Earlier on, I tweeted about this but I had to take down the twitpic because I realized that it had my phone number on it (^_^). I received this message a while back and I couldn’t help but think: WTF. O_O
The real WTF was finding out that this is 99% likely a legitimate message although there is nothing AT ALL in these two messages that these are legitimate Singtel services.
With all the phishing attacks that’s been happening for years, the IT Savvy-er of the netizens are doing their best to tell their friends and family not do download stuff from unknown sources and always check the domains of the sites you are accessing, etc. With the advent of 3G/mobile internet connectivity, people doing mobile banking, and so on, malicious attacks have been spreading to the mobile platform as well, as we’ve seen happening with the iPhone’s PDF vulnerability. We all have a part to play in helping each other keep our guards up against these issues, the Telco’s more so.
By doing something like this, they are basically saying “Yeah, we sometimes send you recommendations of services from a number that anyone can own” or “Yes, sometimes we offer free apps for download from website addresses with gibberish numbers and not even bother with a domain name” or “Yep, as long as there’s singtel in the web address that’s us!”. It’s very ironic how this is for a security & privacy application. No offense to WaveSecure, I know for a fact they’re a great product, McAfee does too. This was all good intention but sadly, poor execution.
How ugly can this get? If I were a malicious person who’s intelligent enough hack together an mobile app I could upload it to a domain like http://singtel.aimeegurl.com and send text messages to all the phone numbers I find, and say it’s an update to the software they’ve downloaded previously. The app can practically ask the user anything it wants since to the user, it’s their Telco’s app so of course they could trust them with their private information if they asked for it (Phishing++?) or if I were even more intelligent, I’d hack up an app that just straight away does nasty stuff without the users knowledge. Needless to say, possibilities are endless.
What’s done is done though. I’m sure investments were made on this project. Let’s hope no one exploits this. Meanwhile, the message still stands, NEVER download stuff from site domains that you don’t know for sure are legitimate, and just like in real life, there HAS to be proof of identity before complying to a request from someone who claims to be someone.