IMDA Is Vulnerable to SMS Phishing & The Protection Registry Does Not Work

This is a follow-up to the previous article. Many other organisations, including IMDA, are vulnerable to potential SMS phishing attacks. Even worse, the protection registry does not appear to work.
Demo of SMS phishing scam: multiple lesser-known potential names outside of the blacklist
IMDA announced that there was a protection scheme against SMS phishing. More information is detailed here.
Basically, it requires organisations to register the names of SMS senders that they want to restrict. When there is unauthorised use of this protected SMS sender ID, the messages will be blocked.
This is a good step. But it’s still not the best solution. And obviously, it did not work during the OCBC scam attack.
Three reasons why this is insufficient:
  1. Companies might not have registered certain names which are vulnerable for phishing.
  2. Scammers are still able to creatively come up with other fake names to scam victims.
  3. And most importantly... It doesn't even appear to be working! [19th Jan 2022]
There’s also a solution which would better protect Singaporeans from such potential scams.

1. Companies might not have registered certain names which are vulnerable for phishing.

The first problem is that this is a voluntary process. Companies need to register to restrict specific sender names.
What if they did not register? Scammers can still spoof their identity in the SMS.
This is a blacklist approach. We are counting on companies to register names for blocking. But not all companies would do so, and once the scam has happened, it would be too late. That is what happened in the OCBC attack.
I tested and found out that GRAB, for example, is still vulnerable. NETFLIX and GOOGLE can also be spoofed. The findings are available on Mothership here.
As I was testing these, I asked myself, what about IMDA itself? Can a hacker pretend to be from IMDA?
Turns out a hacker can. I managed to send a spoofed text as IMDA.
Imagine if you received a POFMA from this sender. Would you believe it? Victims might. Nobody expects hackers to have the ability to do this.
POFMA SMS Phishing scam
If IMDA itself can be spoofed, this solution is definitely far from foolproof.
Adding to the point that companies might not register: at the time of IMDA's response in the forum letter, only 6 organisations had signed up for the registry. So any organisation not among those 6 could have been spoofed. Source

2. Scammers are still able to creatively come up with other fake names to scam victims.

Scammers are always on the lookout for new ways to scam us.
They could always come up with new names that seem authentic to attempt a phishing attack.
Think of all the legitimate-sounding names they could come up with: GRABPAY, SGPAYNOW, POLIS, MMTF, MINSHAN, JOTEO, SMARTNATION, CYBERSEC, SKILSFUTURE, the list goes on.
I tried some of the names and most, if not all, worked.
This registry program means we are always on the back foot, only adding sender name restrictions after a potential scam has happened.
Obviously these are not as convincing as the OCBC scam. But scammers might still be able to dupe unsuspecting Singaporeans with them:
Example SMS Phishing Scam With Minshan
Example SMS Phishing Scam With JoTeo
Example SMS Phishing Scam With MMTF
Example SMS Phishing Scam With Lazada

3. Worst of all, the protection registry does not work at the moment [19th Jan 2022]

On 19th Jan, u/kimmyganny posted a screenshot on Reddit showing that DBS had also been spoofed in a new SMS attack.
According to news reports, DBS was already registered on the list. How on earth could scammers still do it?
Well, the reason is, quite plainly put, that this registry did not work. I went about testing and sure enough, company names listed in the registry could still be spoofed.
Does The IMDA Protection Registry Work
I have notified the relevant parties on this here.

So what can be done?

We are suggesting a different approach, where all sender names are restricted by default.
That is, no one can modify the sender name in an SMS message. Only when a company registers a specific name can IMDA (or the relevant authorities) allow it to send SMS under that name.
For example, Grab has to apply to have its SMS sent with the name “GRAB”. Upon verification by the authorities, the company gains the ability to do so, and no one else is allowed to send SMS with that name.
This will definitely require significant engineering work on top of the current SMS network. A layer needs to be built to authorise sender names, and it is a herculean effort.
Indeed, 51 other countries require such a registration process. Many countries go a step further and restrict custom sender names altogether.
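To make the difference between the two approaches concrete, here is an added illustration (not from the original post, and not any IMDA or telco system) that runs constructed messages through a register-to-block filter and a default-deny filter. The registry contents, party names and message texts are all made up for the example.

```python
"""Compare register-to-block (current registry) with default-deny (proposal)."""

# Constructed registry for illustration, not the real IMDA list:
# sender ID -> the party verified as its owner.
REGISTRY = {"OCBC": "bank-aggregator", "DBS": "bank-aggregator"}

# Constructed messages as an SMS gateway would see them:
# (sender ID field, submitting party, message text)
TRAFFIC = [
    ("OCBC", "bank-aggregator", "Your OTP is 123456"),       # registered owner
    ("OCBC", "bulk-reseller", "Account locked, click here"),  # spoof of registered name
    ("GRAB", "bulk-reseller", "Ride refund pending"),         # spoof of unregistered name
    ("GrabPay", "bulk-reseller", "Wallet suspended"),         # lookalike name
    ("+6512345678", "bulk-reseller", "Dinner tonight?"),      # plain numeric originator
]


def is_custom_name(sender_id: str) -> bool:
    """A custom (alphanumeric) sender name, as opposed to a phone number."""
    return not sender_id.lstrip("+").isdigit()


def blocklist_policy(sender_id: str, submitter: str) -> str:
    """Register-to-block: a name is only checked if someone registered it,
    so unregistered names and lookalikes pass straight through."""
    owner = REGISTRY.get(sender_id.upper())
    if owner is None or owner == submitter:
        return "delivered"
    return "blocked"


def allowlist_policy(sender_id: str, submitter: str) -> str:
    """Default-deny: every custom name must map to a verified owner and be
    submitted by that owner; numeric originators are left untouched."""
    if not is_custom_name(sender_id):
        return "delivered"
    owner = REGISTRY.get(sender_id.upper())
    return "delivered" if owner == submitter else "blocked"


def compare(traffic=TRAFFIC):
    """Return (sender ID, register-to-block decision, default-deny decision)."""
    return [
        (sid, blocklist_policy(sid, who), allowlist_policy(sid, who))
        for sid, who, _ in traffic
    ]


if __name__ == "__main__":
    for sid, old, new in compare():
        print(f"{sid:<13} register-to-block: {old:<10} default-deny: {new}")
```

Only the first policy lets the unregistered GRAB and the lookalike GrabPay through; the second blocks both while still passing ordinary person-to-person messages from numeric senders.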

We are still vulnerable to SMS Phishing attacks

As long as hackers have this loophole to exploit, we remain very vulnerable to SMS phishing attacks.
The next attack might not target OCBC. But customers of other platforms, businesses and organisations can still be phished.
One Singaporean scammed is one too many. We must work together to stop these scams from happening.
There is a petition on change.org here to bring more awareness of this issue to the government. Kindly sign it if you agree, and help spread awareness of this issue.
Subscribe to my Telegram channel (anonymously) to get updates when I post.