Because blasters operate outside of traditional mobile networks, the messages they send are not subject to the security measures that have been put in place by mobile providers. “None of our security controls apply to the messages that phones receive from them,” says Anton Reynaldo Bonifacio, the chief information security officer and chief AI officer at Philippines communications firm Globe Telecom. “Once phones are connected to these fake cell sites, they can spoof any sender ID or number to send the scam message.”
Back in 2022, Globe Telecom made the decision to stop delivering SMS messages that contain URLs, and Bonifacio says he believes scammers use the blasters to “bypass” these measures. “The technology used to be more niche, but I think sales and assembly of these IMSI catcher devices have become more prevalent for criminal organizations,” he says. Researchers have found SMS blasters being sold openly online for thousands of dollars.
Samantha Kight, the head of industry security at the mobile operator industry group the GSMA, says the Asia-Pacific region has been most impacted by SMS blasters so far, but there are cases appearing in Western Europe and South America. “It might be a problem in one or two regions, but then we tend to see these things pop up in different regions,” Kight says. Reporting from Commsrisk and Risky Business, have highlighted reports of SMS blasters being used in Thailand, Vietnam, Japan, New Zealand, Qatar, Indonesia, Oman, Brazil, Hong Kong, and more in recent months. Law enforcement officials in London say they have so far seized seven SMS blasters, and in June, a student from China was sentenced to jail for more than a year after being caught using one of the devices.
Kight says that tackling SMS blasters involves telecom operators and government regulators being aware of the devices, law enforcement agencies taking actions, as well as people recognizing and reporting scam messages to the relevant authorities. “As the mobile industry, we want to be able to find these, we want people to trust what’s on their device, and we want to be able to protect them,” Kight says.
Yomna Nasser, a software engineer at Android, says people can stop their phones connecting to 2G networks in their settings. “Once enabled, your device will no longer scan for or connect to 2G cell towers,” Nasser says, adding the only exception is if an emergency call is being made and 3G, 4G and 5G are not available. Android’s Advanced Protection mode will also disable 2G automatically on some newer phones. Apple did not answer WIRED’s request for comment by the time of publication, although its Lockdown Mode will disable 2G connections.
Ultimately, you may not know if an SMS blaster is used to send you a scam. Ben Hurley, a detective sergeant with the City of London’s Dedicated Card and Payment Crime Unit, which is investigating cases locally, says that while the delivery is different, the actual scams themselves haven’t changed. Phishing messages are often designed to get you to click on a malicious link and hand over your personal information. “It’s a new way of doing the same thing,” Hurley says. “It’s changed how we have to investigate it, but actually it’s not changed the end result,” he says, adding that people should always be cautious of clicking links in unknown messages and take a moment before acting if the message feels suspicious.
As with all cybercrime, though, there is a chance that those operating the schemes and blasters could evolve their tactics. “The actual SMS blaster devices they use are relatively unsophisticated so far,” Mc Daid says, adding that the type of technology originally came from the world of governments, law enforcement, and militaries. If criminals are able to gain access to more sophisticated technology and expertise, he says, “this could be the beginning of a cat and mouse game.”
