Spam Invades a Last Refuge, the Cellphone
Text message spam has started waking Bob Dunnell in the middle of the night, promising cheap mortgages, credit cards and drugs. Some messages offer gift cards to, say, Wal-Mart Stores, if he clicks on a website and enters his Social Security number.
Once the scourge of email providers and the Postal Service, spammers have infiltrated the last refuge of spam-free communication: cellphones. In the U.S., consumers received roughly 4.5 billion spam texts last year, more than double the 2.2 billion received in 2009, according to Ferris Research, a market research firm that tracks spam.
Spread over 250 million text message-enabled phones, the problem is not as commonplace as email spam. But it is a growing menace, with the potential for significant damage.
“Unsolicited text messaging is a pervasive problem,” said Christine Todaro, a lawyer with the Federal Trade Commission, the consumer watchdog agency, which is turning to the courts for help. “It is becoming very difficult to track down who is sending the spam. We encourage consumers to file complaints, which helps us track down the spammers, but even then it is a little bit like peeling back an onion.”
Although some text spam is of the harmless, if annoying, marketing variety, a vast majority is more insidious, experts say. With one mobile tap, smartphone users risk signing up for a bogus, impossible-to-cancel service.
Or they may succumb to that offer for a Wal-Mart gift card or a free iPhone in exchange for taking a survey and divulging all sorts of personal information, like their addresses or their transaction history — which can then be sold to digital marketers or even used to crack their bank accounts.
And, so far, it is hard to stop it. Even replying to unwanted messages with “NO” or “STOP” — the usual method for unsubscribing from an unwanted text message list — may only verify to spammers that you have a working number that can then be resold.
Scrambling to get a better grasp on the problem, the mobile industry last month joined with a maker of antispam software, Cloudmark, on a new reporting service that lets users forward mobile spam to “7726,” a number that spells SPAM on most keypads. Carriers will then use that information to block numbers.
Mobile spam is illegal under two federal laws — the 2003 Can Spam Act and the Telephone Consumer Protection Act, which set up the Do Not Call Registry in 2003. Smartphone users can report numbers that spam comes from on both the websites of the FTC and the Federal Communications Commission. The major wireless carriers — AT&T, Sprint Nextel, T-Mobile, Bell Mobility, and Verizon Wireless — all also offer ways to report the numbers on their websites and can block numbers. A number of apps for Android phones also promise enhanced spam text filtering.
Spammers, though, are endlessly inventive. Mobile carriers and filtering software can detect when a large volume of spam is sent from one phone number, and when the texts try to get someone to click on a website.
So spammers are turning to large banks of phone numbers, regularly changing the websites they try to get consumers to click, and blasting their messages from the Internet using “over the top messaging systems,” which let them send millions of messages cheaply. The minute a carrier blocks one number, spammers simply start using another.
“It seems this is all coming from different sources,” said Mr. Dunnell, a financial security consultant in St. Louis, who reported some texts he received on the FTC’s website and signed up for the Do Not Call list — to no avail. “I don’t know what good blocking one number will do.”
Spam on social media and instant-messaging services is also a problem, and there is more of it than of mobile spam, experts say, although security firms do not keep comprehensive figures. But the filtering technologies are more sophisticated.
As of last October, Facebook said it had blocked 220 million malicious links from a total of a trillion links clicked on Facebook a day.
Mobile spam, a more recent trend, is growing faster partly because spammers can blast their messages across providers, which share technologies, whereas they have to customize their messages for each instant-messaging provider and social media platform.
Legal remedies may provide some help against mobile spam. Verizon has brought 20 lawsuits against wireless telemarketers and spammers, most of which have been settled.
The FTC tried its first mobile spam case in February 2011 against Phillip A. Flora of Huntington Beach, Calif., accusing him of sending more than five million text messages over a 40-day period at a “mind-boggling” rate of 85 a minute, according to court documents.
Prosecutors said Mr. Flora was draining users’ allotted text message limits, which cost them money, and blasting messages at all hours of the night. The phone number of anyone who verified it by replying to the text message was sold to marketers.
The federal complaint against Mr. Flora said he charged $300 for every 100,000 text messages he sent — on top of what he made from selling cellphone numbers to third parties.
Mr. Flora settled the charges for $32,000 and agreed to cease sending spam texts. His lawyer, Michael A. Thurman, said his client “did not realize what he was doing was in violation of the law.”
Text spam that tries to get consumers to reveal their personal information is similar to the email frauds known as “phishing.” In the mobile context, these spams are known as “smishing.”
One of the two most common mobile spam messages last month, according to Cloudmark, the antispam software maker, was the “Need Cash Now” spam, in which users were promised quick cash if they disclosed personal and financial tidbits about themselves, which could be used to gain access to a bank account. The other was a gift card swindle, which lured users into taking a survey, in many cases on a spoofed website, and answering questions about their salary, debt levels, marital status, and health history.
“Attackers gain multiple layers of revenue from that information,” said Rachel Kinoshita, Cloudmark’s head of security operations. “They amass a 360-degree view of their target and can sell that information to marketers or just phish their bank accounts.”
Spammers can make a tidy profit blasting tens of thousands of messages at once. They use computers to generate millions of possible number combinations and then send messages to those addresses without knowing whether they have dialed a working number.
“If there weren’t so much money to be made here, spammers would simply go away,” Ms. Kinoshita said.
And of course smishing costs victims who do not have unlimited text message plans. Getting as few as 10 a month at 20 cents each would cost $24 more a year.
Mr. Dunnell has considered changing his cellphone number but concluded it would be too disruptive. “I just wish there was a better way to deal with this,” he said.