Study Sheds Light on Shady World of Text Message Phishing Scams

“Most people associate cybercrime with some sort of shady infrastructure,” Nahapetyan says. “But these phishing scam operations are being run using the same infrastructure as everyone else.”

The researchers also found that some phishers are setting up their own domains, which they use to host their own URL shorteners.

“This raises the possibility that the private URL-shortening services provide some additional protection to phishers, or that this is a service being sold to phishers as part of the phishing ecosystem,” says Nahapetyan. “That’s an area for future research.”

The researchers also tested the defenses of telecom services by sending their own (harmless) phishing messages to 10 phone numbers. They did this directly from a privately-owned phone, and again from a bulk messaging service. All of the phishing messages were delivered successfully. However, the bulk messaging service then banned the researcher’s account.

The researchers also looked for bulk messaging services that phishers would be able to use repeatedly – and they found them. The services that enabled phishing attacks were not hiding in shadowy corners of the internet, but advertising openly on public social media platforms, such as LinkedIn.

“Altogether, the findings underscore two things,” says Nahapetyan. “First, we already knew that there was an entire email phishing economy, and this work makes clear that this is true for SMS phishing as well. Someone can come in and buy an entire operation ready to go – the code, the URL, the bulk messaging, everything. And if their site gets shut down, or their messaging service gets banned, they don’t care – they’ll just move on to the next one.

“Second, we found that messages from many phishing operations include what appear to be notes to themselves. For example, a text may end with the words ‘route 7’ or ‘route 9’ or whatever. This suggests that phishers are using SMS gateways to test different routes for delivering phishing messages, in order to determine which routes are most likely to let their message through.”

In at least four instances, the researchers identified these “test messages” – including the URL the phishers were using – before the phishers had fully deployed their web infrastructure at the URL.

“This tells us that the messages were sent before the phishing attacks were launched in earnest,” says Nahapetyan. “That’s important because it suggests that, by monitoring SMS gateways, we may be able to identify some phishing URLs before phishers roll their attacks out on a large scale. That would make those phishing campaigns easier to identify and block before any users share private data.”
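The gateway-monitoring idea described above, sketched as an added example (not code from the paper or the researchers): it flags messages that carry a URL and end in a route marker, then records when each host was first seen and which routes were tried. The message feed, the `route <number>` marker format, and all domains are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample of (ISO timestamp, body) pairs, as a monitor of a
# public SMS gateway might collect them. Domains are reserved example names.
MESSAGES = [
    ("2024-03-01T09:12:00", "Your parcel is held. Confirm at https://pkg-help.example/t/a1 route 7"),
    ("2024-03-01T09:14:00", "Your parcel is held. Confirm at https://pkg-help.example/t/a1 route 9"),
    ("2024-03-01T10:02:00", "Your verification code is 481516"),
    ("2024-03-02T08:30:00", "Bank alert: review activity http://acct-check.example/login Route 3 "),
    ("2024-03-02T11:45:00", "Lunch at noon? Take route 66, see https://maps.example/r"),
]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Assumed marker shape: the message *ends* with "route <number>".
ROUTE_RE = re.compile(r"\broute\s*(\d{1,3})$", re.IGNORECASE)


def find_route_tests(messages):
    """Return {host: {first_seen, routes, urls, multi_route}} for test-like messages."""
    hits = defaultdict(lambda: {"first_seen": None, "routes": set(), "urls": set()})
    for ts, body in messages:
        text = body.strip()
        marker = ROUTE_RE.search(text)
        if not marker:
            continue  # no trailing route note, so not a candidate test message
        # Only consider URLs that appear before the trailing marker.
        for url in URL_RE.findall(text[:marker.start()]):
            host = (urlsplit(url).hostname or "").lower()
            if not host:
                continue
            entry = hits[host]
            entry["routes"].add(int(marker.group(1)))
            entry["urls"].add(url)
            # ISO 8601 timestamps in one timezone sort lexicographically.
            if entry["first_seen"] is None or ts < entry["first_seen"]:
                entry["first_seen"] = ts
    return {
        host: {"first_seen": e["first_seen"], "routes": sorted(e["routes"]),
               "urls": sorted(e["urls"]), "multi_route": len(e["routes"]) > 1}
        for host, e in hits.items()
    }


if __name__ == "__main__":
    # Hosts seen with several distinct routes are the strongest candidates.
    for host, info in sorted(find_route_tests(MESSAGES).items(),
                             key=lambda kv: kv[1]["first_seen"]):
        print(host, info)
```

Hosts flagged this way are candidates for blocklist review, not confirmed phishing sites; a host seen with several distinct route numbers is the stronger signal.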

The paper, “On SMS Phishing Tactics and Infrastructure,” was presented May 20 at the IEEE Symposium on Security and Privacy, which was held in San Francisco, Calif.

Matt Shipman is a science writer and research communications lead at North Carolina State University. The article was originally posted to the website of North Carolina State University.