
While SMS phishing is nothing new, the recent global spread of SMS blasters has caught the attention of M3AAWG members as it brazenly exploits protocol weaknesses across 2G, 4G, and 5G mobile networks.

As shared in our latest M3AAWG members-only Engagement Series webinar, presented by Roger Piqueras Jover, a renowned leader in enterprise and infrastructure security, criminals have increasingly turned to the use of an SMS blaster while abusing the "silent downgrade to 2G" tactic. By leveraging SMS blasters, attackers achieve:

  • A drastically higher return on investment.
  • A 100% delivery rate to the targeted end-user.
  • Messages that cannot be blocked by the network or seen by the carrier.
  • Customized payloads that allow criminals to tailor phishing messages with highly specific, authentic-sounding content.

If you are a M3AAWG Member, you can watch the entire presentation here.

SMS Blaster 101

An SMS blaster is a type of international mobile subscriber identity (IMSI) catcher, which is a false base station technology that was originally developed for law enforcement. Roger mentions that many folks may be familiar with a Stingray, which is a specific type of IMSI catcher. He describes the SMS blaster as a low-cost alternative to a Stingray ($5k–$10k USD), specifically tailored for sending SMS and being portable.

The device impersonates a cell tower and features a simple user interface, allowing fraudsters to send phishing messages via a Bluetooth-enabled smartphone app or the blaster itself. Despite a recent uptick in nations looking to ban its import, SMS blasters can still be purchased legally throughout the world.

A criminal will typically enter a crowded area with the SMS blaster hidden in a backpack or car trunk. Attackers may even hire “runners” to unknowingly carry or transport attack devices that cause harm to their communities. Targeted users in busy locations, such as shopping centers, will have their phones attempt to connect to the fake base station, which has a 5G/LTE and 2G radio.

The Silent Downgrade to 2G

The attack occurs when a phone attempts to connect to 5G/LTE and is silently downgraded to 2G, at which point the lack of mutual authentication in 2G can be abused to disable encryption between the phone and the SMS blaster’s false base station. This is called “no encryption” or “null cipher” connectivity. Regardless of encryption, the messages sent by an SMS blaster are never routed through the carrier’s network and, instead, are sent from the blaster straight into the victim’s device.

“In the targeted area, the SMS blaster often provides a stronger signal than a legitimate base station. It’s very easy to downgrade connectivity to 2G, and there are scenarios—like on New Year’s Eve—when a carrier doesn’t want all its traffic going to 4G or 5G networks because of excessive demand, so devices may be legitimately rerouted to 2G,” Roger said, underscoring the complexity of the issue.

How SMS Blasters Perpetrate Fraud

Throughout the webinar, Roger provides a technical overview of the message flow between the device and the network to explain why SMS blasters can perpetrate fraud so swiftly.

When a cell phone attempts to connect to the network, a complex chain of processes takes place to ensure mutual trust and authentication before any data can be sent. According to Roger, these initial messages between the phone and base station have no protection and can be intercepted and tampered with; he also notes that a subset of these messages has no cryptographic protection of any kind.

“Whenever a phone connects to a tower, whether it’s 2G through 5G, and regardless of the carrier, your phone is essentially behaving as if it were accepting a self‑signed certificate without being able to verify it,” he said.

Roger said the use of SMS blasters was never reported outside of mainland China until 2022, and has exploded worldwide ever since. While the use of an SMS blaster for fraud has never been reported in the United States, he said the U.S. is still susceptible to this attack despite major carriers having sunset 2G.

Mitigating the SMS Blaster Impact

If a device continues to support a 2G connection, sunsetting 2G service will not end these crimes, because the device will attempt to connect with the SMS blaster’s fake base station regardless. However, Roger encourages end users to do the following:

  • Use standard precautions with suspicious messages.
  • Leverage fraud protection features on all major mobile operating systems.
  • Disable 2G on your phone (and be aware of the connectivity impact of this when roaming in a legitimate 2G region).

He also highlights key industry recommendations for addressing SMS blaster threats and encourages organizations to stay informed on evolving mitigation approaches. Roger adds that adopting RCS and other IP-based messaging platforms could eventually reduce reliance on SMS. In the meantime, he suggests keeping the following rules of thumb in mind:

  • If you see an SMS with a URL delivered over 2G, it is almost always fraud.
  • If you see an SMS with a URL delivered over 2G with null cipher connectivity, it is always fraud.
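The two rules of thumb above can be written as detection logic over device-side telemetry. The following is an added example, not material from the webinar or from M3AAWG: the log format, field names and 60-second downgrade window are assumptions, and A5/0 is the GSM "no encryption" mode. The recent-downgrade flag is context only, since legitimate rerouting to 2G also happens.

```python
import re
from dataclasses import dataclass

# Constructed sample telemetry in a hypothetical key=value format.
SAMPLE_LOG = """\
t=100 event=rat rat=NR
t=160 event=sms rat=NR cipher=NEA2 body="Your code is 482913"
t=300 event=rat rat=GSM
t=305 event=sms rat=GSM cipher=A5/0 body="Parcel held, pay fee: http://example.test/p"
t=900 event=rat rat=LTE
t=1500 event=rat rat=GSM
t=2400 event=sms rat=GSM cipher=A5/3 body="Verify account at www.example.test/login"
t=2500 event=sms rat=GSM cipher=A5/3 body="Running late, see you at 6"
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
URL = re.compile(r'(?:https?://|www\.)\S+', re.IGNORECASE)
TWO_G = {"GSM", "GPRS", "EDGE"}
NULL_CIPHERS = {"A5/0"}   # GSM null cipher
DOWNGRADE_WINDOW = 60     # seconds; assumed threshold for "recent"

@dataclass
class Finding:
    t: int
    verdict: str            # "ok", "likely-fraud" or "fraud"
    recent_downgrade: bool  # SMS arrived shortly after a 4G/5G -> 2G switch

def classify(log: str) -> list[Finding]:
    findings, prev_rat, downgrade_at = [], None, None
    for line in log.splitlines():
        f = {k: v.strip('"') for k, v in FIELD.findall(line)}
        if not f:
            continue
        t, rat = int(f["t"]), f["rat"]
        if f["event"] == "rat":
            # Record the moment the device leaves 4G/5G for 2G.
            if rat in TWO_G and prev_rat is not None and prev_rat not in TWO_G:
                downgrade_at = t
            prev_rat = rat
            continue
        has_url = bool(URL.search(f.get("body", "")))
        on_2g = rat in TWO_G
        verdict = "ok"
        if on_2g and has_url:  # rule 1; rule 2 when the link is also unencrypted
            verdict = "fraud" if f.get("cipher") in NULL_CIPHERS else "likely-fraud"
        recent = on_2g and downgrade_at is not None and t - downgrade_at <= DOWNGRADE_WINDOW
        findings.append(Finding(t, verdict, recent))
    return findings
```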

Keep the Conversation Going

If you are a M3AAWG member, you can watch the recorded webcast here.

We also encourage M3AAWG members to join us for future M3AAWG Engagement Series webinar events. If you have questions or suggestions for future content, please reach out to us at engagement@M3AAWG.org.   

Not a M3AAWG Member? Learn about applying for a membership here. You can stay in the loop by following our blog and social media channels (Facebook and LinkedIn).