Text messaging revolutionized the way people communicate. From simple person-to-person communication to comprehensive mobile marketing platforms for businesses, there are more than 15 million texts sent every minute — adding up to a whopping 22 billion a day and growing. In 2019, the global Mobile Marketing Market was measured at $10.5 Billion USD and is expected to grow to $25 Billion USD by 2024. Lured by the growing success of SMS, MMS and RCS mobile marketing platforms, cyber criminals are increasingly taking advantage of user behavior to expand the SMS threat landscape.
The Evolution of Texting: From SMS to MMS to RCS
What started as a novel way to send and receive short, quick communications has exploded into a mainstream form of global communication. Back in the 1980s, texting began as a Short Message Service (SMS), enabling people to send short messages over cellular networks; neither mobile data nor Wi-Fi is required. While SMS was ideal for a broad range of applications, the 160 character limit hindered communications.
As texting became more mainstream along with the growth of smartphones, the early 2000s advanced the core SMS capabilities to include sending multimedia content such as pictures and video, termed Multimedia Messaging Service (MMS).
In addition to having technology that delivers SMS and MMS, we then saw Rich Communications Services (RCS) added to the mix. RCS is a next generation SMS protocol that upgrades text messaging to include features like payments, high-res photo and file sharing, location sharing, video calls, and much more.
On average, American adults use a mobile device for nearly 3 hours every day. Since it is assumed that much of this time is spent texting, many believe texting to be one of the most effective channels for businesses to reach new and existing customers. Those assumptions have held up: texting has proven to be a highly effective and profitable marketing channel. Recent studies have found that SMS messages have a whopping 98% open rate. Not only that, but 90% of all text messages are read within 3 seconds.
Unfortunately, the same behaviors that make mobile marketing platforms wildly successful at engaging their audiences have also caught the attention of cyber criminals, who are quick to take advantage of unsuspecting victims. The quick-start SaaS subscription model, combined with obscured URLs, is making it easy for attackers to infiltrate mobile marketing platforms and launch malicious campaigns.
Due to the nature of SMS and MMS, dangerous URLs can frequently be disguised as harmless web pages. Texting communications are intended to be short, quick communications from one party to the next. The marketing goal is to garner a response through a direct reply or by clicking on a web link to complete a survey, claim a coupon, update account information, pay a bill, etc. Attackers take advantage of the same tools used by legitimate marketers to expand the SMS threat landscape, hoping that unsuspecting users will click without verifying the link first. Unfortunately, many users click without a second thought.
Whether it’s due to the character limitations of SMS or if it’s just easier to read and more ‘user-friendly’ to have a shortened URL rather than the full-path URL included in the message, the end result is that dangerous URLs are easily obscured — and it doesn’t raise any red flags for the users. This leaves mobile marketing platforms in a tough spot. Without a solution to detect malicious or objectionable content, phishing scams or other potentially harmful content before it gets to the end users, these platforms face significant risks to their brand reputation and revenue streams.
Just last week, reports of a new Emotet campaign being spread via SMS messages impersonating victims’ banks made the headlines. This campaign sends messages warning users their bank accounts have been locked, urging them to click on a link which then redirects them to a known Emotet distribution domain. After victims have been duped into entering their credentials, they are persuaded to download a file containing the malicious macros. These types of SMS and SMiShing campaigns are often successful because the phishing page victims see on a mobile device is an accurate replication of the bank’s mobile banking page.
What makes this tactic effective? Every day, potential victims wade through vast amounts of seemingly benign information. Attackers are aware of this and hide in what appears to be genuine traffic about the news of the day. Therefore, it will not be surprising if attackers leverage upcoming high-profile events such as the Olympics in their attempts to snare more victims worldwide.
Based on the feedback and stories we have been hearing from both partners and prospects, this is a growing area of concern. Some of our recent partners are faced with having to come from behind to regain their footing and earn back the trust of their users after public backlash and negative press. Others have been more proactive in their approach and have put solutions in place after the earliest warning signs were detected. In either case, zvelo partners are well positioned to protect their platforms, brands and revenue streams into the foreseeable future.
While it may seem an impossible task to eradicate undesirable users from popular and easily accessible marketing platforms, there are solutions to reduce your risks as a technology provider.
zvelo recently partnered with an SMS marketing platform to deliver a solution offering real-time URL analysis to mitigate the use of their platform for nefarious purposes, and eliminate as many objectionable and malicious URLs as possible — across base level domains, as well as the page, post or article level. You can read the full case study here.
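How a messaging platform might screen outgoing texts for obscured links, checking both the base domain and the individual page once a shortened URL has been expanded. This is an added example, not zvelo's code or API: the shortener host, the blocklists, the redirect table and all function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample data: every host, path and verdict below is hypothetical.
SHORTENERS = {"sho.rt.example"}                     # known link-shortener hosts
BLOCKED_DOMAINS = {"malware-dist.example"}          # base-domain verdicts
BLOCKED_PAGES = {"blog.example/posts/free-gift"}    # page-level verdicts
# Stand-in for following HTTP redirects, so the example runs offline.
REDIRECTS = {
    "sho.rt.example/a1": "https://login.malware-dist.example/bank",
    "sho.rt.example/b2": "https://blog.example/posts/free-gift?utm=sms",
    "sho.rt.example/c3": "https://shop.example/coupon",
}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def normalize(url):
    """Return (host, host + path), lower-casing the host and dropping the query."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    return host, host + parts.path.rstrip("/")

def expand(url, max_hops=5):
    """Follow shortener hops to the final URL; None if unresolved or looping."""
    for _ in range(max_hops):
        host, page = normalize(url)
        if host not in SHORTENERS:
            return url
        url = REDIRECTS.get(page)
        if url is None:
            return None
    return None

def verdict(url):
    final = expand(url)
    if final is None:
        return "block:unresolved-short-link"
    host, page = normalize(final)
    labels = host.split(".")
    # Domain level: the host or any parent domain is listed.
    if any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels) - 1)):
        return "block:domain"
    # Page level: the domain is acceptable but this specific page is listed.
    if page in BLOCKED_PAGES:
        return "block:page"
    return "allow"

def screen_message(text):
    """Map each URL found in an outgoing message to its verdict."""
    urls = (u.rstrip(".,;:!?)") for u in URL_RE.findall(text))
    return {u: verdict(u) for u in urls}
```

A short link that cannot be expanded is blocked rather than allowed, since its destination cannot be checked at either level.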