SoylentNews is people

posted by hubie on Wednesday August 14 2024, @05:42AM

https://www.wired.com/story/usps-scam-text-smishing-triad/

The flood of text messages started arriving early this year. They carried a similar thrust: The United States Postal Service is trying to deliver a parcel but needs more details, including your credit card number. All the messages pointed to websites where the information could be entered.

Like thousands of others, security researcher Grant Smith got a USPS package message. Many of his friends had received similar texts. A couple of days earlier, he says, his wife called him and said she'd inadvertently entered her credit card details. With little going on after the holidays, Smith began a mission: Hunt down the scammers.

Over the course of a few weeks, Smith tracked down the Chinese-language group behind the mass-smishing campaign, hacked into their systems, collected evidence of their activities, and started a months-long process of gathering victim data and handing it to USPS investigators and a US bank, allowing people's cards to be protected from fraudulent activity.

In total, people entered 438,669 unique credit cards into 1,133 domains used by the scammers, says Smith, a red team engineer and the founder of offensive cybersecurity firm Phantom Security. Many people entered multiple cards each, he says. More than 50,000 email addresses were logged, including hundreds of university email addresses and 20 military or government email domains. The victims were spread across the United States—California, the state with the most, had 141,000 entries—with more than 1.2 million pieces of information being entered in total.

[...] Chasing down the group didn't take long. Smith started investigating the smishing text message he received by looking at the dodgy domain and intercepting traffic from the website. A path traversal vulnerability, coupled with a SQL injection, he says, allowed him to grab files from the website's server and read data from the database being used.
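The two bug classes named above are worth seeing side by side. What follows is an added illustration, not code from the smishing kit or from Smith's write-up: a hypothetical parcel-tracking page with a file-download handler and a tracking-number lookup, each in the vulnerable form the article describes and in a hardened form. The directory name, table layout and victim rows are all constructed for the example.

```python
import os
import sqlite3

# Constructed stand-in for a parcel-tracking page such as the one described
# above. Both handlers are hypothetical: the kit's real code is not on the page.

# Assumed document root; realpath() so later comparisons use canonical paths.
DOWNLOAD_DIR = os.path.realpath(os.path.join("webroot", "static"))


def vulnerable_download(user_path: str) -> str:
    """Path traversal: the user-supplied name is joined straight onto the
    static directory, so "../../config.php" walks out of it."""
    return os.path.join(DOWNLOAD_DIR, user_path)


def safe_download(user_path: str) -> str:
    """Hardened form: canonicalise first, then refuse anything that resolves
    outside DOWNLOAD_DIR. Comparing the resolved path means ".." segments and
    symlinks are collapsed before the check, not after it."""
    candidate = os.path.realpath(os.path.join(DOWNLOAD_DIR, user_path))
    if os.path.commonpath([candidate, DOWNLOAD_DIR]) != DOWNLOAD_DIR:
        raise ValueError("path traversal rejected: %r" % user_path)
    return candidate


def build_db() -> sqlite3.Connection:
    """In-memory victims table with constructed rows (not real data)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE victims (tracking TEXT, card TEXT, email TEXT)")
    con.executemany("INSERT INTO victims VALUES (?, ?, ?)", [
        ("9400100000000000000001", "4111111111111111", "alice@example.invalid"),
        ("9400100000000000000002", "5555555555554444", "bob@example.invalid"),
    ])
    return con


def vulnerable_lookup(con: sqlite3.Connection, tracking: str) -> list:
    """SQL injection: the tracking number is spliced into the query text, so a
    value such as  ' OR '1'='1  turns a one-row lookup into a table dump."""
    sql = "SELECT tracking, card, email FROM victims WHERE tracking = '%s'" % tracking
    return con.execute(sql).fetchall()


def safe_lookup(con: sqlite3.Connection, tracking: str) -> list:
    """Parameterised query: the value is bound as data and never parsed as SQL."""
    sql = "SELECT tracking, card, email FROM victims WHERE tracking = ?"
    return con.execute(sql, (tracking,)).fetchall()


if __name__ == "__main__":
    payload = "' OR '1'='1"
    con = build_db()
    print("vulnerable lookup:", vulnerable_lookup(con, payload))   # every row
    print("safe lookup:      ", safe_lookup(con, payload))         # no rows
    print("vulnerable path:  ", vulnerable_download("../../etc/passwd"))
    try:
        safe_download("../../etc/passwd")
    except ValueError as exc:
        print("safe path:        ", exc)
```

The hardened handlers are the minimum a kit author would have needed to keep a researcher out; the lookup fix is a one-line change, which is the usual story with injection bugs in throwaway PHP-style front ends.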

"I thought there was just one standard site that they all were using," Smith says. Diving into the data from that initial website, he found the name of a Chinese-language Telegram account and channel, which appeared to be selling a smishing kit scammers could use to easily create the fake websites.

[...] "I started reverse engineering it, figured out how everything was being encrypted, how I could decrypt it, and figured out a more efficient way of grabbing the data," Smith says. From there, he says, he was able to break administrator passwords on the websites—many had not been changed from the default "admin" username and "123456" password—and began pulling victim data from the network of smishing websites in a faster, automated way.

[...] The researcher provided the details to a bank that had contacted him after seeing his initial blog posts. Smith declined to name the bank. He also reported the incidents to the FBI and later provided information to the United States Postal Inspection Service (USPIS).

[...] The Smishing Triad sends between 50,000 and 100,000 messages daily, according to Resecurity's research. Its scam messages are sent using SMS or Apple's iMessage, the latter being encrypted. Loveland says the Triad is made up of two distinct groups—a small team led by one Chinese hacker that creates, sells, and maintains the smishing kit, and a second group of people who buy the scamming tool. (A backdoor in the kit allows the creator to access details of administrators using the kit, Smith says in a blog post.)

[...] As a result, smishing has been on the rise in recent years. But there are some tell-tale signs: If you receive a message from a number or email you don't recognize, if it contains a link to click on, or if it wants you to do something urgently, you should be suspicious.
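The three tell-tale signs above (unknown sender, an embedded link, pressure to act now) can be turned into a simple triage rule. The following is an added example, not part of the Wired piece or of any product: it scores constructed sample messages on those three signs and adds a fourth check that generalises the USPS lure, flagging a link whose host merely contains a carrier's name without being that carrier's real domain. The address book, brand table, urgency phrases and sample messages are all assumptions made for the example.

```python
import re
from typing import Optional
from urllib.parse import urlparse

# Hypothetical address book and brand table; a real deployment would use the
# phone's contacts and a maintained list of carrier domains.
KNOWN_SENDERS = {"+15550100001", "+15550100002"}
BRAND_DOMAINS = {"usps": {"usps.com"}, "fedex": {"fedex.com"}, "ups": {"ups.com"}}

URGENCY = re.compile(
    r"\b(immediately|urgent|within \d+ hours?|final notice|act now|"
    r"will be returned|suspended)\b", re.IGNORECASE)
URL = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)


def host_of(url: str) -> str:
    """Lower-cased host name of a URL, tolerating a missing scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def brand_lookalike(host: str) -> Optional[str]:
    """Return the brand a host impersonates: the brand name appears as a label
    of the host (usps-track.info, usps.com.delivery-fee.xyz) but the host is
    neither one of the brand's real domains nor a subdomain of one."""
    labels = re.split(r"[.-]", host)
    for brand, real in BRAND_DOMAINS.items():
        if brand in labels and not any(host == d or host.endswith("." + d) for d in real):
            return brand
    return None


def triage(sender: str, body: str) -> dict:
    """Score one message on the tell-tale signs. A lookalike link counts
    double because that sign alone is close to decisive."""
    urls = URL.findall(body)
    lookalikes = [b for b in (brand_lookalike(host_of(u)) for u in urls) if b]
    flags = {
        "unknown_sender": sender not in KNOWN_SENDERS,
        "has_link": bool(urls),
        "urgent": URGENCY.search(body) is not None,
        "brand_lookalike": lookalikes,
    }
    score = (int(flags["unknown_sender"]) + int(flags["has_link"])
             + int(flags["urgent"]) + 2 * int(bool(lookalikes)))
    flags["score"] = score
    flags["verdict"] = "likely smishing" if score >= 3 else "low risk"
    return flags


# Constructed sample messages (not real captures). The second one uses an
# e-mail style sender, as an iMessage lure would.
SAMPLES = [
    ("+12025550133",
     "USPS: your package is on hold, update your address within 24 hours at "
     "http://usps-track.info/p/9a2k"),
    ("notice@delivery-fee.example",
     "Final notice: parcel held. Pay the redelivery fee at "
     "https://usps.com.delivery-fee.xyz/pay"),
    ("+15550100002", "Check out https://www.usps.com/track for your parcel"),
    ("+15550100001", "Running late, see you at 7"),
]


def run_samples() -> list:
    """Verdict for each sample, in order."""
    return [triage(sender, body)["verdict"] for sender, body in SAMPLES]


if __name__ == "__main__":
    for (sender, body), verdict in zip(SAMPLES, run_samples()):
        print(f"{verdict:16} {sender:28} {body[:60]}")
```

The label-based lookalike check is deliberately crude: it catches "usps" as a hyphenated or dotted component of an unrelated host but not homoglyph tricks, so treat it as one signal among several rather than a verdict on its own.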



  • (Score: 3, Insightful) by looorg (578) on Wednesday August 14 2024, @10:01AM (#1368546) (6 children)

    In some regard I find these fascinating. That people fall for them. It doesn't matter how many times they get told it's a scam, in papers or television or whatnot. They even sent postcards here from the police to people of a certain age group (old people) telling them about the scams and that they never ask for this information. I guess it's stress or they just don't think about it. A lot of computer interactivity has become so normal that people just don't stop and think, they just do. Click here, fill in there and badabing it worked or you just got scammed.

    After all, if they just stopped for a moment to think: how many Nigerian princes do I know, or how many times have the Police, Bank, Postal service etc. asked for my credit card and bank# in an email or over the phone? Zero. Not a single time. Has never happened. Yet here it is ... First time for everything, right?

    It just doesn't seem like this is a problem that information campaigns are going to solve. At least this guy took it upon himself to do something, which most people won't be able to. So when is he getting charged with hacking?

    Clearly the reward for this kind of crime is way better and higher than any risks involved. But this isn't a crime ordinary people will stop. Banks, or however the money is transferred, have to stop this. But they don't want to. Cause it costs money. But they are the ones with the capabilities and the means to do anything about it. But they won't. Unless forced to act.

    • (Score: -1, Offtopic) by Anonymous Coward on Wednesday August 14 2024, @10:57AM (#1368553)

      > Banks, or however the money is transferred, have to stop this. But they don't want to.

      Personal responsibility is dead, long live corporate responsibility. Ummm... what can go wrong?

    • (Score: 5, Insightful) by Ox0000 (5111) on Wednesday August 14 2024, @11:51AM (#1368557) (1 child)

      > In some regard I find these fascinating. That people fall for them. It doesn't matter how many times they get told it's a scam, in papers or television or whatnot. They even sent postcards here from the police to people of a certain age group (old people) telling them about the scams and that they never ask for this information. I guess it's stress or they just don't think about it. A lot of computer interactivity has become so normal that people just don't stop and think, they just do. Click here, fill in there and badabing it worked or you just got scammed.
      >
      > After all, if they just stopped for a moment to think, <SNIP>

      I think it is unfair to squarely put the blame on the end-user. As a field, we've conditioned them to always accept what the computer says, and not to question it. We've acted exclusionary in whom we allow inside our field; this started from the beginning, when you needed Maths (capital M) and a lab coat to be allowed to touch the Big Iron and were told off if you lacked any of those but still wanted to do interesting and legit things with it. This has led to people being 'afraid' (for lack of a better term) of computers and anything to do with them because for some, it's literally(*) magic. This sense of fear or apprehension predisposes/primes people to being fruitful victims for anything that involves computers.

      A lot of these scams work exactly because they position people in a situation of "you gotta act now, don't think, just do or else you'll miss out on ...". That's how phishing, smishing, and even most off-line scams (and car purchasing) work.

      The point is not "if only they stopped to think for a moment", the point is that the scam specifically socially engineers the marks to NOT do that, that is exactly what the scam does!

      The day I exclaim "such idiots, why did they fall for this obvious scam, couldn't they just have ${whatevered}, then they would have seen it for what it was, aren't I smart for pointing out their weakness", will be the day that I fall for one of these scams myself. While some have better defenses, no-one has full immunity to this.

      (*) I mean this very, very literally. I have met people who have told me that they think it's Magic, as in actual, literal magic (that they believe in magic is a different issue but here we are)

      • (Score: 1, Touché) by Anonymous Coward on Wednesday August 14 2024, @02:15PM (#1368569)

        > I think it is unfair to squarely put the blame on the end-user.

        I think it's fair.

        Wanna know how many scams I've fallen for in ~45 years?

        Zero.

        Wanna know how many credit card numbers I've had compromised?

        Zero.

        Wanna know how many times my personal information has been exposed in breaches?

        Zero.

        Why do you think my dentist complains the only information he has in his system about me is my first name, last name, and phone number?

        I refuse to give out information all the time.

        I pay for nearly everything in cash. For online stuff I use privacy.com's virtual card service.

        My biggest risk is actually government. There are all sorts of stupid legal things that require government to hold on to ridiculously stupid amounts of personal information...and you know government doesn't give a shit about you or your data. They don't have to. And you have no recourse if they fuck up. *cough*OPM breach*cough*

    • (Score: 3, Interesting) by Ox0000 (5111) on Wednesday August 14 2024, @12:03PM (#1368558) (1 child)

      > But they don't want to. Cause it costs money.

      Wanted to add to this the following:
      ~~Banks~~ Credit Card companies do want to stop it, because fraud also costs money.

      It just happens to be the case that just eating the cost of fraud is cheaper than fixing the issue, including through technical means. And so they do the cheap thing.
      If you want evidence of this: how hard is it to dispute a charge on your card, how much hassle do they really give you? Last time I disputed a charge, the only info I provided was "this is the charge, for this amount, I dispute it", no further questions asked, money refunded within 24 hours.

      To some large degree the resistance to fixing the root cause is because these mitigation strategies (might) make CC transactions .5 of a second longer and risk that the person would think before purchasing/spending coin, and we can't have that, can we? This is one of the reasons why chip or chip+PIN has been commonplace in the entire developed (and much of the less-developed) world, but took so long to get rolled out in the US: "completing the transaction would take a split second longer, and we can't have that." The rest of the world went "so what if they take longer", whereas in the US, they went "you don't understand, we have these unique things in the world called grocery stores where the checkout lines would stretch for miiiiilllleeeessssss if transactions take longer; don't try to make me explain to you what these are because you couldn't possibly comprehend it anyway, that's how much more advanced we are than you".

      • (Score: 0) by Anonymous Coward on Wednesday August 14 2024, @03:32PM (#1368582)

        > It just happens to be the case that just eating the cost of fraud is cheaper than fixing the issue, including through technical means. And so they do the cheap thing.

        Eating the cost of fraud is cheaper (for the credit card systems) because for the most part nobody involved with the credit card systems is responsible for paying for fraud.

        > If you want evidence of this: how hard is it to dispute a charge on your card, how much hassle do they really give you? Last time I disputed a charge, the only info I provided was "this is the charge, for this amount, I dispute it", no further questions asked, money refunded within 24 hours.

        They don't give a shit because when you dispute a transaction they just credit your account and debit the merchant account. The merchant is the one left holding the bag in the case of credit card fraud, meanwhile the fraudster gets to keep his new big screen TV. In some cases they might be able to successfully dispute the reversal but the process is not nearly as easy for the merchants.

        The process is smooth for the cardholders because if they stopped using their credit cards that would be a real problem for the card issuers. It's all about those sweet sweet transaction fees.

    • (Score: 2) by Goghit (6530) on Wednesday August 14 2024, @05:35PM (#1368591)

      I recently received an email from my local bank branch with a "click here to see all our new, exciting changes" link in it. AFAICT the link was legitimate but the problem is a new and clueless branch manager who thinks it's a good idea to train clients to click on email links.

      I'm pulling my money out of that branch. Probably a pointless exercise because stupidity seems to be highly contagious.

      A couple of years ago my dentist started using an SMS click-here-to-confirm-your-appointment service. Link resolves to some service agency they've rented the package from, not their office. And now the vet is doing the same thing. I'm going to keep a stripped down Android phone with no network connections for dealing with these people in future. Eventually they'll get me.

  • (Score: 2) by JoeMerchant (3937) on Wednesday August 14 2024, @12:44PM (#1368561) (1 child)

    > selling a smishing kit scammers could use to easily create the fake websites.

    That explains a lot. This reminds me of the ads that used to run in the classifieds: "Send $20 for a list of..." whatever people are willing to pay for. The sellers would sell "kits" for $100 or more, telling you how to advertise the hook, and giving you an outdated list of just enough of what the rubes are hoping for to give you a fig leaf of fraud protection. So, then, kit buyers would go out and advertise the info lists and people would mail them money. If the advertising hit a wide enough audience of the right kind of people, they'd easily make back their kit price - but it was questionable due to the costs of advertising whether the kit buyers would ever clear a profit. Of course, the list buyers would get those outdated lists... I hope at least some of them were happy....

    I see this whole scenario (people willing to give up their personal info in exchange for a fabricated story based on nothing) as a real problem for any kind of "strong ID" system. Whatever ID you give people, millions of them will be giving it away in exchange for nothing. I suppose you could inject an RFID chip with a hidden secret that can be used to authenticate ID - as long as people don't allow others to dig the chip out of their body and hack the embedded secret out of it... I'm sure at least thousands, if not millions, would...

    --
    🌻🌻🌻 [google.com]
    • (Score: 0) by Anonymous Coward on Wednesday August 14 2024, @09:33PM (#1368616)

      I am sure you could find an ( embalmer | mortician | undertaker | cremator ) that will get some for you.

  • (Score: 3, Touché) by VLM (445) on Wednesday August 14 2024, @03:20PM (#1368579) (1 child)

    > If you receive a message from a number or email you don't recognize, if it contains a link to click on, or if it wants you to do something urgently, you should be suspicious.

    All push marketing, maybe all push media, is a scam. If you haven't figured out the scam yet, that just means it's a better than average scam. It's kind of like door to door sales: if it wasn't a scam they wouldn't be selling it door to door, LOL. Ditto anything sold by telemarketer or anything sold as part of a customer service interaction.

    Anything pushed to you on a phone is a scam, for example, doesn't matter what format or anything like that.

    In the long run I think this will push away from "services" and toward "apps". I would NEVER trust anything pushed to me over a service from my credit union, for example. But info from inside the app is probably legit. The problem with relying on apps is the companies find spam notifications irresistible, so I generally block notifications from almost all apps on my phone, so it's hard to send legit push notifications to customers. (For example I have no interest in marketing spam from my CU, but it would have been nice to know when deposits are made; thankfully their app lets me filter... for now...)

    The future, unfortunately, is web search is dead, replaced by AI due to AI generated webspam, and infinite free connectivity means infinite spam and scams, so you'll only be able to usefully interact with organizations via apps. It's interesting to think the multi-decade dominance of the web browser or the texting-app or even social media in general might be coming to an end for technological reasons.

    • (Score: 3, Funny) by janrinok (52) on Wednesday August 14 2024, @03:37PM (#1368583)

      Makes me wonder about an SN app....? /joke

      --
      I am not interested in knowing who people are or where they live. My interest starts and stops at our servers.