Hack helped anti-Semitic spammer target four million mobile users

In April, someone tried to send anti-Semitic spam SMS messages to four million mobile customers in the United Arab Emirates (UAE) by using data that had been compromised in a 2013 breach.

The story begins with SMSGlobal, an Australia-based messaging services provider that works with companies such as Dell, Microsoft, IBM, and Samsung.

Two years ago, SMSGlobal reported a hack after an unknown intruder managed to infiltrate one of its servers and steal an unknown quantity of data.

Nothing happened at first. But two years later, an unknown hacker conducted what was described by the firm as "a brute force attack" against SMSGlobal.

As reported by The Guardian, this assault specifically targeted weaknesses and instances of oversight in the company's servers, including customer passwords stored in plaintext and code that was no longer supported, in an attempt to reconfigure the entire SMSGlobal system.

The attacker's plan was to send out anti-Semitic spam SMS messages to four million mobile customers in the UAE. As quoted by Haaretz, the hate message read as follows:

"Our motto forever Death to America, Death to the Jews."

Fortunately, SMSGlobal blocked the bulk of the spam, although approximately 5,000 hateful SMS messages did make it to their intended targets.

The hacker did not stop there, either. According to Softpedia, he tried again in September of this year to send out a different message that referenced the 2,000 Hajj pilgrims who died in a stampede near Mecca, Saudi Arabia.

The spammed-out message read:

"Mismanagement by Saudi officials was the reason for the death of the hajjaj in Mina."

These two separate but related attacks suggest that the hacker likely stole only the account credentials of certain SMSGlobal customers during the 2013 breach, and then abused those logins via the API to conduct the attacks some two years later.

This observation is small comfort for the messaging services company, however. In the wake of the two breaches this year, the Dubai telecommunications firm DU decided to suspend SMSGlobal's use of its carrier service to send messages, a decision that has cost SMSGlobal money.

In response, SMSGlobal has threatened a lawsuit against DU. It has also introduced a number of new measures, including increased content filtering, that it says will help to remedy breaches in the future.

In a letter seen by The Guardian, SMSGlobal said that risks remain, but that it believed extra security that had been introduced would reduce the threat:

"There is a risk of brute force attacks continuing and more so that other legacy account credentials may have been compromised. That said, SMSGlobal believes that by adding a number of additional security measures we can stop this from happening and/or any SMS from being sent through these attacks."

This incident just goes to show the damage a hacking attack can wreak against a company's reputation.

If a firm is hacked, the popular impression is that the company is at fault for not adequately protecting its networks.

In many situations, this is not the case. Absolute security does not exist.

What does matter, however, is how a company responds to a hack when it happens.

Timely and direct communication with customers goes a long way following an incident. We can only hope that SMSGlobal abided by this logic when responding to the breaches this year.

One Response

  1. coyote

    December 7, 2015 at 7:19 pm

    'If a firm is hacked, the popular impression is that the company is at fault for not adequately protecting its networks.'
    Well it often is the case. Everyone can always do more. Then you have Sony (for example) who claims the attacks are unprecedented. But that's only a way to shift blame. I mean, didn't LulzSec use SQL injection on Sony? That's an unacceptable disregard for security (I don't remember if they said it was unprecedented that time but the last time they were they claimed it) and it shows just how insincere they are.

    'In many situations, this is not the case. Absolute security does not exist.'

    No, it doesn't exist. But still, most of the time successful attacks shouldn't be successful.

    Admitting faults and doing nothing (or little) to fix the faults is just as bad if not worse than not admitting fault. It is even worse when they then play innocent victim. They might not deserve the attack but they aren't necessarily innocent; blatantly disregarding security is guilty of recklessly endangering customers (or employers). Is that better than the attacker? I don't think so.
