FTC crackdown on text spammers highlights business threat

The Federal Trade Commission’s recent crackdown on organizations suspected of sending millions of spam text messages puts a dent in an illicit activity that threatens businesses and consumers.

The FTC reported on Thursday that it was charging 29 individuals with collectively sending more than 180 million spam text to consumers. Through the lure of gifts and prizes, including a $1,000 gift card for major retailers, the alleged spammers tricked people into clicking on links that led to sites used to gather personal information.

“Today’s announcement says game over to the major league scam artists behind millions of spam texts,” Charles A. Harwood, acting director of the FTC’s Bureau of Consumer Protection, said in a statement. 

Spam text messages pose a significant threat to businesses because they are sent directly to mobile workers, bypassing filters and firewalls. While the operations busted by the FTC focused on gathering personal information, the links could have easily pointed to a site that downloaded malware.

Because many businesses have yet to deploy mobile security technology, the field of potential victims is still fairly open.

“Very few mobile devices are hardened and secured as most organizations have not deployed MDM (mobile device management),” Jonathan Thompson, founder and managing partner of Rook Consulting, said on Friday. “This exposes the devices to compromises with malware, where any and all communications can be monitored by hackers.”

In the past, MDM technology was used primarily to configure settings and to distribute applications on mobile devices. Today, many vendors have added malware detection and the ability to restrict access to corporate data.

“Most mobile devices have access to company IP (intellectual property) through email, so mobile devices will be hot targets for attackers in 2013,” Thompson said.

Fortunately, tools for hacking mobile devices are still relatively immature when compared with those available in the underground for breaking into personal computers. Nevertheless, the mobile threat is increasing as the number of malware and variants soars. Malicious apps that secretly bill victims through premium text services are popular among cybercriminals.

In the FTC case, people who went to the bogus gift sites were asked for personal information under the guise of needing shipping information for the gift cards. Once that information was collected, the victims were sent to another site where they ware asked to sign up for as many as 13 “offers” in order to get the gift cards. The offers sometimes required credit card numbers and submitting credit applications.

The information collected was sold to third parties for marketing purposes, the FTC said. In addition, site operators were paid by businesses that gained customers or subscribers through the offer process.

To protect against spam texts, companies should formulate a formal mobile device policy and guidelines that promote best security practices for employees, Thompson said. In addition, businesses should consider MDM software.

Other approaches to mobile security include building a separate workspace on the mobile phone, so corporate data and applications operate in an encrypted environment that cannot be affected by the personal side of the device.

Fixmo is one company that has such technology, and is working with Lockheed Martin and the Institute for Infocomm Research in Singapore on new methodologies for uncovering operating system vulnerabilities and potential attack vectors.

“We do not yet have products in market for this, but it is one of the key areas of R&D at Fixmo Labs,” said Tyler Lessard, chief marketing officer for Fixmo.