iMessage Spam Shows How Smartphones Are Dumber Than We Think

Man uses an Apple iPhone in Tokyo, Japan on July 16, 2014

Atsushi Tomura/ Getty Images

Spammers whose messages previously just filled up your Gmail spam folder have found a way to infiltrate a new frontier: text messages, particularly those sent through Apple’s iMessage network. Wired’s Robert McMillan spoke with Tom Landesman of security and anti-spam company Cloudmark. Landesman said that a year ago, he’d never seen an iMessage spam. But now, iMessage spam accounts for 30 percent of all mobile spam messages, thanks to aggressive campaigns by scammers pushing deals on luxury goods — designer handbags late last year, and knock-off Ray-Ban and Oakley sunglasses more recently.

A recent blog post by Cloudmark reported that 34 percent of all reported SMS spam in the U.S. in the previous two months was from a single campaign advertising discounted goods allegedly by — but more than likely knockoffs of — brands including Louis Vuitton, Hermes, Gucci, Prada, Celine, Oakley, Ray-Ban, Michael Kors, and Tiffany & Co Jewelry. “What is clear is that the authenticity of these shanty-like online stores for designer bags is very questionable,” the post notes. “Names, URLs, and domain registration info all raise red flags. It’s unlikely that a URL like ‘sunglassesstore-us.com’ is a reputable domain. Also, the product images are of noticeably low quality and appear to have been ripped from third-party sites such as eBay.”

Landesman explained to Wired that because the iMessage system spans the iPhone, iPad, and Apple’s laptops and desktops, spammers can easily write a Mac script that will quickly send messages to all of those devices. “It’s almost like a spammer’s dream. With four lines of code, using Apple scripts, you can tell your Mac machine to send message to whoever they want.” They’ll use either your phone number or even an email address that you’ve associated with your iMessage account. To check which email addresses and phone numbers are associated with your iMessage account, on your iPhone you can go to Settings, then Messages, then Send & Receive.

Since the desktop client tells you whether a number you’ve entered is registered with iMessage, spammers can generate a list of verified users, and also see whether the message that they’ve sent has been read or not. They can also register an iMessage account with only an email address, and use a large number of accounts to send, as Landesman puts it, “a huge volume of messages.”