iMessage Spam Shows How Smartphones Are Dumber Than We Think
Spammers whose messages previously just filled up your Gmail spam folder have found a way to infiltrate a new frontier: text messages, particularly those sent through Apple’s iMessage network. Wired’s Robert McMillan spoke with Tom Landesman of security and anti-spam company Cloudmark. Landesman said that a year ago, he’d never seen an iMessage spam. But now, iMessage spam accounts for 30 percent of all mobile spam messages, thanks to aggressive campaigns by scammers pushing deals on luxury goods — designer handbags late last year, and knock-off Ray-Ban and Oakley sunglasses more recently.
A recent blog post by Cloudmark reported that 34 percent of all reported SMS spam in the U.S. in the previous two months was from a single campaign advertising discounted goods allegedly by — but more than likely knockoffs of — brands including Louis Vuitton, Hermes, Gucci, Prada, Celine, Oakley, Ray-Ban, Michael Kors, and Tiffany & Co Jewelry. “What is clear is that the authenticity of these shanty-like online stores for designer bags is very questionable,” the post notes. “Names, URLs, and domain registration info all raise red flags. It’s unlikely that a URL like ‘sunglassesstore-us.com’ is a reputable domain. Also, the product images are of noticeably low quality and appear to have been ripped from third-party sites such as eBay.”
Landesman explained to Wired that because the iMessage system spans the iPhone, iPad, and Apple’s laptops and desktops, spammers can easily write a Mac script that will quickly send messages to all of those devices. “It’s almost like a spammer’s dream. With four lines of code, using Apple scripts, you can tell your Mac machine to send message to whoever they want.” They’ll use either your phone number or even an email address that you’ve associated with your iMessage account. To check which email addresses and phone numbers are associated with your iMessage account, on your iPhone you can go to Settings, then Messages, then Send & Receive.
Since the desktop client tells you whether a number you’ve entered is registered with iMessage, spammers can generate a list of verified users, and also see whether the message that they’ve sent has been read or not. They can also register an iMessage account with only an email address, and use a large number of accounts to send, as Landesman puts it, “a huge volume of messages.”
Since all of these spam messages are traveling over Apple’s network, the responsibility to eradicate — or at least control — them rests with Apple, not with a user’s wireless carrier. Apple has limited the rate at which users can send iMessages, and has also put into place a method for reporting iMessage spammers. Users can email Apple with a screenshot of the message, the full email address or phone number that sent the message, and the date and time that they received the message.
With that information, Apple will supposedly get spammers off the iMessage network, but Wired notes that it reported a spam address on a Wednesday, and it was still active on the iMessage network the following Monday. Three email addresses used in spam campaigns were also still active. (McMillan notes that the spammers didn’t respond to iMessage requests for interviews.) Beyond reporting spam, users can turn off alerts from iMessage users who aren’t in their contacts by going to Settings, Notification Center, Messages, and then selecting Show Alerts from My Contacts. You can also turn off iMessage altogether by going to Settings, Messages, then toggling iMessage off, though hopefully there are few cases extreme enough to warrant that.
The problem is that since iMessages are free to send, they’re an attractive advertising avenue for the likes of the virtual pill-peddling pharmacists, Nigerian princes, and other unsavory characters who’ve been contacting you since the rise of email and the Internet. Kaspersky Lab’s SecureList reported that in the second-quarter of the year, spam messages accounted for 68.6 percent of all email traffic. But with email, companies have developed intelligent features like spam detection, or the filters created with Google’s Priority Inbox, using contextual information to make sure you’re easily able to access the messages that are actually important to you. But our smartphones aren’t smart enough to do that — at least not yet.
It’s a problem that Farhad Manjoo discussed in a recent piece for The New York Times aptly titled, “Smartphones Overstate Their Social Intelligence.” Manjoo explains the problem simply, giving the example of push notifications. To cut down on the large number of push notifications that demand your attention, why can’t your smartphone prioritize notifications from your spouse or your boss over notifications from high school friends Manjoo wants to know. Despite having access to a range of useful information on you, your contacts, and your life, your smartphone’s operating system ignores it.
“Once you begin thinking about your phone’s stupidity, it’s hard to stop,” Manjoo notes. Instead of arranging your contacts by the frequency with which you interact with them, or by which ones you’re likely to interact with on a given day, your phone simply alphabetizes them. Instead of using your calendar information to suggest when you should tackle each item on your to-do list, your phone just ignores that information and keeps to-dos in a simple list.
Contextual apps — the Humin contact manager, for example — look to replace the unintelligent utilities on your phone with smarter, more aware solutions. But that just begs the question: if third-party app developers can do it, why can’t Apple, Google, or Microsoft? Humin, as an example, pulls in the data that’s already on your phone and on your social networks in order to determine how you know each of your contacts, where you met each of them, where they live, and can even detect information they’re visiting your city. If that kind of functionality were built into the actual operating system of your phone, it could gather and make sense of all of the data on your phone. That could be applied to the push notifications that the phone sends you, and notifications could be intelligently prioritized and presented.
Especially considering Google’s proclivity to sort information, and Google Now’s significance as the beginning of a contextually aware system, it seems that operating system manufacturers may slowly build more intelligence into their smartphones. In an interview with Manjoo, Google’s director of engineering for Android, David Singleton, said that Google is working on ways to give app developers access to contextual information. But Singleton notes that sorting notifications could be more difficult than filtering out email spam, and users would need to be able to depend on algorithms to get the notification filtering right.
While spam iMessages aren’t the only problem that more intelligent smartphones could solve, they’re a sign that the technology has to change. Email didn’t get smarter until the volume of messages — both spam and legitimate — got unmanageable. As push notifications and text message spam multiply and start to go the same way, smartphone makers will need to respond by making mobile operating systems more intelligent. Dumb smartphones have already demonstrated that they’re ill-equipped to make connections between pieces of data and figure out what information is useful — and what is just spam.