I actually got one of these texts recently. Problem is, I don't drive or own a car. LMAO. I reported the domain they linked in the text to Cloudfare since WHOIS pointed to it.
> Smishing: A social engineering attack using fake text messages to trick people into downloading malware, sharing sensitive information, or sending money to cybercriminals. "Smishing" combines "SMS"—or "short message service," and "phishing." "Phishing" generally pertains to attacks on the internet, email, or websites.
I don't know how well it would scale, but from an ease-of-use perspective it feels like Quishing (eyes roll - QR Phishing) is a plague waiting to explode.
"Just scan this and donate to the red cross!". My kid's afterschool provider had some sign up form for an event they're hosting - with a QR Code to sign up / pay - which was some random third party provider. Legitimate, but _painfully_ easy to spoof...
There was an explosion about 6-7 months ago reported on Reddit in the amount of phishing emails with QR codes in them. Because they have no URLs in them and the actual phishing happens off-device with no endpoint security, they seem to be bypassing a lot of filters.
The parking here in Nashville got privatized (and made much worse, even 1 minute costs $2 now and no more free times/days) and the pay method uses a QR code. I am amazed no one has gone around putting fake QR codes on the signs. They'd even work better, the non-standard codes they printed don't really scan well.
For the Canadian targeted ones, they generally geo-target the page (Canadian IP = scam, foreign IP = no scam presented) and it’s an ordeal trying to get stuff taken down. I try at domain, SSL, host, Google safe search, netcraft levels and it’s often a waste of time.
Drives me bonkers when it gets assessed as “safe”.
I thought SMS gateways weren’t really used anymore and the way to go was to buy a bunch of prepaid unlimited SIMs and blast out messages at a below-detection rate through thingies that rotate between 64/128/256 SIMs and 8-16 radios.
Totally secondary, but we could solve this by not giving the revenue rights for pubic good (parking meters, expressways, etc) to private companies which then have random toll websites. Just saying.
Interesting. I see what you mean. Limiting it to .gov domains would make this hard to do but that cat is out of the bag and, in practice, we're better served with an open bidding process.
I imagine the process of getting a .gov TLD and transferring it is currently arduous - perhaps because that .gov is a heavy hitter TLD. If so, local governments may lack the resources to put into place improvements for their constituents if blocked on that TLD. But if it is the case that the process for that is simple then what you say is reasonable.
The FBI should become a virtual credit card issuer and allow anyone who thinks they are being scammed by a phishing/smishing/etc. scam to generate a fake card (with no balance attached to it) to give to the scammers. Seems like that would give them enough information to track down the bad guys, or at least to track down their enablers.
Hard to do if the FBI were to work with several major banks and getting numbers from their ranges. And obviously the numbers would be single/limited use.
If they wanted to trace the transactions, it wouldn't require anything as complex as this. They could trace existing transactions with a warrant, which I assume would be easy to get.
The truth is, LEO don't give a shit about these types of crimes, because the CC companies have the fraud already built into their business models (e.g., they've priced in losses).
Many such scams must work, otherwise they wouldn't keep happening.
I suspect CC companies refund the ones who complain, but enough victims of smaller scams never complain and thus it pays off.
What would help is shared liability, and mandatory full refunds for all victims, not just those that come forward. For example, a consumer protection agency or association could prove that a certain company was scamming, and get a court order forcing the payment companies to reverse all transactions associated with that company.
Suddenly, all those "FREE SUBSCRIPTION *turns into a $49/month, 6 month minimum subscription if not cancelled within 7 days" (with the "free" repeated in huge letters and the subscription terms hidden in the finest fine print) scams would become risky enough that the payment providers would no longer be happy to enable them for a small percentage of the loot.
I thought of the same thing with those automated calls asking to make a donation for breast cancer research, or inured fireman.
The whole thing is automated, from asking for a donation, asking you to send it with a credit card vs a letter in the mail, to telling you 'oh I'm a real person' when CLEARLY they're not (or they all talk the same... /s).
This money goes somewhere. It's the same voice. It's the same scammer. Nothing is being done about it. You'd think some breast cancer organization would sue them to make it go away.
Tishing would be more easily inferred than Smishing if they want to keep the phishing part for recognition. I can't find or think of any other examples in English where we combine a word with an acronyms first 2 letters pronounced phonetically.
This is partly the fault of these rent collectors—they all use some shady-sounding but vaguely-related third party to settle fines (something like paymyparkingticket.com or paymyhospitalbill.com). Use your own domain, put a subdomain on it, and CNAME over to the third party so we can have some trust.
This scam has been going on for a few years and outside the US as well, I just received another two such scam texts overnight. They pretend to send payment demands as local toll operators although links do not look convincing.
I ended up logging a support ticket with my local telco 2-3 years back, and got a phone call back from an engineer who stated that the scam messages are mostly spread by infected (unpatched) Android phones that the malware runs on.
The curious thing the engineer also mentioned was that they were applying mitigations on the telco side – to suspend the infected phones from accessing the mobile network and notifying the user of the problem. Although with many Android phones no longer receiving security updates any more, I am not sure what the recourse could be for an average user Joe.
44 comments
[ 3.3 ms ] story [ 64.2 ms ] thread"Just scan this and donate to the red cross!". My kid's afterschool provider had some sign up form for an event they're hosting - with a QR Code to sign up / pay - which was some random third party provider. Legitimate, but _painfully_ easy to spoof...
The Email service? why would people link to that? :P
https://www.reddit.com/r/sysadmin/comments/16oh8ar/how_is_ev...
https://www.reddit.com/r/cybersecurity/comments/16mn6ve/how_...
It looks like the site is behind Cloudflare and CF has marked it as a phish (w/ an ignore & proceed link).
It’s all just phishing to me, I don’t get the need for all the other terms.
A. Someone wants to feel important, and write a book about it. "Read my linkedin post bout vishing... hire me for your workshop"
B. Someone is trying to highten job security. "You cant get rid of me I am the vishing expert"
For the Canadian targeted ones, they generally geo-target the page (Canadian IP = scam, foreign IP = no scam presented) and it’s an ordeal trying to get stuff taken down. I try at domain, SSL, host, Google safe search, netcraft levels and it’s often a waste of time.
Drives me bonkers when it gets assessed as “safe”.
Like shown here: https://au.finance.yahoo.com/news/how-one-man-allegedly-cost...
The IMSI catching approach, wow!
However, I did find it painful just now to find who etimspayments.com is since they're using domain privacy even though they are the SF provider https://wmq.etimspayments.com/pbw/include/sanfrancisco/input...
I was just talking to a friend and he put in a CPRA request to find out which LLC provides that service so we'll know soon enough.
Why couldn’t the highest bidder handle the payment and processing at e.g. tolls.gov?
The truth is, LEO don't give a shit about these types of crimes, because the CC companies have the fraud already built into their business models (e.g., they've priced in losses).
I suspect CC companies refund the ones who complain, but enough victims of smaller scams never complain and thus it pays off.
What would help is shared liability, and mandatory full refunds for all victims, not just those that come forward. For example, a consumer protection agency or association could prove that a certain company was scamming, and get a court order forcing the payment companies to reverse all transactions associated with that company.
Suddenly, all those "FREE SUBSCRIPTION *turns into a $49/month, 6 month minimum subscription if not cancelled within 7 days" (with the "free" repeated in huge letters and the subscription terms hidden in the finest fine print) scams would become risky enough that the payment providers would no longer be happy to enable them for a small percentage of the loot.
The whole thing is automated, from asking for a donation, asking you to send it with a credit card vs a letter in the mail, to telling you 'oh I'm a real person' when CLEARLY they're not (or they all talk the same... /s).
This money goes somewhere. It's the same voice. It's the same scammer. Nothing is being done about it. You'd think some breast cancer organization would sue them to make it go away.
Tishing would be more easily inferred than Smishing if they want to keep the phishing part for recognition. I can't find or think of any other examples in English where we combine a word with an acronyms first 2 letters pronounced phonetically.
Lollercopter?
This is partly the fault of these rent collectors—they all use some shady-sounding but vaguely-related third party to settle fines (something like paymyparkingticket.com or paymyhospitalbill.com). Use your own domain, put a subdomain on it, and CNAME over to the third party so we can have some trust.
I ended up logging a support ticket with my local telco 2-3 years back, and got a phone call back from an engineer who stated that the scam messages are mostly spread by infected (unpatched) Android phones that the malware runs on.
The curious thing the engineer also mentioned was that they were applying mitigations on the telco side – to suspend the infected phones from accessing the mobile network and notifying the user of the problem. Although with many Android phones no longer receiving security updates any more, I am not sure what the recourse could be for an average user Joe.
apurcell@opsecsecurityonline.com