Malicious text messages: worrisome development

Macintouch posts a piece regarding
“My own phone number is now spam texting me”

This forebodes rather a new level of the problem.

With email phishing, spoofing, and the like, at least one has
the room/time to view the originating source of the malicious email, and act accordingly.

If phone number spoofing proliferates, this could become a huge problem, especially with regard to potential threats a recipient receives from a familiar number.

In the case of receiving a text from “oneself” the case is pretty clear on how to proceed
… i.e. delete right away.
On the other hand, receiving malicious threats from one’s contact list is a different order of things

A lot of people are reporting this now. Most ultimately linking here:

And a followup from Verizon: Verizon blames ‘bad actors’ for the spam text you got from your own number - The Verge

Ultimately, I don’t think this is anything new. Spammers and telemarketers and other bad actors have been forging e-mail and phone calls and texts for a very very long time.

We’ve all gotten spam that claims to come from our friends and relatives and neighbors (especially if you use social media, which makes it fairly easy for the bad guys to find out who they are).

And we’ve been receiving junk phone calls from forged phone numbers for just as long. Which is why blocking phone numbers doesn’t work - because every call is from a different number and they always belong to innocent bystanders.

So bogus texts that claim to be coming from people in your contact lists seem inevitable. I’m actually surprised we haven’t seen it all over the place already. If you see something unexpected or funny looking, don’t click the link. Reply (to your friend/relative) and ask if they sent it. If they didn’t, you know what to do.

And the nice thing here is that the act of asking won’t alert the spammers because it will be going to your existing contacts. So unless you think their phone number has been compromised, it should be safe. And if you’re not sure, a quick phone call should be enough, since you will probably recognize the correct voice.

2 Likes

This is far, far, far from being a new problem. I’ve been receiving spoofed phone number calls for as long as I can remember and my own phone number used over a year ago now. Another more recent touch is to use the same area code and exchange (first three numbers) as my number in hopes that I’ll think a neighbor is calling.

Since I have paid to have calls that don’t display a callerID blocked for over twenty years now, any call that comes in with callerID of “Unknown name” has to be spoofed and account for fully 99% of the calls received on my landline phone.

Unfortunately I cannot block such calls on my iPhone and they come in showing a city and state.

The only way to put a stop to this is for carriers to implement the technology needed to prevent anybody from being able to fake a number and/or callerID and they have not been incentivized or directed to do so. To them, any phone call is money in their pockets, regardless of whether it shows the true source or not.

2 Likes

I get that, generally, this is an old problem,

robo calls, sure,
calls from similarly familiar phone numbers, sure
spoofed, phishing, and spam emails, sure
spam, or otherwise unsolicited texts, sure.

I guess I have been really fortunate, so far…
never had a direct communication to my phone
with my own number, but that oddity would seem to be easy to
discard, delete or otherwise deflect

However, calls and texts from exact numbers of known contacts just seems a different
more problematic scenario. Good thing it is not that prolific (I think)
There are so many levels on which that circumstance can have malicious and threatening
results and impacts on privacy, and security

Perhaps I’m missing something, but I think I would rather get a spam from my number. Then I know it’s fake. And I don’t see it as a security risk, because the spammer already knows my number—he or she is sending the spam to it. I assume the spammer doesn’t know who I am (just knows my number, and that could be a guess as part of “carpet bombing” the area code and exchange), but even if the spammer does know who I am, what can I do about it? I just don’t respond.

The biggest drawback is that I have my phone set to ring only for calls from numbers in my contacts, and my number is in my contacts. But that’s a nuisance and inconvenience, not a security risk.

Am I missing something?

I agree on the point of receiving garbage from my own number, seems easy enough
to combat
It’s the to and from from an exact (not just similar) contact numbers that seems to me to raise this issue
to another level when it comes to malicious content and intent

I was receiving a large increase in iMessages/text messages that had URLs too easy to accidentally open. And one time, the number was my own. (Even got an email from me, that I knew I was visiting porn sites and it took my picture… yeah, ok…no bitcoin for me!)
Searching for resolution for these texts, I found I could contact ATT and request they disable the email to SMS gateway for my number. Typically you contact tech support and reference myCSP article *446389
I haven’t received them since. YMMV.

Warning: if you do this, you will not receive any texts from some services (EMS, Firedept, Public Safety etc) that use the email to SMS for broadcasting a message. Some large companies might use this to send employees an Alert or weather event message.

I think this is an opportunity for Apple to do something with the iOS to prevent this. I mean, you have pay services like HiYa and ATT Protect. But it should be able to offer an option to prevent URLs in texts from those not in your contacts, or previous texts. And if it’s from an email gateway, an option to block or flag/mute … in case you are expecting a URL in a text. Plus for accessibility, I find it TOO easy to answer a spam caller or dial when trying to swipe to trash.
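The client-side checks suggested in this thread (a text from one's own number, a sender sharing one's area code and exchange, an email-to-SMS gateway sender, and links from numbers not in contacts), sketched as an added example; it is not part of any post and not Apple's or a carrier's code. The function names, reason labels, 10-digit US number format and sample values are assumptions made here.

```python
import re

# Explicit URLs plus bare "domain.tld/path" links of the kind seen in SMS spam.
URL_RE = re.compile(r"(?:https?://|www\.)\S+|\b[\w-]+(?:\.[a-z]{2,})+/\S+", re.I)

def normalize(number):
    """Last 10 digits of a US-style number; None for short codes and other senders."""
    digits = re.sub(r"\D", "", number)
    return digits[-10:] if len(digits) >= 10 else None

def triage(sender, body, my_number, contacts):
    """Return reasons to hold a text for review; an empty list means deliver normally."""
    me = normalize(my_number)
    # The user's own number is often stored in contacts; it must not count as trusted.
    known = {normalize(c) for c in contacts} - {None, me}
    reasons = []
    if "@" in sender:  # assumption: gateway texts show an email address as sender
        reasons.append("email-to-sms-gateway")
        num = None
    else:
        num = normalize(sender)
    if num is not None and num == me:
        reasons.append("own-number")
    elif num and me and num not in known and num[:6] == me[:6]:
        reasons.append("neighbor-prefix")  # same area code and exchange
    if URL_RE.search(body):
        # A matching contact number is not proof of origin, so links are never silent.
        reasons.append("url-from-contact-verify" if num in known else "url-from-non-contact")
    return reasons

if __name__ == "__main__":
    MY_NUMBER = "+1 (212) 555-0142"                 # constructed sample values
    CONTACTS = ["212-555-0142", "+1 415 555 0199"]  # includes the user's own number
    for sender, body in [
        ("+12125550142", "Your bill is paid. Gift: example.com/abc"),
        ("2125550177", "hi is this you?"),
        ("user@example.com", "Click http://example.net/x"),
        ("(415) 555-0199", "look at www.example.org/pic"),
    ]:
        print(sender, triage(sender, body, MY_NUMBER, CONTACTS))
```

A sender number that matches a contact only selects the milder label; the displayed number can be forged, so a link from a "known" number is still surfaced for confirmation with that contact.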

Things like what macanix describes only demonstrate how a centralized solution is needed… if it works. If a telcom company were liable for even part of the losses incurred by a customer by these tactics, there might be more incentive for a fix. I do realize that I am oversimplifying the issue here a bit, of course.

I have been stunned that Apple does not permit us to filter media content in Messages conversations just as we can in email (ie. “Load Remote Images” before iOS 15 added more controls to Mail). I have no interest in 3rd party Messages apps. This needs to be a core function at the system level by Apple. Put aside the security issue and you still are dealing with a data usage issue for many people on a limited plan or budget.

Any random person can send a text message with media to my phone and it happily auto-downloads it. The “Filter Unknown Senders” does not address the problem, especially for those of us who must accept unknown calls/texts for family or work reasons. Messages should have an option to NOT download and show links, images, audio or video unless we choose to view it. Then allow individual contacts or conversations to toggle this filter on/off, similar to how you can “Hide Alerts”.

There really is no excuse for this missing function.

(OK, advance warning. A bit of a rant coming up. Feel free to skip the rest…)

I completely agree with Al Varnell on this. When clients/friends/family have asked me about this over the years I give a similar answer. The power is (mostly) in the hands of the telcoms and carriers. It is an effort and cost they do not wish to incur and/or there are perhaps other motivations to keep things as they are.

The big U.S. telcoms would prefer to charge us or simply keep requiring customers to manage things themselves. We used to get more detailed Caller ID information until they decided it was a value-added service for an extra charge. I opted out of paying extra as there are too many ways to spoof numbers, names, etc.

Partly this is an old telephone interchange system that has components dating back decades, then was patched and had layers added onto it. The recent deadline for Stir/Shaken compliance was a bit of a joke to me when I read the full text and noticed some exception rules for smaller carriers and other assorted excuses for non-compliance. I have not looked at it recently so perhaps that was changed.

If the intent behind Stir/Shaken or something similar was genuinely enacted, and calls had to authenticate in some real, verifiable way, we might have a chance to tamp down the volume of these calls. Sadly, I have little hope that it will happen any time soon. Although to be fair, I have no real idea how it would be implemented in a way that was effective and did not erode privacy rights or permit more surveillance.

Way beyond my pay grade. 😵‍💫

"I have been stunned that Apple does not permit us to filter media content in Messages conversations just as we can in email "

SMS and other messaging systems are in many ways far less sophisticated than email. SMS is all or nothing and always will be, because carriers. For Messages which is end to end encrypted, how can they block part of it when they have no idea what it is until it’s all downloaded and decoded? I guess they could hide parts once that’s done, but that probably has its own problems.

I’m an old fogey and remember the time when there was instant messaging but no email. When email finally became available, we all cheered at the major improvement in communication power and convenience. I mostly avoid returning to those times…

True. I would like to think with Apple’s Cloud services they could queue media for a while and let you choose when to download it. This would of course count towards your data storage limit, or they would need to impose a time limit on how long media were held for your Messages before deletion.

Just seems like something Apple has the capability to do.

So many of today’s digital services and software are designed as if everything is always-on and connected to unlimited, high-speed networks. Start interrupting that assumption and I have found things can quickly begin glitching or breaking.

It seems that Apple could try something like Bayesian spam filtering for SMS messages without worrying about iMessage content. Or of course it could be client side and work with iMessage content as well right from iPhones, iPads, and Macs.

I’ve been getting tons of SMS spam in the last few days and none of it was iMessage - it’s all SMS messages only.

I was all set to comment, but then you did it for me.

True, and it appears to me that Apple embraces that assumption fully.

I do not recall ever getting an unsolicited commercial iMessage. (I imagine a large part of the reason is that spammers are less likely to work with iMessage, because then they would be working with both SMS and iMessage.)

They would have to have an iCloudID in order to send iMessages, which would make them easier to track down and even easier to quickly revoke their ID.

1 Like

Agreed. Still, I think the main reason spammers don’t use iMessage is that they would also want to send SMS, and it’s easier to work with one platform, and the ID requirement also means that @ddmiller’s suggestion to filter SMS messages “without worrying about iMessage content” just makes more sense, as does @macguyver’s suggestion that “Messages should have an option to NOT download and show links, images, audio or video unless we choose to view it.”

1 Like

There’s really a lot that Apple could do for Messages. Allow “Mark as unread” as you can with e-mail so you can go back to a message that you want to act on later. Create a “Deleted Messages” folder so you can undo a deletion of either individual messages or entire conversations. Create folders for different conversation threads (work, family, friends, etc.) And, of course, spam filtering. But perhaps this is really another discussion…

There’s an even more critical reason for this than data cap limits: there have been zero-click zero-day attacks (notably used by the NSO Group Pegasus spyware) against Messages that are caused by the app rendering malicious content in the background without even looking at the messages. Apple patches an NSO zero-day flaw affecting all devices – TechCrunch

If Messages had an option to prevent content download until authorized, it would help not only people with data caps but also people vulnerable to targeted attacks like that.

2 Likes