o2 Germany promotes SMS-Phishing
RedTeam likes to point out that certain text messages ("SMS") recently sent by the cellphone network operator "o2 Germany" to some of its customers might promote SMS-Phishing. RedTeam expects SMS-Phishing to spread even more and become a severe problem.
Security-Risk: Successful SMS-Phishing
German Version: http://www.redteam-pentesting.de/advisories/rt-sa-2005-009-de
The cellphone network operator o2 Germany recently sent text messages ("SMS") to their customers, asking them to reply to these messages to get their mobile phones configured for additional features - in this instance the Multimedia Messaging Service ("MMS").
This makes it very easy for ill-meaning 3rd-parties to send officially looking text messages to o2-customers, making them answer to a number liable with costs, using so-called Premium-SMS numbers.
o2 sent some of its customers the following two text messages:
"Sehr geehrter <customer-name>, Ihr Handy ist zum Versand und Empfang von MMS-Nachrichten (Text und Fotos) geeignet."
"Falls Ihr Handy nicht richtig eingestellt ist, ueberspielen wir Ihnen kostenlos die Einstellungen. Bitte antworten Sie gratis auf diese SMS mit HANDY. o2-Team."
"Dear <customer-name>, your cell-phone is able to send and receive MMS-messages (text and fotos)."
"In case your cell-phone isn't configured properly we will update your phone to the correct settings for free. Please answer to this text message with HANDY. o2-team."
"Premium SMS" is a possibility to pay small amounts of money by sending a text message to the vendor (so-called "Mobile Originated-Billing") quite like Premium-Phonenumbers. In the beginning the german payment-providers agreed on prices from 0.29 - 3.00 Euros per received text message. Currently one text message can cost up to 4.99 Euros. But this may rise, as there are no laws limiting the prices. The money is shared between the network-provider, the payment-provider and the vendor. The latter gets the largest share.
This makes it quite lucrative to send text messages from a Premium-number and trick the receiver into answering to it (so-called SMS-Phishing).
On the internet, eCommerce and online-banking sites have learned the hard way never to send any emails to their customers linked to their websites. But obviously other communities, like cellphone network providers, have missed that lesson.
That's why RedTeam considers it extremely harmful if a network-provider asks its customers to answer to a text message. The customers will get used to it and be easier victims. RedTeam expects SMS-Phishing to spread even more and become a severe problem.
Proof of Concept
Imagine an attacker sending o2-customers a text message saying the following:
"Hello! Due to maintainance an update of your SMS-configuration becomes necessary. To be able to receive text messages in the future, please reply to this message with UPDATE. We will then send you your new configuration for free. o2-team."
The attacker could also include the customer's name to make it seem more credible. Cell-phone-numbers and names can be easily connected through search engines.
Piece of Advice
Network-providers should not request their customers to answer to a text message. Instead they should make public that they never ask their customers to answer to a text message. (This is analogous to what banks do regarding email and PIN-/TAN-numbers.)
If it is necessary for a network-provider that its customers agree to receive something (e.g. a new configuration) RedTeam suggests this course of action:
The provider sends the customer a text message with an individual code. The customer has to enter this code, along with his cell-phone-number, on the provider's website. The provider can then be sure that the customer wants to use the service without making the customer a prominent target for phishing.
According to RedTeam the risk is in the high trust-level a network-provider probably has among its customers. Many of the customers are likely to act on the requests of their provider. Now that o2 Germany has in fact sent its customers a text message asking them to answer, it is very easy for an attacker to pretend to be o2 and abuse o2's trust-level.
2005-03-17 - RedTeam becomes aware of the o2-campaign
2005-03-23 - This Advisory is published
2009-05-08 - Updated Advisory URL and date format
RedTeam is a penetration testing group working at the Laboratory for Dependable Distributed Systems at RWTH-Aachen University. You can find more information on the RedTeam Project at