mobile phone keypad

SMS phishing for the masses

Phishing remains one of the top threats that affects both consumers and businesses thanks to ever evolving tricks. While ‘classic’ phishing emails remain a problem, they can somewhat be thwarted via spam filters, whereas SMS phishing scams are much more difficult to protect against.

Case in point, here’s a fraudulent text message purporting to be from RBC, a Canadian financial institution, which made it through our phone without getting blocked:

Text message: Activities on your RBC Account is unsual. click  http://www1.royalbank.com.cgi-bin-rbaccess-rbunxcgi.gq to secure

If you followed the instructions and visited the link, you’d be redirected to a decoy site looking almost exactly like the real one. The crooks have designed the template to harvest as many credentials as they can (i.e. driver’s license, phone number, all three security questions) in order to gain illegal access to your account:

It is pretty scary to think that within minutes you could give crooks all the information they need to perform all sorts of illegal activity on your bank account, as well as perpetrate additional identity theft by impersonating you.

Checking the IP address where the phishing page resides (166.62.36.128), we find another phish for Bank Of Montreal (BMO), but also a domain (chatfellow.com) used to host the PHP panel of an application called “Sendroid”.

Sendroid is a framework to help you manage your bulk SMS campaigns and in itself is not malicious. Users are required to have a proper SMS provider in order to actually start sending text messages.

However, some user comments left on Sendroid’s purchase page show how it could be easily abused by spammers:

 I have like 4000 contact to send sms to. And my gateway batch size is set to 200. Does this mean that, the sendroid portal will only allow me to send sms to 200 people out of the 4000?

That’s a lot of contacts, but who knows… could be a popular guy.

It would be interesting to know the success rates of such phishing campaigns. Much like regular spam, it’s all about volume and even getting a small fraction of marks is enough to make it profitable.

Please be on the lookout for such fraudulent SMS text messages. The “intimacy” of receiving a message on a phone makes this scheme even more dangerous because we are more likely to have our guards down and fall for it.

This campaign was reported to RBC and the website has been blacklisted.

ABOUT THE AUTHOR

Jérôme Segura

Sr Director, Research