Apple's iMessage Is Being Taken Over by Spammers

Josh Valcarcel/WIRED

Apple's iMessage system is a great way to send texts from phone to phone without paying fees to your mobile carrier. But over the past year, it has also become something of a nuisance. iMessage, you see, is yet another communications tool being polluted by spam. It's a cheap and easy way for luxury goods spammers to get their junk messages front-and-center on your phone.

A year ago, Tom Landesman—who works for security and anti-spam company Cloudmark—had never seen an iMessage spam. But he and his company now say that, thanks to one particularly aggressive campaign from a junk mailer, it accounts for more than 30 percent of all mobile spam messages.

These kinds of spam campaigns come and go. Cloudmark spotted its first one late last year, when the scammers were flogging imitation designer handbags. Lately, the spammers have been pushing deals on knock-off Ray-Ban and Oakley sunglasses.


Apple's iMessage system spans across the iPad, iPhone, and Apple's laptop and desktop systems. That fusion of the desktop and mobile world makes it particularly easy for scammers to write a Mac OS script that can send messages to all types of devices just as fast as Apple will allow. "It's almost like a spammer's dream," says Landesman. "With four lines of code, using Apple scripts, you can tell your Mac machine to send message to whoever they want."

Most of the time, the spammer will need a phone number to deliver the iMessage spam, but if you've added your email address to iMessage, the spammers can get you using that address too. (On your phone, you can see which addresses and phone numbers are associated with your iMessage account by visiting Settings –> Messages –> Send and Receive.)

Apple's desktop client instantly tells you whether or not the number you've entered is registered with the iMessage network, so scammers could use this feature to generate a list of verified iMessage users. As an added bonus, iMessage notifies the scammer whether the message they've sent out has been read or not.

Got my first iMessage spam. Here's hoping that does not become very prevalent. #ios

— Marc Tytus (@marctytus) August 18, 2014

It's very easy for spammers to register an iMessage account. All you need is an email address. We've seen spam sent from accounts registered to Microsoft's hotmail.com system and to Chinese webmail providers such as Yeah.net. "In 10 minutes, if you have a whole bunch of accounts, you'd be able to send a huge volume of messages," Landesman says.

Because the spam is all traveling on Apple's network, your mobile carrier can't do anything about it. That makes the clean-up job an Apple problem. Reached Monday, an Apple spokeswoman didn't have any immediate comment for this story. But the company has taken some steps.

A year ago, Apple didn't appear to limit the velocity at which its users could pump out iMessages. In fact, hackers devised ways of spamming their victims with rapid-fire iMessage attacks that overwhelmed the iMessage app. Now, the company has added rate-limiting to the iMessage network, Landesman says. And there's also a slightly burdensome way to report iMessage spammers and get them banned from Apple's network. You have to email the company a screenshot of the spam, the phone number or email address of the spammer, and the date and time it was sent.


But if Apple is doing anything to take these spammers off the network, it's moving slowly. WIRED reported one spam address to Apple on Wednesday of last week. As of Monday afternoon, it was still active on the iMessage network. We also checked three other email addresses used in spam campaigns over the past few days. They were all still active too. The spammers, by the way, did not respond to our iMessage requests for interviews.

As for the beleaguered users, there's not much they can do. They can report the spam, or in extreme cases, turn off the iMessage service altogether (Settings –> Messages –> iMessage). One other option: You can turn off alerts from iMessage users who aren't in your list of contacts (Settings –> Notification Center –> Messages –> Show Alerts from My Contacts).

That will keep the spam messages from buzzing you and instantly popping up on the screen of your phone. You'll need to go into the message center to see them. But it could also keep you from noticing messages from folks you care about, who just don't happen to be on your list of contacts.