Fraudsters Cash In on China's Fake Basestations
China has fake brands, fake medicines, fake food and even an entire fake Apple store.
It also has fake mobile networks. In fact, they are such a thing in China that the problem now is not the spoofed basestations but that they enable fraud.
In a study of mobile spam in March, Chinese security company 360.com says it identified 200 million yuan (US$30.6 million) in fraud, but believes that is just the tip of the iceberg.
The fake basestation scam is a simple one. You buy a GSM basestation for around RMB50,000 ($7,670) and put it in the back of a van. You can spam as you drive around downtown areas, earning a few thousand yuan a day.
The 360.com survey found that of the 110 million spam messages it intercepted around China, 89% were received by China Mobile Ltd. (NYSE: CHL) customers, most likely because it is China's biggest GSM operator.
Phishing scams were the biggest single segment, accounting for just under 23% of all messages sent, followed by the distinctively Chinese scam of selling fake receipts (21.6%) and financial services -– most likely loans -- (19.6%).
The problems of mobile spam and fake basestations aren't new. Operators and government officials occasionally complain but rarely seem troubled enough to do anything to stop them.
In 2013, a journalist joined one of the scammers as he drove around Beijing sending spam. The journalist even found a store that sold GSM small cells. Yet it seems that while a single reporter can run these to ground without much difficulty, it is beyond the combined resources of the state and the mobile industry.
But the 360.com study reveals this has gone beyond being an irritation. Phishing messages account for nearly a quarter of all spam, putting the fake basestations right in the frame for what is a very hot issue of mobile phone fraud.
For the last year or so fraudsters have worked a staggeringly successful scam on Chinese mobile users. Pretending to be police or government officials, they tell victims they have broken a law and direct them to a tricked-out official-looking website where they have posted fake indictments containing their ID and other personal data.
It's hard to know how much they have gained from these blags, but media reports say they have netted hundreds of millions or even billions of yuan.
The fake basestations are at the center of this. The 360.com report describes a mobile fraud industry with 1.6 million people working in different segments. It identified 15 different skillsets, including web developers, phishing and Trojan developers and database hackers.
360.com says since it set up a real-time location tracking system for fake basestations in partnership with police two years ago the volume of spam texts has reduced, although it does not give any numbers.
The problem is largely enabled by China's weak regulatory enforcement and its culture of counterfeiting, but there could be also be technical reasons. Network security firm AdaptiveMobile Ltd. says it might also be driven by the real-name registration rules that encourage spammers to send via fake basestations, and not via SIM cards.
Adaptive said in a statement that this is a problem that could occur when the radio and core networks relax their policies to connect. One solution could be to try to retain customers on 3G or 4G networks, where both the cell tower and mobile device authenticate themselves to each other.
"In 2G, the handsets authenticate themselves to the network, not the other way around. Some hackers try to circumvent this by forcing phones to 'downgrade' to connect via 2G from higher networks (3G, 4G)," the company said.
— Robert Clark, contributing editor, special to Light Reading