February 24, 2011
Security Alert: Shoot the Bulk Messenger
Executive Summary
With texting the national pastime, text messages are cheap and unlimited plans abound. But what can you do with all of the unused text messages left over from your plan? We’ve uncovered a rascally bulk SMS network, Bazuc, that lures in Android users by promising a ‘free money’ payout if a user allows the network to access their unused SMS messages. The app Bazuc was available in the Google Play Store and downloaded between 10,000 to 50,000 times, but this is likely the tip of the iceberg. The author claims to register 100 downloads of the app per hour, indicating that there may be plenty more third-party store downloads.
Free money is never free though, is it? Once you’ve downloaded the app, Bazuc can be used to send virtually untraceable SMS messages in bulk, which look like they came from your phone. In fact, they did come from your phone. The authors of Bazuc are charging companies to have users send out these cheap SMS messages on their behalf, helping the companies bypass spam detection and automated anti-fraud systems. This operation is putting personally identifiable information at risk, exposing targeted users to phone calls and SMSs from unknown people, and swindling operators out of money.
With so much at risk, Lookout investigated the SMS network and found a coterie of players wittingly and unwittingly involved in the ploy. These include bulk messaging providers, phishers, foreign spammers, American and African banks and smartphone owners. Read more as we dissect Bazuc, its authors, operations, the monetization strategy and the end game. We are rolling out protection to Lookout users as we speak.
What is Bazuc?
Bazuc is a pair of applications: “Bazuc Earn Money” and “Bazuc Free International SMS.” On the face of it, the “Bazuc Earn Money” app offers people an interesting proposition: the chance to sell the surplus of SMS messages that remain in their monthly quota after they have used their normal monthly amount. The “Bazuc Free International SMS” app uses the SMS allowance purchased by “Bazuc Earn Money” to enable users to send free SMS messages internationally.At least that’s what the Bazuc Earn Money website suggests.
“Bazuc earn money” offers users $0.001 per message, and while the math won’t make you rich, many people will see this as “free money.” Bazuc’s FAQ section suggests that you could earn $30. (But that means a person would need to send 30,000 messages from their phone a month.)
“We will pay you $0.001 per SMS that is sent through your phone, so you can earn up to $30 monthly for doing absolutely nothing but installing "Bazuc Earn Money on your Android phone.”Free messages in bundle: 5,000
Normal monthly SMS usage: 2,000
“Surplus” messages to sell: 3,000
Likely potential monthly earnings 3,000 x $0.001 = $3.00
Bazuc also promises on its About page that they “monitor all traffic and guarantee not to allow spam." They highlight certain caveats, making it very clear that the app is only for people with remaining or unlimited free SMS messages. Finally, they point out that since the app uses your phone number when sending messages, you may receive random messages and phone calls in response from people who think it is in fact your number messaging them.
“Bazuc Free International SMS” is quite different from from “Bazuc Earn Money.” When a person attempts to send message to an international number, the app opens the default email, pre-populates the “to” field with the recipient’s phone number appended with @buzac.com. The user is then invited to type the contents of their message in the email body. This can be seen in the screenshots below:
However, if Bazuc.com was once an email-to-SMS gateway, it doesn’t appear to any longer. Throughout our testing we were unable to get a single message through to U.S. or international test phones. Digging into the app reveals code that would allow it to talk to a Bulk messaging gateway, however this code does not appear to be currently in use, and calling it by hand gets you nowhere.
“Bazuc Free International SMS” remained non-functional for the duration of our testing, suggesting that it may be part of a cover for the dodgy SMS network. By establishing a friendly cover like this, it makes users more comfortable with allowing their devices to be used.Bazuc in ActionIt’s difficult to get a handle on the exact number of devices that have Bazuc installed. Before it was pulled from Google Play there were between 10,000-50,000 installations. On the operator’s Facebook page, he claimed 100 installs per hour. Additionally, the app is available for download on the Bazuc website. If you visit the site from a PC, a Bazuc apk will automatically download to your machine (this is also known as a drive-by-download).Despite the operator’s claim that this app is used to provide free messaging to users, out of 200 messages we analyzed, only three times did we see any “ordinary” human to human messages. Instead the vast majority of messages appeared to be “machine to human” in nature, breaking down as follows:
- Service or transaction alerts: 40%
- Registration messages & invites: 18%
- PIN code and password messages: 30%
- Suspected phishing messages: 2.5%
- Advertising SPAM: 8.0%
- Actual Humans: 1.5%
Although all the messages sent through our test devices were aimed at U.S. subscribers, few if any of the messages appeared to be U.S. in origin. Some of the identifiable countries of origin that we saw were Nigeria, Russia, Poland and Mexico. Later in the post, we’ll dive deeper into the types of messages sent and why and from whom they were sent.
Who is behind Bazuc?
On its face, Bazuc and its business offers an appealing revenue model for its users. But we decided to dig deeper into the service and its operators after finding that its sister application, Bazuc Free International SMS has no impact on the thousands of SMS messages being relayed through our test phones.
According to the terms and conditions, Bazuc is owned and operated by “Intichat Com LLC,” a U.S. company registered in the state of Florida.
However all official comments on the website are made by a person called “Russell Loomis” who self-identifies that he belongs to a company called “Cure My Debt.Net LLC”.
Running searches checking this information against various databases including government company registries shows that Loomis also owns “Intichat.com LLC”, “Cure My Debt LLC” and several other companies, all registered in Florida:
- LOOMIS, RUSSELL AMERICAN DEBT CO. LLC: L02000007497
- LOOMIS, RUSSELL CUREMYDEBT.NET LLC: L05000076870
- LOOMIS, RUSSELL AMERICAN DEBT LEADS LLC: L07000055722
- LOOMIS, RUSSELL AMERICAN WEB LEADS LLC: L08000070172
- LOOMIS, RUSSELL INTICHAT.COM LLC: L12000055294
- LOOMIS, RUSSELL VOOM MARKETING: LLC L13000103527
- LOOMIS, RUSSELL G BAZUC LLC: L13000098717
- LOOMIS, RUSSELL G SUN COM LLC: L13000098721
Most of these companies seem to be focused on the area of debt consolidation, and after a check against the Better Business Bureau, we found complaints filed against one of his businesses. We identified a total of 8 complaints in the last 36 months, including a complaint to the ripoff report alleging the embezzlement of debt consolidation funds, which coincides with a relocation of the operator from Florida to Peru.Loomis' last venture, IntiChat LLC (the company that owns Bazuc), had to shut down. It appears to be a precursor service to Bazuc where people were paid to use the IntiChat social network. InitiChat closed after allegations of distributing malware and generating fake advertising leads caused its main advertiser, cj.com, to close IntiChat’s affiliate account.
Using this wealth of information as a starting point, it’s now possible to dig a little deeper, and by taking information such as aliases, known email addresses and places of residence we are able to identify all relevant social networking accounts and ultimately build a timeline for the operation behind Bazuc.
Dissecting a bulk messaging operation
Around 10 months ago, an individual claiming to be named Russell Loomis on a Facebook page, announced that he was creating a new kind of messaging app: Bazuc. A few weeks later Bazuc launched, and around the same time he began to advertise discounted bulk messaging rates.
With the typical price for bulk messages coming in at around $0.03 or $0.04 per message, the price of $0.005 per message is astoundingly cheap. Loomis advertises that his bulk messaging method will allow subscribers to avoid the strict legislation targeting email messages by using a gateway that ends with “a real U.S. phone number.” This suggests that he’s relaying these bulk messages through phones.
Around the same time period, Loomis dusted off one of his other venture websites “Halfcentsms.com,” which provides bulk messaging service to companies that want to send large volumes of SMS messages with no strings attached: “100,000 messages minimum, no contract, no monthly fees and your monthly credits never expire”.
Like his bulk messaging adverts, Halfcent SMS also promises that all bulk messages sent using this service will be sent with “a real mobile phone number,” unlike the majority of most legitimate bulk messages which are generated by a shared messaging gateway connected to an operator’s network (and will either have that gateway or server address instead).
Having a real phone number attached to bulk messages is a big deal. Recipients of messages with a real mobile number are far more likely to open them and read them. Additionally, these messages are far harder for SPAM prevention systems to detect and block. Cyber criminals use these messages for fraudulent purchases or phishing campaigns. It’s likely that Loomis had strong motivation for creating a grey network of SMS relays with dynamic sender addresses. As seen in the screenshot below just before the launch of Bazuc, Loomis’ bulk messaging infrastructure was being blocked by a number of operators for sending spam. Consequently, he was working on a dynamic solution to evade detection:
An analysis of the backend service which drives Halfcent SMS shows it to be the “Ozeki NG SMS Gateway,” a product which Loomis appears to know well. He makes a sideline selling pirated versions of it for $500 a time on his YouTube channel.
Show me the money?
It may all be coincidence, but it is hard to ignore the fact that Bazuc is rewarding users $0.001 for messages that Loomis is advertising elsewhere. $0.005. $0.004 per message is a healthy profit when it appears that most of the usual operating costs are eliminated by convincing ordinary users to send the messages. With a contract minimum of 100,000 messages, and volumes like 1,000,000 messages preferred (seen in the screenshots of his bulk SMS advertising earlier), Loomis could be making anything from $400 to $4000 from each contract he signs.
There’s no such thing as a free lunch, and with the promise of no in-app advertising, Bazuc’s operators are likely looking to other sources of revenue to pay its running costs and ultimately make this operation profitable. Given Loomis’ expertise and the value this network would bring to bulk messaging, it doesn’t take a giant stretch to realize that Buzac was likely built with bulk messaging in mind.
Bazuc also has all the necessary permissions to send other kinds of messages including MMS messages, international messages and even Premium Rate SMS. All of these could provide the operators of Bazuc with another quick and easy source of revenue considering it has the permissions and code necessary to hide any messages it sends.
This sort of grey messaging network will also be highly attractive to criminals. By the very nature of it’s design, Bazuc can be used to send virtually untraceable SMS messages in bulk which look like they came from ordinary users, because they did.
We have seen other apps that behave like this, but only in the world of malware. The ability to relay connections, in such a way that they are laundered to look like ordinary users, is an increasingly valuable service to cybercriminals. It’s particularly useful in helping them bypass SPAM detection systems or automated anti-fraud systems that score connections based on origin as their algorithms try to determine which requests are legitimate and which are suspicious.
This takes us onto the final part of this analysis, the actual traffic being sent through devices with Bazuc installed.
Types of SMS Messages
Transaction messages
We identified several messages that appeared to be sent from well-known American and African banks. At first glance, we thought they were phishing messages, however upon further investigation we suspect these messages may be legitimate.
It appears these banks signed up with the bulk SMS messaging network to send customer transaction information. If that’s true, they aren’t alone. During our examination of the network, we received PIN codes, chat invites, OTP or mobile TAN messages, psychic readings and even a wire transfer.
Do these banks or any of these legitimate organizations using this service realize that these messages they are sending are open for the user of the relay to see? That they are exposing their customers to a significant risk of ID fraud?
Spam
While only a few of the messages currently appear to be what we would classify as “Advertising SPAM,” most of them appear to be bulk messaging SPAM and many of them were concerning in appearance and content. Below are examples the advertising SPAM messages we saw pushed through the Bazuc network.
Finally, we have a selection of other messages of interest which were relayed through our test devices.
In total, over just a few days testing one of our devices sent well over 2,000 SMS messages.
Conclusion
While Bazuc is not outright malware, it poses a risk to people who elect to install it. Those who download Bazuc risk their personal information, name and phone number being shared broadly.
Bazuc is one more in the growing category of grey area threats which operate by finding loopholes in the mobile ecosystem. Rather than Bazuc breaking the Terms of Service, it’s the people who download Bazuc who are violating their operator’s Terms of Service and put themselves at risk of having their cellphone service terminated. It’s the users that are likely to pay the price when operators start to terminate mobile accounts or charge out of bundle rates on those messages. At an average price of $0.10c - $0.15 per out-of-bundle message, these users could be looking at a bill of $300 - $400 for messages. Compare that to the $3 Bazuc paid them.
The user is also likely to be left holding the baby when concerned bank customers come calling. While the vast majority of these are likely to only result in a few harassing phone calls, we can’t discount the possibility that this network could be used to send illegal messages, and in this case the owner of the phone is likely to find themselves in hot water with the authorities.
Sadly facilitating crime is often a difficult and thankless thing to prosecute. The operators of these kinds of services know this, and continue flying under the radar for a significant period of time. They are further helped by fact that services like these are incredibly complex, and often understanding exactly which specific laws (if any) have been broken can be a daunting task. In some cases, they deliberately set themselves up in countries where operations like this are facilitated by the legal situation there. In other countries, they make it as difficult as possible to identify criminality through a lack of transparency and hiding illegal transactions amongst cloud of other legitimate transactions.
As the pace of mobile innovation increases, we will continue to see ploys on mobile that exploit loopholes in the mobile ecosystem, and the widening gap between technology and legislation. The authors of mobile malware will continue to seek out opportunities to take advantage of these gaps, putting sensitive consumer information will be put at risk.
How to stay safe
- If it sounds too good to be true, it probably is.
- Ask yourself, would I be happy giving that level of access to my phone to a complete stranger? For example, in this case, would I be happy allowing a complete stranger off the street to send any SMS they want through my phone?
- Only install apps from trusted stores and make sure that you have read reviews.
- Make sure the Android system setting ‘Unknown sources’ is unchecked to prevent dropped or drive-by-download app installs
- Download a mobile security app like Lookout’s app that protects against malware as a first line of defense