30.3k unique visitors in the last 3 days

Two Malaysians Arrested for Using an IMSI-Catcher in the Philippines

Were they spying on phone users or committing fraud? Tense relations with China and the politicization of similar arrests makes it difficult to judge.

Relations between the Philippines and China are difficult. Disputes over territorial rights in the South China Sea have led to dangerous confrontations; a recent encounter resulted in two Chinese ships colliding with each other as they chased Philippine vessels. Philippine officials have also accused China of interfering with elections held this year. This is said to involve online troll farms and other methods of spreading disinformation. Philippine President Ferdinand Marcos Jr. has ordered an investigation into allegations of election interference, which have been denied by China’s foreign ministry and its embassy in Manila. This context is necessary because news has been released of two Malaysians of Chinese ethnicity being arrested in Cebu City for using a radio comms device. It would be irresponsible to simply repeat the speculation swirling around them, as is the unfortunate norm for most websites and social media accounts that highlight stories relating to IMSI-catchers. The men may have been acting as spies, with the insinuation that they were collecting information from mobile phones on behalf of China, or they may have been using the radio comms device to commit fraud. Either way, it represents a continuation of a common theme for Philippines law enforcement.

The National Bureau of Investigation (NBI) reported that the men were arrested on August 8 in Cebu City. Their arrest was the result of an operation that began two weeks earlier. The names of the men were revealed to be Chong Hong Yee and Kim Chui Tan. A device described as an IMSI-catcher was found in the men’s hotel room, along with common electronic items like routers, mobile phones and RF modules. Cebu City is situated in the Visayan islands, south of Luzon, and is home to almost a million people. It is the sixth-largest city in the Philippines.

Local news media reports drew attention to the following:

  • the Chinese ethnicity of the Malaysian nationals arrested;
  • hotel staff had reported the men as ‘suspected terrorists’;
  • the arrested men had ‘sniffing devices’ used for ‘spying activities’; and
  • police cybersecurity investigators said the power of the radio device meant it could ‘draw off data up to 5G networks’.

Readers with a deeper technical understanding of security will share some of my doubts surrounding these claims. 5G security is much harder to crack than the security of earlier network generations, irrespective of how powerful any radio signal might be. It is implausible that spies were despatched to the Philippine’s sixth-largest city to exploit some little-known flaw in 5G security. The obvious place to do high-end spying would be in Manila, which is home to the country’s most important government offices and military headquarters. Police may have been consciously exaggerating the threat of espionage or unwittingly revealing that they do not understand what would be needed to intercept 5G communications.

According to some of the local reports, police also warned that scammers are changing their methods by basing themselves in hotels and resorts instead of offices and residential buildings. This year has seen a surge of news reports about SMS blasters being used around the world, and especially around Asia. SMS blasters and IMSI-catchers are both essentially a type of false base station. One major difference is that an IMSI-catcher may perform a man-in-the-middle attack by also being connected to a genuine mobile network, but SMS blasters are only used to transmit messages, eliminating the need to connect to a genuine network and to overcome all the additional security challenges which would come with that.

Commsrisk is reaching a stage where we seem to be publishing a new story about SMS blaster arrests every few weeks. The vast majority of these stories involve SMS blasters being used by people with Chinese affiliations to send large volumes of smishing SMS messages that impersonate a legitimate organization. Such messages contain a hyperlink to a phishing website. The intention is to collect the personal data, including the banking details, of victims. However, the authorities in the Philippines are bucking the trend because they seemingly keep arresting people with Chinese affiliations for using IMSI-catchers in a way that implies espionage.

There have also been a few cases where some Philippine law enforcement agencies have accused the arrested of engaging in smishing fraud. And there have been many reports of SMS blasters being illegally resold after they were previously used by Philippine Offshore Gaming Operators (POGOs) to send SMS messages that advertise their services. There have even been claims that government-owned SMS blasters, which are only meant to be used in emergencies, are being commandeered for political dirty tricks. This begs a serious question: when the authorities have so much pertinent experience, why would any Philippine law enforcement agency struggle to distinguish between a radio comms device that is configured for espionage and one which is only set up to send fraudulent messages? Why do they keep talking about the interception of data alongside the transmission of messages as if they cannot tell if they are investigating a state-sponsored spy ring or a gang of thieves?

It would suit some political interests to confuse scam activity orchestrated by Chinese organized crime syndicates with espionage sponsored by the Chinese state. This leads me to speculate that political bias is influencing the way these news reports are presented, and that smishing fraud remains the likeliest criminal motivation in cases like these. However, the information shared about this case is not definitive either way, which is why it will be excluded from our global map of fake base stations that send SMS messages until more information becomes available.

The NBI shared the following photograph of staff inspecting equipment found in the arrested men’s hotel room.

Eric Priezkalns
Eric Priezkalnshttp://revenueprotect.com

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.

Related Articles

The Commsrisk Global Fraud Dashboard


Our Global Fraud Dashboard uses AI-powered search to collate, update and visualize data about scams and other network abuses from around the world. New charts are added each month. See it here.

Get Our Weekly Newsletter by Email