimate organizations and contain links to scam websites.
Put simply, SMS blasters are old technology which continues to be legal in most countries because criminals previously had cheaper ways of sending SMS messages or other communications that lured victims to scam websites. The criminal use of SMS blasters has spread from China to other countries as an inevitable byproduct of effective restrictions on the flow of scam communications elsewhere in the comms ecosystem. The use of SMS blasters by organized crime syndicates adds to their costs compared to methods they previously favored, but this is worthwhile from their perspective because their scams are so lucrative. Google and other manufacturers have responded by making handsets that are more resistant to SMS blasters because they can be instructed not to downgrade to 2G. However, this is not a comprehensive control because 2G networks will remain necessary and widespread to maintain connectivity in many countries for a long time yet, and because many phones will continue to have 2G enabled.
No specific arrests or seizures of fake base station equipment have been reported in either Switzerland or South Korea so far, but reputable authorities in both countries have stated their use by criminals is now suspected because of the geographic distribution of phones targeted by scammers. It is likely that those authorities have also checked with telcos about communications to devices in the affected regions and not found any anomalous traffic on legitimate networks. Using radio signals to track and locate a fake base station is a challenging process that requires an intensive deployment of specialized resources. It is hence natural that countries with no previous experience will find it hardest to locate the first few fake base stations used by criminals. Nevertheless, it is pleasing that the general pattern of this crime is now understood by a wider spread of national authorities than before, allowing them to identify when the pattern of messages indicates a fake base station is operating within a region before they have located the specific device. This level of awareness is needed in order to direct the resources required to catch and stop the criminals who operate fake base stations.
In Switzerland, the warning comes from the most respected authority imaginable: their National Cyber Security Centre (NCSC). They reported on September 9 a case that is consistent with typical SMS blaster scams.
The NCSC is currently receiving a large number of reports about fake text messages purporting to be parking fines in western Switzerland. What stands out is that the people targeted by these phishing texts had in fact recently been in the places mentioned. This suggests that the scammers are using portable mobile phone stations — small devices that can be carried in a rucksack and which allow the scammers to intercept signals and send manipulated text messages.
The NCSC’s report also highlights other telltale indications that an SMS blaster is being used, such as one of the victims of the scam messages saying his phone had switched from 4G to 2G immediately before he received the message, then switched back to 4G afterwards.
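The 4G-to-2G-and-back pattern described in the NCSC report can be looked for in a handset's own event log. The following is an added example, not code from the NCSC or Commsrisk; the log format, the sender values and the three-minute threshold are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed handset event log (not real data): (ISO time, event, value).
# "rat" = radio access technology change; "sms" = message received (value = sender).
EVENTS = [
    ("2025-01-15T10:00:00", "rat", "4G"),
    ("2025-01-15T10:05:10", "sms", "+41000000001"),  # delivered while on 4G
    ("2025-01-15T10:14:02", "rat", "2G"),            # sudden downgrade
    ("2025-01-15T10:14:20", "sms", "ParkingFine"),   # arrives inside the 2G window
    ("2025-01-15T10:14:55", "rat", "4G"),            # back to 4G under a minute later
    ("2025-01-15T12:00:00", "rat", "2G"),            # long 2G stay, e.g. poor coverage
    ("2025-01-15T12:40:00", "sms", "+41000000002"),
    ("2025-01-15T13:30:00", "rat", "4G"),
]

MAX_WINDOW = timedelta(minutes=3)  # assumed cut-off for a "brief" 2G window


def suspicious_sms(events, max_window=MAX_WINDOW):
    """Return SMS events received inside a brief 2G window that was entered
    from, and left for, a newer network generation (4G -> 2G -> 4G)."""
    parsed = [(datetime.fromisoformat(t), kind, val) for t, kind, val in events]
    flagged, prev_rat, window_start, pending = [], None, None, []
    for ts, kind, val in parsed:
        if kind == "rat":
            if val == "2G" and prev_rat not in (None, "2G"):
                window_start, pending = ts, []        # downgrade opens a window
            elif val != "2G" and window_start is not None:
                if ts - window_start <= max_window:   # window closed quickly
                    flagged.extend(pending)
                window_start, pending = None, []
            prev_rat = val
        elif kind == "sms" and window_start is not None:
            pending.append((ts.isoformat(), val))     # hold until window closes
    return flagged


if __name__ == "__main__":
    for when, sender in suspicious_sms(EVENTS):
        print(f"review: SMS from {sender!r} at {when} arrived in a brief 2G window")
```

A long stay on 2G is not flagged, since that is more consistent with ordinary coverage gaps than with a device passing briefly within range.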
The specific scam in this case involves fake parking fines. The messages contain a link to a phishing website where victims are told to enter their credit card information.
The NCSC’s update concludes with a promise to work with other Swiss agencies to tackle the problem.
We are aware of the threat posed by SMS blasters, and we are collaborating closely with the cantonal police forces, telecommunications companies, the Federal Intelligence Service and the Federal Office of Communications to address this issue.
On the same day that Switzerland’s NCSC warned the public about SMS blasters in western Switzerland, it was also revealed that a joint public-private task force is investigating the potential use of one or more fake base stations in Seoul and the surrounding province of Gyeonggi. However, the case in South Korea differs because the authorities believe a fake base station was used to intercept SMS messages sent to the phones of victims, instead of the more common worldwide crime where fake base stations send scam messages to victims.
The joint public-private investigation team includes representation from the Ministry of Science and ICT (MSIT) and the Korea Internet and Security Agency as well as the police and KT, the country’s second largest mobile operator with almost 20 million customers. An announcement by MSIT described a recent series of frauds suffered by customers of KT. It stated:
KT가 고객 무단 소액결제 침해사고 원인의 하나로 불법 초소형 기지국의 통신망 접속을 언급했다
KT cited network access from illegal, ultra-small base stations as one of the causes of the unauthorized micropayment incident
Gyeonggi police separately reported that KRW80.6mn (USD58,000) had been stolen from 124 KT customers through unauthorized mobile payments. These ‘ghost’ payments were each relatively small but they come at a time when public confidence has already been shaken by the massive data breach affecting 25 million users of SK Telecom’s network, the leading South Korean mobile network by market share. KT says it has blocked unusual payment requests since the ghost payment fraud was identified. The telco insisted that no data had been hacked from their systems, which would be consistent with the theory that an uncommon criminal technique was used to intercept two-factor authentication codes sent by SMS to victims.
The prime reason to suspect that a base station was used to intercept messages is the geographic distribution of victims. Unlike more common frauds, there is a high concentration of reports of unauthorized KT transactions from individuals living in Geumcheon, a southwestern ward of Seoul, and from the neighboring cities of Gwangmyeong and Bucheon. There have also been reports of unauthorized transactions from KT customers who live elsewhere, but this would be expected if an SMS message was intercepted while a victim was temporarily within range of a fake base station. For example, the crime might be committed while somebody is at work, but then noticed and reported after the person returned home. The victim is not aware of the crime when it occurs because it involves the interception of a message they never received. This results in a looser geographic correlation in the locations where the crime is reported, but every victim still needs to have been within range of a fake base station at some point in time.
This is the first potential case of a fake base station being used for crime in South Korea, but it is not the first known instance of South Korean involvement in a crime involving a fake base station. A Korean was arrested in Bangkok on August 20 after a search of the car he was renting confirmed he had been driving an SMS blaster around the city. Messages on the arrested man’s phone revealed he had been recruited to drive and operate the SMS blaster by a crime boss of Chinese ethnicity. The lure of foreign gangs has been so strong that South Korea’s police have actively sought to curtail scams involving Koreans who move abroad to work for scam gangs. Last year they even offered an amnesty and financial rewards to Koreans who returned home and became informants.
Radio communications security is normally considered to be a domain that exclusively interests high-end users, such as governments and the military. The proliferation of SMS blasters worldwide, and this potential new use of a fake base station for fraud in South Korea, show we need to start thinking about improving radio communications security to protect the general public from crime. The rate at which we have been updating our comprehensive map of SMS blasters reveals how much national authorities have tended to underestimate the speed at which radio comms equipment can be spread by scammers from one country to another. Most countries have laws against the frauds committed using radio comms equipment, but have no restrictions relating to the supply and ownership of this equipment. All countries should now be drafting legislation to prohibit the ownership of mobile base station technology except by those organizations which have a legitimate reason to use it.



