There is currently a new and particularly sophisticated type of cyber fraud establishing itself in Switzerland: the use of so-called SMS blasters. With this technology, criminals can systematically contact smartphones in their immediate vicinity with fraudulent text messages – without knowing any telephone numbers or having to rely on the regular mobile phone network.
Technically, SMS blasters are some kind of mobile transmission antenna. This device broadcasts strong signals inducing smartphones within a range of several hundred meters to automatically connect. At that moment, devices are briefly switched back to the obsolete 2G network. And this is exactly where the vulnerability lies: Exploiting a well-known security loophole, attackers can transmit text messages directly to all devices connected this way, without them being checked by mobile operator filters.
And the text messages transmitted seem deceptively realistic, pretending to originate from the authorities, from banks or courier services, and they usually contain a link to a fake website. Their aim is to induce recipients to enter sensitive information – such as credit card data or e-banking access credentials. The fact their content can be adapted to the relevant situation makes them particularly insidious. In places where many cars are usually parked for instance, you might receive an apparent parking fine.
It is particularly critical that such attacks are not run via any classic channels of communication. While conventional phishing SMS are increasingly recognised by filtering systems as such, SMS blasters completely circumvent these protective mechanisms. At the same time, this technology allows for a very flexible approach: Attackers can move around freely, stage their attacks at local level and repeat them as often as they like. As many smartphones keep on supporting 2G, even modern devices might potentially be affected.
The important thing here is to differentiate this from web-based communication services: This kind of attack exclusively concerns text messages, as they are directly tapping into the mobile infrastructure. Services like WhatsApp, Signal or Telegram are not affected.
Protective measures
To protect yourself against this kind of scam, you should keep the following points in mind:
- Don’t click on any links contained in unexpected or suspicious text messages.
- Always enter website addresses from banks, authorities or service providers manually or use their official apps.
- Never enter any sensitive information such as credit card data or log-in credentials via SMS links.
- If possible, deactivate your smartphone’s 2G function.
- Android: On many devices, you can deactivate the use of 2G in their settings, usually under “mobile networks”.
- iPhone: There is no provision to directly deactivate 2G. Alternatively, you can activate their so-called lockdown mode under “Privacy & Security”. This will disable all connections to 2G networks, but may also limit your device functionality.
- You should consistently delete and report any suspicious text messages (for instance via www.antiphishing.ch).
- In case of doubt, check directly with the purported sender organisation, using their official telephone number.
