The Dangerous World of SMS Phishing Scams

New research looks into SMS phishing operations, outlines the techniques used to collect additional data and identifies the actions law enforcement officials can take to address such scams and cyber operations.

SMS phishing is a cyberattack method in which scammers use text messages to try to trick people into sharing private information (like credit card numbers or passwords) by impersonating a trusted party (like a bank or government agency).

First author of the study, Ph.D. Alex Nahapetyan from North Carolina State University, states: “In 2023 the world saw more phishing attacks than ever before, according to data from the Anti-Phishing Working Group. These attacks affect online security and privacy for consumers and can be extremely costly, but we have very little data on them.” He explains that this is because telecommunications companies are concerned about customer privacy and are reluctant to comb through the private data shared in text messages.

According to Techxplore, to get around this limitation, the researchers obtained a large number of disposable phone numbers from SMS gateways (websites that provide disposable phone numbers) and simply waited for those numbers to begin receiving phishing messages, which did not take long.

Using this technique, the researchers monitored 2,011 phone numbers and identified 67,991 phishing messages over the course of 396 days. They then used text analysis to divide those messages into 35,128 unique campaigns, where the messages in a campaign used content that was virtually identical. Further analysis found that those campaigns were associated with 600 distinct SMS phishing operations.

Nahapetyan concluded that the findings underscore two things: “First, we already knew that there was an entire email phishing economy, and this work makes clear that this is true for SMS phishing as well. Someone can come in and buy an entire operation ready to go—the code, the URL, the bulk messaging, everything. And if their site gets shut down, or their messaging service gets banned, they don’t care—they’ll simply move on to the next one.

“Second, we found that messages from many phishing operations include what appear to be notes to themselves. For example, a text may end with the words ‘route 7’ or ‘route 9’ or whatever. This suggests that phishers are using SMS gateways to test different routes for delivering phishing messages, in order to determine which routes are most likely to let their message through.”

In several cases, the researchers saw these “test messages” before the scammers had fully deployed the web infrastructure behind the URL, which shows that the messages were sent before the phishing attacks were launched in earnest.

“That’s important because it suggests that, by monitoring SMS gateways, we may be able to identify some phishing URLs before their attacks roll out on a large scale. That would make those phishing campaigns easier to identify and block before any users share private data,” concludes Nahapetyan.
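
A minimal sketch of the monitoring idea described above, added here as an illustration and not the researchers' code: it groups gateway messages into campaigns and flags campaigns whose messages end in a "route N" note, so the hosts they link to can be reviewed early. The normalization (masking URLs and digits) is an assumption, since the page does not describe the study's text analysis; the sample messages and example.test hosts are constructed.

```python
import re
from collections import defaultdict

URL_RE = re.compile(r"https?://[^\s]+", re.I)
# Trailing operator note such as "route 7", as quoted in the article.
ROUTE_RE = re.compile(r"\broute\s*(\d+)\s*$", re.I)

# Constructed sample inbox: (receiving number, message text).
SAMPLE = [
    ("+15550001", "Delivery: parcel 48213 held, confirm at https://parcel-help.example.test/a route 7"),
    ("+15550002", "Delivery: parcel 90177 held, confirm at https://parcel-help.example.test/b route 9"),
    ("+15550003", "Your bank card is locked. Verify: https://bank-verify.example.test/x"),
    ("+15550004", "Your verification code is 482913"),
]

def split_route_note(text):
    """Return (body, route id or None), stripping a trailing 'route N' note."""
    m = ROUTE_RE.search(text)
    if not m:
        return text, None
    return text[:m.start()].rstrip(), int(m.group(1))

def template(body):
    """Mask per-message variation (URLs, digits, case, spacing) to get a campaign key."""
    t = URL_RE.sub("<url>", body.lower())
    t = re.sub(r"\d+", "<n>", t)
    return re.sub(r"\s+", " ", t).strip()

def group_campaigns(messages):
    """Group link-bearing messages by template; collect hosts and route notes."""
    campaigns = defaultdict(lambda: {"count": 0, "hosts": set(), "routes": set()})
    for _number, text in messages:
        body, route = split_route_note(text)
        urls = URL_RE.findall(body)
        if not urls:
            continue  # no link, so not a phishing-URL candidate in this sketch
        c = campaigns[template(body)]
        c["count"] += 1
        for u in urls:
            c["hosts"].add(re.sub(r"^https?://", "", u, flags=re.I).split("/")[0].lower())
        if route is not None:
            c["routes"].add(route)
    return dict(campaigns)

def early_warning_hosts(campaigns):
    """Hosts from campaigns that carry route-test notes: candidates for early review."""
    return sorted(h for c in campaigns.values() if c["routes"] for h in c["hosts"])

if __name__ == "__main__":
    found = group_campaigns(SAMPLE)
    for key, c in found.items():
        print(c["count"], sorted(c["routes"]), sorted(c["hosts"]), key)
    print("review first:", early_warning_hosts(found))
```

Exact-template matching only catches copies that differ in links and numbers; a production pipeline would need fuzzier similarity to handle reworded variants.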