GSMA Spam Reporting Service Solutions Guide

GSMA Spam Reporting Service Solutions Guide

October 2012


Proprietary & Confidential Page 1 of 19

Contents

Executive Summary ............................................................................................................ 2

How Can Cloudmark Help You? ......................................................................................... 2

Your Network is burdened with Unwanted SMS Spam, Generating Support Calls and Increasing Your Operating Costs ......................................................................... 2

Mobile Operator Challenges ............................................................................................... 3

Mobile Phones are Personal ........................................................................................ 3

Mobile Apps and Trojan Malware................................................................................. 4

SMS Fraud is Eroding Subscriber Trust and Operator Profits .................................. 4

Current Mobile Threat Landscape ...................................................................................... 5

SMS Spam ...................................................................................................................... 6

Financial Fraud .............................................................................................................. 6

Smishing Scams............................................................................................................ 6

Premium Rate Fraud ..................................................................................................... 7

Mobile Malware .............................................................................................................. 7

Changing Attack Techniques ....................................................................................... 8

Quality of Service Degradation .................................................................................... 9

Regional Variations ....................................................................................................... 9

North America ..................................................................................................................................... 9

EMEA ................................................................................................................................................ 9

Asia ................................................................................................................................................ 9

Latin America ...................................................................................................................................... 9 Russia ................................................................................................................................................ 9

GSMA Spam Reporting Service Overview....................................................................... 10

Subscriber Experience ................................................................................................10

Reporting Spam Messages to the GSMA SRS Service .................................................................... 11

SDK for Spam Reporting Apps.......................................................................................................... 12

Integration with Existing Spam Reporting Services .......................................................................... 12

Operator Features and Benefits ..................................................................................13

Main Dashboard ................................................................................................................................ 13

Senders Dashboard .......................................................................................................................... 14 Reporters Dashboard ........................................................................................................................ 15

Attacks Dashboard ............................................................................................................................ 15

Customizable Search ........................................................................................................................ 16

From Visibility and Intelligence to Action ....................................................................... 17

Summary ............................................................................................................................ 19



Executive Summary Increasingly, mobile subscribers are using their always-on, always-at-hand mobile phones as their primary means of communication. Exponential growth in mobile messaging has created important revenue opportunities for operators and, alarmingly, for fraudsters rapidly shifting focus to SMS/MMS and away from less profitable email-based spam and scams. In fact, recent estimates suggest that up to 70% of unwanted text messages are attempts at financial fraud.

The implications for unabated mobile spam and mobile threats are in many ways more severe than in the email world. Mobile phones play a more personal role in subscribers’ lives than PCs or tablet computers. Subscribers regard SMS spam as an invasion of personal space and expect their operator to provide protection. If an operator fails to protect customers, permanent damage to trust and brand loyalty can result. As SMS/MMS spam and attacks increase globally, operators can expect further cost increases and revenue erosion due to subscriber complaint calls, unwillingness to adopt new services, and even defections.

Since SMS/MMS spam and attacks are still relatively new, many operators have yet to develop or deploy effective protections. In many cases, mobile network operators lack even the most basic monitoring tools, relying instead on subscriber support calls to alert them to SMS spam and attacks. Powered by Cloudmark, the undisputed leader in mobile messaging security, the GSMA Spam Reporting Service (SRS) provides operators with automatic global visibility, intelligence and insight into spam and mobile messaging attacks. By forwarding unwanted SMS/MMS messages to 7726 (SPAM), or other designated short code, subscribers are empowered to fight back, without calling customer support. GSMA SRS analyzes all customer spam reports and provides operators with actionable information including:

• Top Messaging Abusers – Primary senders of spam and other unwanted messages on operator networks, categorized by sender (MSISDN, short code, etc.), source operator and country.

• Top Attacks – Categorized by attack name and group (attacks are identified even though the exact message text can vary significantly from message to message).

• Top Reporters of Messaging Abuse – Allows operators to acknowledge subscribers receiving large amounts of spam.

Because GSMA SRS is a fully hosted service, it can usually be deployed within several weeks - significantly reducing integration costs and effort. Many operators running GSMA SRS have realized an immediate payback by integrating their new visibility into spam attack sources with existing workflows. For example, rather than waiting for subscribers to make costly complaint calls, fraud prevention and customer experience teams now have the information needed to proactively identify and block spam senders. In addition, the global insight into mobile messaging trends provided by GSMA SRS greatly increases the accuracy of all SMS/MMS spam and threat filtering solutions.

How Can Cloudmark Help You? The Cloudmark Mobile Security Platform solves a wide variety of problems facing operators today. Some typical applications are listed below:

Your Network is burdened with Unwanted SMS Spam, Generating Support Calls and Increasing Your Operating Costs Attackers seeking access to your mobile subscribers can clog your network with unwanted spam and fraudulent messages. This can increase your customer support and operating costs, devalue your brand, and drive mobile subscribers away.

The GSMA Spam Reporting Service provides detailed visibility into mobile messaging threats and attacks, whether they originate from within or outside of your mobile network. By delivering real-time feedback for effective message filtering, the GSMA SRS solution provides the first critical step needed to address mobile messaging abuse.

For complete messaging security, the Cloudmark Security Platform provides operators with the technology, tools, and expertise to automatically block the latest mobile messaging attacks, threats and spam - before they can impact networks and subscribers. Cloudmark stops abusive traffic



before it enters your network; freeing up bandwidth, improving stability and reducing operational costs and overhead. Your subscribers will enjoy a secure experience, improving their brand loyalty and acceptance of value-added services.

Mobile Operator Challenges Mobile phones provide the most personal and convenient way for people to communicate with each other anytime and from anywhere around the globe. Billions of consumers and corporate subscribers have come to rely on their mobile phones for a myriad of both critical and routine tasks including the secure exchange of critical business information, driving directions, and personal banking transactions. Broadband connectivity offers subscribers real-time access to the vast resources of the Internet, whilst smartphone platforms, applications and services bring desktop processing power and flexibility to mobile devices. Smartphone users can now easily manage personal and corporate email, edit photos, and even participate in a video conference - all tasks that used to require a personal computer.

Figure 1: Typical Mobile Operator Network

As mobile and fixed networks converge, along with social networking applications they support, the inevitable commoditization of mobile device platforms and services will erode certain advantages now enjoyed by service providers. Mobile network operators (MNOs) will have to work harder to maintain a competitive edge. Those who listen to customers and understand their needs and decision points at a deep level will be able to provide the value necessary to attract and retain subscribers. One of the most important differentiators that operators can offer is trust. Closely associated with brand, trust can take years to develop but can be lost in a moment. Subscribers have learned to place a high degree of trust in their service providers, especially in the content they receive such as SMS and MMS messages. Recent scams and malware outbreaks targeting mobile users have begun to erode subscriber trust and established brands, prompting users to consider alternatives.

Mobile Phones are Personal Personal computers have evolved in a relatively open and hostile environment, where new operating systems and applications are immediately tested by hackers seeking to prove their skills or criminals seeking monetary profit. Over the years, this ongoing game of cat of mouse between cyber criminals and security experts has conditioned PC users to a continuous cycle of infection,



patching and updating. Likewise, the widespread use of email has conditioned users to floods of spam and an endless variety of malware and online scams.

By contrast, mobile devices and operator networks have evolved in a far more closed and safer environment, where operators guard their infrastructure and control which subscriber devices are allowed to access it. For years, this ‘walled garden’ approach has allowed service providers to largely shield customers from attackers and outside forces, and has allowed mobile subscribers to develop a more trusting and personal relationship with their mobile devices and the content they receive on them. Users have learned to take the security and privacy for granted, and to trust that the SMS and MMS messages they receive are from legitimate sources.

Mobile Apps and Trojan Malware Each new generation of mobile devices incorporates faster processors, more memory, better displays and more powerful operating systems. This allows developers to create increasingly dynamic ‘apps’ to improve productivity for business users and enhance consumer’s personal lives. Analysts predict that downloads of mobile apps will increase 470%, from 39 billion in 2011 to 183 billion in 20151, while the average number of installed apps per smartphone rose from 32 in 2010 to 41 in 2011, an increase of 28%2.

Unfortunately, an alarming number of subscribers remain unaware that many mobile apps are sharing their personal information with ‘other third parties’. Information collected by apps can include personal address books, location data, usage patterns and internet search history. Advertisers frequently collect personal information for use in legitimate ad campaigns, but may also resell user data to less scrupulous spammers and phishers.

Even worse, malware is increasingly finding its way onto mobile phones by masquerading as legitimate apps. Once installed on a subscriber’s mobile phone, these malicious apps can steal contacts, passwords and device information such as the IMEI number without authorization. The malware can even send SMS messages to premium rate numbers resulting in unexpected and costly charges to subscribers. Mobile malware now generates millions of costly service calls for operators every year and tidy profits for attackers.

SMS Fraud is Eroding Subscriber Trust and Operator Profits SMS and MMS messaging provide an easy way for subscribers to exchange information when voice conversation is not desired, or to share pictures and other multimedia files. In addition, SMS is increasingly being used by businesses for a variety of useful and legitimate reasons including:

• Bank account status and alerts • Payments by financial institutions • Coupons and loyalty programs for brands and retailers • Information for transportation providers • Opt-in marketing campaigns run by mobile marketing firms

According to the International Telecommunications Union, a United Nations agency, 6.1 trillion SMS messages were sent in 2010, with an expected CAGR of 53% through 2015. In parallel, global SMS revenue for operators is expected to grow from $105.5 billion in 2010 up to $136.9 billion in 20123.

1 IDC, 2012 2 Nielsen, 2012 3 Informa Telecoms and Media, 2011

Figure 2: Legitimate Mobile App or Malware?



Criminals are also attracted to this large and growing opportunity, albeit for fraud and theft. Abusive SMS traffic wastes valuable network resources and drives up customer support costs. Malicious SMS messages received though a ‘trusted’ mobile operator can permanently damage subscriber loyalty, increase customer churn and threaten subscriber adoption of future mobile services. As mobile operators continue to expand revenue through value added services, it becomes increasingly important to provide a secure experience for subscribers. SMS spam and fraud are now affecting the entire mobile ecosystem resulting in degradation of service, operational problems, unnecessary support calls, and loss of revenue for operators. In addition, should operators prove unwilling or unable to control spam and threats, frustrated subscribers may hasten their migration to OTT messaging services such as iMessenger, WhatsApp and Pinger.

Current Mobile Threat Landscape Unlimited texting plans offer a new level of freedom for mobile subscribers. Unfortunately, they have also lowered the cost of doing business for attackers while increasing their return on investment.

Figure 3: Increasing Profitability of SMS Fraud (USD)

Due to the closed nature of mobile networks, subscribers have learned to place a high level of trust in communications received on their mobile phones. It’s no wonder that 2011 saw unprecedented growth of mobile malware attacks, with a 155% increase across all platforms4. Most notable was a dramatic growth in malware for the Android platform to more than 13,000 samples by the end of 20114.

Attackers typically send SMS texts to randomly generated phone numbers, or to lists of numbers obtained through other scams or purchased on the black market. Attacks can vary from merely annoying to malicious, with some attackers using social engineering techniques to lure users into calling premium rate numbers or texting premium rate short codes. Attackers might also send texts with links to phishing sites that trick subscribers into divulging personal information. Some of the more prevalent SMS messaging attack types are detailed below:

4 Unprecedented Mobile Threat Growth, Mobile Security Report 2011; Daniel Hoffman, February 2012



SMS Spam SMS spam is generally defined as any unwanted or unsolicited text message that is sent to a mobile device. SMS spam frequently masquerades as correspondence from a legitimate but spoofed entity. Most SMS spam includes a ‘call to action’ that entices subscribers to do something such as click on a link that leads to offensive material or allows the sender to collect a click-through commission. Some messages contain a social engineering hoax that encourages subscribers to forward the message to all of their contacts in return for a reward. Increasingly, SMS spam is engaged in smishing – an attempt to trick the recipient into divulging financial or other sensitive information then used for criminal profit.

Financial Fraud It is estimated that 70% of unwanted SMS text messages contain some sort of attempt at financial fraud. Mobile banking and payments are very popular in Japan and South Korea, with tens of millions of subscribers participating. This shift from bank tellers to mobile phones is being driven by banks seeking more cost-effective and real time ways to deliver services. Financial institutions around the world have begun to offer account access via SMS as well as transaction and overdraft SMS alerts. Some widely received financial fraud scams entice users with a rewards card, insurance claim or lottery winnings. The subscriber is directed to contact a fraudulent call center that requires their bank account or credit card information to pay a small ‘shipping fee’ before delivering their prize.

According to Gartner, mobile payment services are expected to reach US$245 billion in value worldwide by 2014. Mobile payments products and services include:

• Mobile Payments - such as paying for retail goods and services, internet shopping, low value items and business expenses

• Mobile Money Transfers - transferring money from one mobile phone to another and from mobile phones to banks

• Mobile Banking Services - such as bill and salary payments

Many of these services may have vulnerabilities that criminals will attempt to exploit and all are subject to various message-driven fraud and phishing attacks. Additional threats are coming through Extended Short Message Entities, or ESMEs, which send messages to a mobile operator network from an outside service, such as email, automated short code marketing messages, or voting systems that process SMS messages. The high volume of messages sent from ESMEs can expose subscribers and operator networks to uncontrolled attacks.

Smishing Scams Like its email predecessor, smishing messages are typically crafted to appear genuine, even copying content and URLs directly from authorized business communications. Smishing messages typically spoof a legitimate entity, often masquerading as a gift card or other ‘free’ giveaway offer. Recipients who follow the link and comply with the instructions risk having their personal details used for illicit purpose, or encounter unexpected charges, or have their account credentials stolen for financial fraud and possible identity theft.

Figure 6: Smishing SMS

Figure 5: Financial Fraud SMS

Figure 4: SMS Spam



In some cases, extortion or fear is used as the hook. In Japan, for example, mobile users have received messages threatening to expose their participation in a dating club, unless they immediately visit a certain website to ‘unsubscribe’. Of course the website is a phishing site that collects personal information from victims. Studies have shown that up to 50% of phishing victims’ credentials are harvested by cyber criminals within the first 60 minutes of phishing messages being sent. The ‘always on’ nature of mobile subscribers makes recipients particularly vulnerable to smishing (derived from ‘SMS phishing’) scams.

Premium Rate Fraud Premium rate fraud results in unexpected charges to mobile subscribers. Depending on the mobile plan and region, recipients can be victimized by either inbound or outbound toll fraud messaging. In the case of outbound toll fraud, recipients may unwittingly follow instructions contained in an SMS message to inadvertently text a premium rate number. In other instances of toll fraud, mobile subscribers may unwittingly install a malicious app that unbeknownst to them sends SMS messages to premium rate numbers for which the victim will then be charged.

In December 2011, for example, attackers seeded the Android Market with dozens of malicious apps disguised as installers for popular free games and horoscope apps. Subscribers who installed these ‘free’ games unwittingly agreed to Terms of Service which allowed these apps to send premium rate texts from their phones. Dubbed RuFraud, the scam affected subscribers in at least 18 different countries

GGTracker is another example of a premium rate scam. Clicking on an in-app advertisement directs users to a malicious website resembling Google Play's installation screen. Subscribers are then persuaded to download and install an app which contains the malicious GGTracker code. GGTracker then subscribes users to premium SMS subscription services that charge their accounts $9.99 per month.

The popularity of the photo sharing app Instagram prompted attackers to post a rogue version of the app on a fake website that mimics Instagram's legitimate download page. The fake site distributed a malicious app that, once installed on a mobile phone, sends SMS messages to premium rate numbers with no explicit authorization from the subscriber.

Mobile Malware Fraudulent messages typically prompt users to download and install seemingly legitimate apps that contain malware. Once the malware is installed on a mobile phone, hackers can steal login details, transact calls, text premium rate numbers, and send SMS spam or smishing messages to all of a subscriber’s contacts.

Figure 7: Premium Rate Fraud SMS

Figure 8: Fake Instagram App

Figure 9: Mobile Malware Site



The financial impact ranges from unauthorized items appearing on a subscriber’s bill, to thousands of dollars being transferred from bank accounts.

Droid Dream is an example of a malicious app that has been distributed widely inside of otherwise legitimate apps. Once installed, the modified app doesn’t even need to be launched as it simply activates itself when the user receives a call. It then sends sensitive information about the subscriber’s phone to a remote server, including the model number, the International Mobile Equipment Identity (IMEI) number, International Mobile Subscriber Identity (IMSI), and software development kit version. This information can then be used be the attackers to target the subscriber for a wide range of fraudulent activity or sold on the black market to other scammers.

As malware writers discover new ways to exploit vulnerabilities, attacks on mobile devices and users are achieving new levels of sophistication. Discovered in the wild in 2011, a Trojan known as Droid KungFu uses encrypted payloads to avoid detection. A significant number of malware strains are leveraging social engineering techniques to dupe users. A type of malware known as ‘fake installers’ trick victims into unknowingly paying for pirated ‘free’ applications. Victims are tricked into agreeing to terms of service that allow the pirated applications to send profits to the scammers via premium SMS messages.

Changing Attack Techniques As in the PC world, attacks in the mobile space have settled into an arms race with attackers morphing their techniques to counter each new defense that operators put in place.

Figure 11: Mobile Attack Progression

Attackers have even begun to use ‘canary accounts’, which are attacker-controlled destination numbers, to verify that new attacks are reaching their intended targets prior to ramping up the attack volume. This ensures maximum attack effectiveness before the operator spots the attack and deploys a defense. When the attack no longer reaches the canary account, the fraudsters will begin to morph the attack through multiple progressions. They might change the sending number, the message content, the call to action number, the URL and other parameters in order to keep the attack going for as long as possible.

Figure 10: Fake App with Droid Dream



Quality of Service Degradation An unchecked flood of SMS spam can seriously degrade the quality of service that an operator is able to deliver. SMS messages are transmitted over the same channel as voice calls, so spikes of SMS spam can overload the network, leading to denial of voice services. While some next-generation SMSCs can rate-limit traffic sent over their SMS network, few legacy SMSCs have that capability. In addition, very few controls exist to limit the rate of reception of traffic from external networks, since externally originated SMS traffic is usually sent directly to subscriber MSCs.

Regional Variations Types of attacks and scams can vary dramatically by region and change rapidly according to the effectiveness of security measures deployed by carriers and service providers. Attack types can also migrate across regions as new security vulnerabilities are discovered and patched, and as new attack kits propagate around the globe.

SMS spam does not respect national boundaries and even benefits when crossing continents, exacerbating the law enforcement challenge of identifying and detaining attackers. For example, some western subscribers have recently experienced toll fraud attacks that evade detection by calling Russian premium rate numbers in the middle of the night. In other incidents, banking customers have had their login details stolen and their SMS payment authorizations forwarded to attackers in distant countries.

SMS scams often involve a high degree of social engineering. As a result, the hook used to entice the recipient will vary by country and is dependent on breaking news events, timely legislations, and other locally popular occurrences. As an example, within the UK, accident compensation spam and PPI compensation spam are the two most ubiquitous SMS spam campaigns. Some additional common scams are listed below by region:

North America

The North American market has been relatively safe until recently. The introduction of unlimited texting plans has helped to unleash a wave of spam SMS messages. Currently, some of the more common SMS spam being used to propagate attacks in North America revolve around’ Need cash now’, ‘Quick cash’, ‘Receive a gift card’, and ‘Secret shopper’ scams.

EMEA

In Europe, SMS spam is dominated by premium rate number scams such as ‘You’ve won cash’, ‘Someone called you – Find out who’, and ‘My battery is dying – Call me quickly’. In addition, SMS/MMS video spam has had a significant impact on operators and subscribers.

Asia

In Asian markets, more than 20% SMS messages sent over operator networks are malicious in nature. Spam related to loans, gambling and pharmacy scams are currently prevalent.

Latin America

In 2011, 62% of SMS spam in Latin America originated from Brazil, followed by Argentina, Columbia, Chile and Peru. By contrast, subscribers in Mexico are most likely to be attacked by security threats, followed by Brazil, Colombia, Chile and Argentina5.

Russia

Mobile users in Russia have been receiving SMS spam since 2004. Subscribers have recently been experiencing a dramatic increase in SMS Trojans such as fake installers and ‘scare-ware’ programs which masquerade as legitimate downloads, but send premium rate text messages once installed.

5 Frost & Sullivan, 2011



GSMA Spam Reporting Service Overview The GSMA Spam Reporting Service uses Cloudmark technology to provide a clearinghouse of messaging spam and attack reports from mobile subscribers across an operator’s network. On-network and off-network data provides operators with insight into the extent of messaging attacks within, entering, and leaving their networks from other operators. Using a specific short code, subscribers forward SMS/MMS spam messages directly to GSMA SRS for detailed analysis. The GSMA and Cloudmark recommend using ‘7726’ (SPAM) for reporting purposes, although operators may choose any short code.

Through automated collection and analysis of subscriber-reported attacks, the service provides individual operators with detailed information on threats: content, spam senders, and reporters of attacks. The service also provides aggregated mobile threat data across mobile operator networks, providing enhanced visibility into high volume, fast evolving, and emerging threats. Operators access these reports through a web interface and use this visibility to target enforcement action against abusive traffic only, without impacting legitimate users and content.

Figure 12: Overview of the GSMA Spam Reporting Service

Implementation of the GSMA Spam Reporting Service is very light-touch for the operator, and in many cases, an operator can be up and running with the service in as little as two weeks. The service is fully hosted, managed and run by Cloudmark on behalf of the GSMA. Once an operator provisions the reporting short code, all data is sent to the service for aggregation, analysis, and reporting through the web interface. GSMA SRS supports virtually any character set, including double-byte languages like Chinese and Cyrillic.

Subscriber Experience Subscribers currently have limited options when receiving unwanted messages on their phone. Calling customer service to report the issue can be time-consuming for the subscriber and expensive for the operator. Subscribers become frustrated and operators are left with little insight into the scope and scale of spam on their networks. By providing a simple solution for subscribers to report spam directly from their mobile phones, operators can reduce call center costs while improving their ability to monitor and block mobile spam. In order to maximize adoption and usage, the end-user experience keeps subscriber interaction simple, enabling the operator to provide the service at no-charge.



Reporting Spam Messages to the GSMA SRS Service

In support of the objective of broad reach and adoption, the GSMA SRS provides a complete end-to-end user experience over SMS. Through the use of a well-publicized short code to which messages can be forwarded, subscribers can easily report incidents of spam to their service providers:

1. Subscriber determines that they have received an unwanted/abusive SMS message.

2. Subscriber forwards the message directly to GSMA SRS via 7726, or an alternate designated short code.

3. Subscriber receives an automated SMS response from GSMA SRS thanking them for their submission, and requesting the MSISDN of the unwanted message sender.

4. Subscriber replies with the MSISDN (or short code) of the unwanted message sender.

5. Depending on classification of the submitted sender information (MSISDN, short code, e-mail, or invalid), subscriber receives a customized message from GSMA SRS thanking them for the information and requesting type-specific suggestions. For example, if the subscriber reports a short code as the sender, they might be encouraged to send a “STOP” in response to the original message. This response is optional and can be customized for each participating operator, or omitted altogether.

This reporting flow is shown in the following diagram:

Figure 13: SMS reporting flow

The operator can customize each of the message replies sent to the user in the above scenario. The operator can also define the criteria for classifying senders (MSISDN, short code, email, or invalid).

In order to compensate for the lack of metadata included in an SMS while simultaneously minimizing complication for the subscriber, the interaction is initiated by forwarding nothing more than the initial SMS message. The requirement for additional information is explained to the subscriber in the reply to the first message. Cloudmark’s data has shown than more than 70% of reporters follow through with this second step.



Figure 14: Mobile Spam Reports Sent to GSMA SRS by Subscribers

SDK for Spam Reporting Apps

Cloudmark offers an SDK which enables third-party mobile application developers to integrate a library into their mobile messaging apps, over the top messaging apps, and mobile security apps. The spam reporting library functionality will soon be extended to include handset-side mobile messaging spam detection capabilities for Android. Support for additional mobile OS platforms will follow.

Reporting abuse directly from a messaging app enables one-step reporting for subscribers. Within the messaging app, the subscriber merely chooses a menu option, such as ‘mark as spam,’ similar to traditional email. The spam reporting library will automatically handle the reporting to GSMA SRS.

Integration with Existing Spam Reporting Services

Operators with existing standalone spam reporting solutions can easily gain access to GSMA SRS analytics without interrupting the subscriber experience. Spam reports can be forwarded directly to GSMA SRS over any supported interface including HTTPS, MMS, SFTP and SMTP. For batch submissions, GSMA SRS offers a standardized JSON format.



Operator Features and Benefits Table 1: GSMA SRS Features and Benefits Summary:

GSMA SRS Feature Operator Benefit

Fully Hosted Service No capital costs, minimal up-front investment to deploy the service.

SMS-based Reporting for Subscribers

Little to no set-up cost, service can be enabled immediately for virtually all existing subscribers.

Web-based Interface with At-a-glance Dashboards

Little staff training required to realize immediate benefits; “double-click” to the needed level of detail.

Powerful Query Language Enables customized analytics to quickly identify and terminate spammers.

Customizable Dashboards Tailor information views to suit operator workflows.

Optional Android Reporting Library

Allows for integration with operator-branded messaging app; enhances carrier brand by demonstrating focus on subscriber privacy and security.

SRS has an intuitive web-based interface which allows administrators to begin monitoring SMS spam and messaging abuse immediately. The interface is highly customizable, allowing quick creation of drill-down queries to pinpoint specific mobile attacks.

A collection of standard dashboards provides operators with an at-a-glance view of spam and threat reports on their network. GSMA SRS also allows operators to customize dashboards to suit different workflows. Operators can also have GSMA SRS send automated email alerts when attack reports exceed defined thresholds.

Main Dashboard

The main dashboard shows current spam reporting statistics at a glance. Green boxes show typical spam reporting activity, yellow boxes show increased activity, and red boxes display abnormally high activity. The number of complaints during the past hour, day and month are also listed.

The main dashboard also displays the top spam offenders over the past month broken down as; internal (on-network) senders, short code senders and external (off-network) senders. All user interface elements are clickable, enabling fast drill-down for additional messaging statistics and details.

Figure 15: GSMA SRS Main Dashboard



Senders Dashboard

The Senders Dashboard contains several graphs showing a three month view of attacker data. The first graph shows a stacked area graph with information about attack report origination; internal (on- network), external (off-network), or unknown.

Figure 16: Spam Senders Graph - Internal vs. External

The next graph on this dashboard gives more detail about externally sourced attacks, broken down by originating operator. In a live system, the graph shows the true names of source mobile operators. With this information, an operator can identify attack sources on their network and determine where to focus additional spam-fighting resources.

Figure 17: Spam Sources by Network

The Senders Dashboard includes a sample of top spam senders/attackers, as well as an example of the spam message text. With this information, an operator can start to link senders to multiple attacks. If the sender is on-network (internal), the operator can take immediate corrective action such as notification or account deactivation.



Figure 18: Top Spam Senders

Reporters Dashboard

The Reporters Dashboard shows the most active reporters of mobile spam and threats. This information is useful in identifying subscribers particularly affected by SMS spam, or those who are particularly vocal about receiving it. In either case, operators could improve customer satisfaction by reaching out to top reporters and thanking them for helping to eradicate spam.

Figure 19: Most Frequent Spam Reporters

Attacks Dashboard

The Attacks Dashboard shows an overview of the most prevalent SMS attacks, as reported by subscribers. The overview of attacks is automatically grouped by name, with the help of Cloudmark’s Advanced Fingerprinting Technology. The grouping of attacks by name is a convenient method of identifying SMS spam, particularly since attackers frequently alter the source number and spelling of the message to evade static filtering mechanisms.

Figure 20 Top Attacks Bubble Graph



The bubble graph above shows information about the frequency of attacks by name. The size of the bubble indicates the number of unique reports of the attack. The position of the bubble along the X-axis shows the number of unique texts related to the attack. This uniqueness could come from variations in spelling, differing call-to-action URLs, or even message content. GSMA SRS uses Cloudmark technology to group similar messages automatically. Finally, the position of the bubble along the Y-axis shows the number of unique mobile spammers. A common technique for spammers is to send the same attack across a large number of source MSISDNs to evade blacklisting.

Figure 21: Top Attacks by Name

The Attacks Dashboard also shows a stacked graph that gives information on the volume of reported attacks, again grouped by attack name. This view allows operators to track the rise and fall of different attacks. In the example above, the yellow area represents the rise and fall of the “Need Cash Now” scam.

Customizable Search

GSMA SRS also provides a powerful customizable query language, allowing operators to isolate specific instances of spam, based on a variety of factors such as attack name, originating network, country of origin, and more.

Figure 22: Custom Search Interface



For example, the following search query finds all spam reports sent from the MISDN “14152608648”:

Figure 23: Custom Search for a Specific Spam Sender

The following search narrows the parameters even further to show the attacks from the same sender, but displayed over time.

Figure 24: List of Attacks from a Specific Sender Over Time

From Visibility and Intelligence to Action The GSMA Spam Reporting Service provides operators with immediately actionable information about SMS/MMS spam and threats on their mobile networks. This unique visibility, insight and intelligence allows operators to quickly notify or deactivate spammers and attackers, incorporating information from GSMA SRS into current fraud prevention or customer experience workflows.

Cloudmark Sender Intelligence (CSI) offers additional layers of protection to reduce mobile attacks and secure mobile messaging traffic. CSI delivers up-to-date, comprehensive sender reputation information, allowing operators to permanently block disreputable senders.



The next layer of defence is Cloudmark Mobile Platform (CMP), which allows operators to define sophisticated filtering rules using an advanced workflow-based policy framework. Operators can create and enforce rules based on traffic analysis, regular expression matching, and more – either globally or on a per-subscriber basis. Protection is available for any messaging format, including SMS, MMS, RCS, social networking (“over the top”), email, and binary attachments.

Figure 25: Cloudmark Layered Messaging Security for Mobile Operators

Finally, Cloudmark Authority provides content filtering and protection against all categories of mobile messaging threats. An additional layer of defence against evasive attacks, Cloudmark Authority combines Advanced Message Fingerprinting technology, high-performance algorithms, and Cloudmark’s Global Threat Network, with more than 2 billion trusted sources located in 165 countries.

Figure 26: GSMA SRS Integrated with the Cloudmark Global Threat Network



Summary Several key factors ensure that operators around the globe will continue to see a rise in the volume and sophistication of SMS-based spam and attacks. The widespread introduction of unlimited texting plans has finally made mobile scams profitable for attackers. In addition, the SMS channel is well trusted by subscribers, there is a billing mechanism in place, and subscribers frequently access sensitive information and conduct financial transactions on their handsets.

At a minimum, mobile network operators should have the ability to monitor the volume and impact of SMS attacks within their network and be prepared to deploy effective countermeasures as required. The GSMA Spam Reporting Service provides detailed visibility into mobile messaging threats and attacks, whether they originate from within or outside of an operator’s network. By delivering real-time feedback for effective message filtering, the GSMA SRS solution provides the first critical step needed to address mobile messaging abuse.

For complete messaging security, the Cloudmark Security Platform provides operators with the technology, tools, and expertise to automatically block the latest mobile messaging attacks, threats and spam - before they can impact networks and subscribers. The Cloudmark Security Platform receives real-time threat intelligence from the Cloudmark Global Threat Network, content filtering information from Cloudmark Authority, reputation data from Cloudmark Sender Intelligence, and spam reports from the GSMA Spam Reporting Service. This comprehensive information provides broad visibility into the latest messaging threats, trends and traffic patterns, enabling rapid creation and deployment of effective security policies.

GSMA Spam Reporting Service Solutions Guide

Documents

Transcript of GSMA Spam Reporting Service Solutions Guide