SMS phishing operations continue to plague the security industry for one very simple reason: They work.

To that end, researchers collected and analyzed a huge amount of data on SMS phishing attacks, hoping to shed some light on the scope and nature of these attacks. The research also outlines techniques that can collect additional data on phishing activities, and identifies avenues that law enforcement officials can use to address phishing operations.

At issue is SMS phishing, which refers to attacks where attackers use text messages to try to trick people into sharing private information – such as credit card numbers or passwords – by impersonating a trusted party, such as a bank or government agency.

“In 2023, the world saw more phishing attacks than ever before, according to data from the Anti-Phishing Working Group,” said Alex Nahapetyan, first author of a paper on the study and a Ph.D. student at North Carolina State University.

Costly Attacks
“These attacks affect online security and privacy for consumers and can be extremely costly, but we have very little data on them,” Nahapetyan said. “That’s because telecommunications companies (have concerns) about customer privacy and are reluctant to comb through the private data shared via text messages.”

To get around this limitation, researchers made use of SMS gateways, which are websites that allow users to obtain disposable phone numbers, and used them to obtain a large number of such numbers. Because SMS phishing is now so widespread, they were able to simply wait for those disposable phone numbers to begin receiving phishing attacks.

Using this technique, the researchers monitored 2,011 phone numbers and identified 67,991 phishing messages over the course of 396 days.

Using text analysis, researchers determined those phishing messages could be divided into 35,128 unique campaigns – meaning the messages in a campaign were using virtually identical content. Further analysis found those campaigns were associated with 600 distinct SMS phishing operations.

“For example, if we saw multiple campaigns that were directing targets to click on the same URL, those campaigns were part of the same operation,” Nahapetyan said. “By the same token, if we saw a single campaign that used multiple URLs, we were able to determine that those URLs were part of the same operation.”
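The grouping rule described above, as an added example (not the researchers' code): messages are collapsed into campaigns by a content template, and campaigns are merged into operations whenever they share a URL, using union-find. The normalization in `template`, the sample messages and the `example` hosts are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

URL_RE = re.compile(r"https?://\S+", re.I)

# Constructed sample messages; the *.example hosts are placeholders, not real indicators.
MESSAGES = [
    "Your parcel 4471 is held. Pay the fee: https://short.example/a1",
    "Your parcel 9032 is held. Pay the fee: https://short.example/a1",
    "Bank alert: card locked. Verify at https://short.example/a1",
    "Bank alert: card locked. Verify at https://bank-verify.example/login",
    "Tax refund of $120 pending, claim: https://refund.example/claim",
    "Tax refund of $345 pending, claim: https://refund.example/claim",
]

def template(msg):
    """Campaign key (assumed normalization): mask URLs and digit runs, fold case and spaces."""
    masked = re.sub(r"\d+", "<n>", URL_RE.sub("<url>", msg))
    return " ".join(masked.lower().split())

def find(parent, x):
    """Union-find root lookup with path halving."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x

def cluster(messages):
    """Return (campaigns, operations). campaigns maps template -> set of URLs;
    operations is a list of (campaign templates, URLs) joined by any shared URL."""
    campaigns = defaultdict(set)
    for msg in messages:
        campaigns[template(msg)].update(u.rstrip(".,") for u in URL_RE.findall(msg))
    parent = {}
    for camp, urls in campaigns.items():
        parent.setdefault(("c", camp), ("c", camp))
        for url in urls:
            parent.setdefault(("u", url), ("u", url))
            # Same URL in two campaigns, or two URLs in one campaign: same operation.
            parent[find(parent, ("u", url))] = find(parent, ("c", camp))
    groups = defaultdict(lambda: (set(), set()))
    for kind, value in parent:
        groups[find(parent, (kind, value))][0 if kind == "c" else 1].add(value)
    return dict(campaigns), sorted(groups.values(), key=lambda g: sorted(g[1]))

if __name__ == "__main__":
    camps, ops = cluster(MESSAGES)
    print(len(camps), "campaigns,", len(ops), "operations")
```

On the sample, the parcel and bank campaigns merge through the shared short link, which also pulls the second bank URL into the same operation.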

Some of the findings were surprising.

For example, the researchers found SMS phishers are using mainstream servers, URL-shortening apps and web infrastructure to support their operations.

‘Normal Infrastructure’
“Most people associate cybercrime with some sort of shady infrastructure,” Nahapetyan said. “But these phishing scam operations are run using the same infrastructure as everyone else.”

The researchers also found some phishers are setting up their own domains, which they are using to host their own URL-shorteners.

“This raises the possibility that the private URL-shortening services provide some additional protection to phishers, or that this is a service sold to phishers as part of the phishing ecosystem,” Nahapetyan said. “That’s an area for future research.”

The researchers also tested the defenses of telecom services by sending their own (harmless) phishing messages to 10 phone numbers. They did this directly from a privately-owned phone, and again from a bulk messaging service. All of the phishing messages were delivered successfully. However, the bulk messaging service then banned the researcher’s account.

The researchers also looked for bulk messaging services that phishers would be able to use repeatedly – and they found them. The services that enabled phishing attacks were not hiding in shadowy corners of the Internet, but advertising openly on public social media platforms, such as LinkedIn.

“Altogether, the findings underscore two things,” Nahapetyan said. “First, we already knew that there was an entire email phishing economy, and this work makes clear that this is true for SMS phishing as well. Someone can come in and buy an entire operation ready to go – the code, the URL, the bulk messaging, everything. And if their site gets shut down, or their messaging service gets banned, they don’t care – they’ll just move on to the next one.

Notes to Themselves
“Second, we found that messages from many phishing operations include what appear to be notes to themselves. For example, a text may end with the words ‘route 7’ or ‘route 9’ or whatever. This suggests that phishers are using SMS gateways to test different routes for delivering phishing messages, in order to determine which routes are most likely to let their message through.”

In at least four instances, the researchers identified these “test messages” – including the URL the phishers were using – before the phishers had fully deployed their web infrastructure at the URL.

“This tells us that the messages were sent before the phishing attacks were launched in earnest,” Nahapetyan said. “That’s important because it suggests that, by monitoring SMS gateways, we may be able to identify some phishing URLs before phishers roll their attacks out on a large scale. That would make those phishing campaigns easier to identify and block before any users share private data.”

The paper is titled “On SMS Phishing Tactics and Infrastructure.”