Telstra taps Australian cyber cops to block SMS spoofing attacks

As COVID-19’s digital-services surge drives increased fraud, Defence Ministry helps government services agency identify legitimate communications.

whitelisting computer security security oversight admin lockout control by metamorworks getty images
metamorworks / Getty Images

Spoofed SMS messages will be automatically identified and blocked from reaching customers on Australia’s largest mobile network, after dominant carrier Telstra kicked off a pilot program with social-services agency Services Australia that will eventually be extended across the government.

Telstra has been working with the Australian Cyber Security Centre (ACSC) to test and refine the technology, which analyses metadata around SMS messages to detect manipulation of sender ID data.

An ongoing proof of concept has successfully been able to identify and block messages from unapproved senders “almost immediately”, said “really pleased” Telstra CEO Andrew Penn in kicking off the pilot program—which, he said, partners the telecommunications carrier with “key organisations” to identify the legitimate sources of citizen communications, then “block out the malicious relative to the legitimate”.

The Services Australia effort may expand to other agencies

By working with Services Australia to identify certain servers known to be sending legitimate communications, Telstra is able to block other, spoofed messages going to its 16 million mobile customers “with absolute certainty,” said Minister for Government Services Stuart Robert.

The new system “will not completely eliminate the risk, but it does eliminate a lot of the activity,” Penn said, noting that the program grew out of the DNS-level Cleaner Pipes initiative that Telstra announced in May to help block botnets and other malicious activity on its network. “One of the advantages of cleaning up all this malicious activity on the networks is that it makes the really hard stuff a little bit easier to find,” Penn said, noting that the company is blocking about 1 million scam calls per month and 20 million “suspicious” emails per month.

The ACSC “really does provide very unique insights into the tradecraft of cyber criminals who are looking to exploit Australians,” Minister for Defence Linda Reynolds said in highlighting the role of the government’s cyber security centre of expertise.

If the pilot program is successful, ACSC will engage with other Australian government agencies to explore ways of extending the system to protect other common targets of SMS scams. “This is a very collaborative relationship with Telstra and other telcos,” Reynolds added, noting that the scams are “a national problem that requires a truly collaborative national approach.”

Penn agreed, calling the ACSC “a tremendous government resource” in the collaborative fight against cyber criminals. “We both look at the world through a different lens and have access to information that the other party doesn’t have, and it’s by having the good guys in this game working together that we are increasing the changes of mitigating the chance of being subject to attack.”

Services Australia is a sitting duck for spoofers

The broad reach of Services Australia—a cornerstone agency that administers over one-third of government expenditure through programs including Centrelink social-support and unemployment services, and the Medicare healthcare benefits system—means that its brands are both recognised and trusted by nearly every Australian.

Its myGov online portal has been cyber criminals’ popular choice for spoofing SMS message headers to trick recipients into clicking on an embedded link—which actually directs them to a malicious landing page designed to steal personal and login information from victims.

Stuart Robert, Minister for Government Services, said the agency had received nearly 920 reports from customers that had lost more than $6.4 million during fiscal year 2019-2020—up $500,000 from the previous year.

“In terms of the globalised nature of comms, the challenge online is that you don’t know who is behind an assault or who has sent the scam email, the phishing SMS, the malicious email trying to attack your firmware,” Robert said in calling the new service “superb” in stopping “people trying to emulate us.”

The agency and its partners “will look to do as much as we can” including blocking overseas access based on IP addresses or domain names, he said. “We need to spend a lot more time, effort and money on protecting citizens in the back technical areas, as well as giving them information so they know not to go to a malicious link—but to go to the source and log in themselves.”

Increased use of online services have primed Australians for spoofing scams

Increased interaction with government agencies during the COVID-19 pandemic—particularly through digital channels such as the 18 million-strong myGov portal—has primed the population for spoofing scams, with the Australian Consumer and Competition Commission (ACCC) ScamWatch service recently reporting losses of $1.3 million to 7,100 reported government-impersonation scams such as fake government threats and phishing scams.

Medicare has been a perennial favourite for SMS scammers and SMS scams are the third most-common form of scam—behind phone calls and emails—and ScamWatch has received more than 15,350 reports of SMS-based scams so far in 2020, with losses of about $1.1 million through July 2020. In all of 2019, Australians lost $3 million to a reported 27,893 SMS scams. During the same time, the ACSC received an average of 164 cyber crime reports per day through its ReportCyber portal, including 23,841 reports of fraud and scams over the course of the year.

“The level of activity that we’re experiencing in relation to cyber crime is very, very significant,” Robert added—flagging expanding identity-related investments such as voice authentication and the “next great move” of digital identity—“so this is going to be very important.”

Related:

Copyright © 2020 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)