Study sheds light on shady world of text message phishing scams

Researchers have collected and analyzed an unprecedented amount of data on SMS phishing attacks, shedding light on both the scope and nature of SMS phishing operations. The work also outlines techniques that can be used to collect additional data on phishing activities and identifies avenues that law enforcement officials can use to address phishing operations.

At issue is SMS phishing, which refers to attacks where scammers use text messages to try to trick people into sharing private information – such as credit card numbers or passwords – by impersonating a trusted party, such as a bank or government agency.

What the researchers say: “In 2023 the world saw more phishing attacks than ever before, according to data from the Anti-Phishing Working Group,” said the paper’s first author. “These attacks affect online security and privacy for consumers and can be extremely costly, but we have very little data on them. That’s because telecommunications companies are concerned about customer privacy and are reluctant to comb through the private data shared via text messages.”

To get around this limitation, the researchers made use of SMS gateways, which are online websites that allow users to obtain disposable phone numbers. The researchers used SMS gateways to obtain a large number of disposable phone numbers. Because SMS phishing is now so widespread, they were able to simply wait for those disposable phone numbers to begin receiving phishing attacks.

Using this technique, the researchers monitored 2,011 phone numbers and identified 67,991 phishing messages over the course of 396 days.

Using text analysis, the researchers determined that those phishing messages could be divided into 35,128 unique campaigns – meaning that they were using virtually identical content. Further analysis found that those campaigns were associated with 600 distinct SMS phishing operations.

“For example, if we saw multiple campaigns that were directing targets to click on the same URL, those campaigns were part of the same operation,” the researchers explained. “By the same token, if we saw a single campaign that used multiple URLs, we were able to determine that those URLs were part of the same operation.”

Some of the findings were surprising. For example, the researchers found that SMS phishers are using mainstream servers, URL-shortening apps and web infrastructure to support their operations.

“Most people associate cybercrime with some sort of shady infrastructure,” the first author said. “But these phishing scam operations are being run using the same infrastructure as everyone else.”

The researchers also found that some phishers are also setting up their own domains, which they are using to host their own URL-shorteners.

“This raises the possibility that the private URL-shortening services provide some additional protection to phishers, or that this is a service being sold to phishers as part of the phishing ecosystem,” he noted. “That’s an area for future research.”

The researchers also tested the defenses of telecom services by sending their own (harmless) phishing messages to 10 phone numbers. They did this directly from a privately-owned phone, and again from a bulk messaging service. All of the phishing messages were delivered successfully. However, the bulk messaging service then banned the researcher’s account.

The researchers also looked for bulk messaging services that phishers would be able to use repeatedly – and they found them. The services that enabled phishing attacks were not hiding in shadowy corners of the internet, but advertising openly on public social media platforms, such as LinkedIn.

“Altogether, the findings underscore two things,” the researchers said. “First, we already knew that there was an entire email phishing economy, and this work makes clear that this is true for SMS phishing as well. Someone can come in and buy an entire operation ready to go – the code, the URL, the bulk messaging, everything. And if their site gets shut down, or their messaging service gets banned, they don’t care – they’ll just move on to the next one.

“Second, we found that messages from many phishing operations include what appear to be notes to themselves. For example, a text may end with the words ‘route 7’ or ‘route 9’ or whatever. This suggests that phishers are using SMS gateways to test different routes for delivering phishing messages, in order to determine which routes are most likely to let their message through.”

In at least four instances, the researchers identified these “test messages” – including the URL the phishers were using – before the phishers had fully deployed their web infrastructure at the URL.

“This tells us that the messages were sent before the phishing attacks were launched in earnest,” they concluded. “That’s important because it suggests that, by monitoring SMS gateways, we may be able to identify some phishing URLs before they roll their attacks out on a large scale. That would make those phishing campaigns easier to identify and block before any users share private data.”

So, what? I am not sure that anyone with real authority is sufficiently motivated to do much about this nuisance. Change will only come when we earnestly take charge of technology, because at the moment it is increasingly in charge of us.

Humans are designed to communicate in person, face to face. It’s only through the use of all our senses during the interaction that we can establish trust and know who to trust. The more remote the connection—and text is about as remote as you can get—the more confused people are going to be about the trustworthiness of the person or entity reaching out to them. The brain’s path of least resistance will often be to respond to the text as if it were genuine—especially if we are lonely, depressed, anxious, discriminated against or isolated, as the majority of present-day humans are.

Phishers play on our sense of fear or greed and thus tap into the deepest and oldest parts of our neurogenetic “design-specs.” These areas are not up to dealing with modern technology.