IMSI ‘spoofing’ gadgets

“Spoofing” is when someone disguises an email address, sender name, phone number or website URL, or uniform resource locator.

Often, spoofing just changes one letter, symbol or number to convince you that you are interacting with a trusted source. But it is a cybercrime technique where someone or something impersonates a trusted source to gain access to personal information, money or data.

A surge of “spoofing” cases last week prompted the Cybercrime Investigation and Coordinating Center (CICC) to issue an alert cum warning. CICC executive director and concurrently Undersecretary of the Department of Information and Communications Technology (DICT) Alexander Ramos issued immediately the alert/warning following detection of a sudden surge of this particular cybercrime activity. Ramos disclosed the latest victims were account holders of GCash and Maya, the two biggest electronic money (e-money) service providers in our country.

“We are seeing more and more scam texts inserting itself into legitimate GCash or Maya SMS,” the CICC chief announced.

The CICC chief warned that this latest cybercrime technique illegally captures the short message service (SMS) of mobile phones, whether it has post-paid or pre-paid SIM (subscriber identification module) card. In simple terms, it’s a form of text scam in which these scammers are capable of creeping into legitimate message threads like those issued by GCash and Maya.

According to Ramos, both GCash and Maya have already been bombarding their respective account holders and other customers with advisories and alerts/warnings. The two biggest e-wallet service providers are operated by the two giant telecommunications companies (telcos), Globe and Smart, respectively.

“GCash will never send links via SMS, email and messaging apps,” the e-wallet posted on its Facebook page. Smart and Maya have been regularly sending this message to their customers: “Never open links sent by text, even those from ‘Maya’.” Scammers are now using illegal gadgets that can mimic the signal from telco towers to send texts that appear to be from trusted brands.

Actually, no less than Ramos fell victim to such “spoofing” while he joined Jocel de Guzman of ScamWatch Pilipinas during our Kapihan sa Manila Bay weekly breakfast news forum last Sept. 11. Ramos, along with three other people sitting next to each other inside Café Adriatico in Malate, Manila that day, simultaneously received the same message supposedly from “Maya” as indicated in its header: “Your account has been logged in from a different location. Please verify your account at https://payrmaya.com if not you.”

At a quick glance, you might panic after reading such message that might prompt you to click that site. But wait. If you read carefully, it has a wrong spelling – “payr.”

The last SMS is more tricky: “A deposit of PHP 2,850.00 is on its way. Please visit https://paypmaya.com to verify your account and accept it.”

Masking these SMS with seeming legitimacy, it makes account holders vulnerable to mis-identify the scam as legitimate. But the fraudulent messages contain links to a fake site that will capture the account holders’ details, including the One Time Password, or OTP, and other personal details.

Ramos admitted he has at least four mobile android phones. Phone number one is for public use; phone no. 2 is for official use; phone no. 3 is for his family and phone no. 4 is for finance, banking monitoring of CICC. And he has Apple iPhone 5 that he uses for his Pokemon games, he wisecracked. He got the Maya text scam in his public mobile phone.

A certified high-tech guy, Ramos advised the public to be keenly aware on the red flags to detect “spoofing” that comes through SMS. This is the first line of defense against these cybercriminals, he pointed out.

“We are appealing to the public to be more vigilant and never click links sent through text messages. We should always be suspicious when we receive such links through text messages,” Ramos exhorted.

The CICC chief reiterated his public appeal to immediately report cybercrime incidents to the Inter-Agency Response Center (IARC) Hotline 1326.

But how are these scammers able to sneak messages in bulk in legitimate threads through the use of a web portal or application?

From their initial investigations, Ramos found out these cybercriminals were using smuggled portable gadgets called IMSI, or International Mobile Subscriber Identity. The IMSI is a unique number automatically generated and stored in the SIM. It identifies every mobile phone subscriber.

The number is stored on the SIM card and is not moved or changed when that mobile number (MSISDN) is ported to a different SIM card. MSISDN stands for Mobile Station International Subscriber Directory Number and is a unique identifier for a mobile device on a cellular network. It’s the phone number that you use to make calls and send texts to a mobile device.

Ramos explained the IMSI operates like a text blaster that was widely used during the past elections by unscrupulous candidates that sent their “Vote for…” campaign messages. Since it is portable, he added, it becomes a “moving” gadget that can be operated inside a vehicle. The IMSI is capable of imitating the telco signals that enables it to copy and capture the mobile numbers within its range in proximity, Ramos added.

Speaking for the DICT and the CICC, Ramos cited they have the capability to detect IMSI. But given the limited resources of the government, he conceded, authorities can only do so much. However, Ramos counts on the inter-agency body aided by other law enforcement authorities that are steps ahead of the modus operandi of these scammers.

Other than technology-aided gadgets, Ramos takes pride in the human intelligence resources in the government to put a lid on these nefarious cybercriminal activities. Ramos underscored fighting cybercrime begins with each individual.

“The government cannot do it alone. We need the support of everyone in the community,” he urged. One such support group is the ScamWatch Pilipinas that has joined forces with the CICC.

Amid the IMSI “spoofing” cases, there was another apparent organized attack on GCash accounts. Fortunately, it was quickly nipped in the bud.