44 comments

[ 3.3 ms ] story [ 64.2 ms ] thread
I actually got one of these texts recently. Problem is, I don't drive or own a car. LMAO. I reported the domain they linked in the text to Cloudfare since WHOIS pointed to it.
> Smishing: A social engineering attack using fake text messages to trick people into downloading malware, sharing sensitive information, or sending money to cybercriminals. "Smishing" combines "SMS"—or "short message service," and "phishing." "Phishing" generally pertains to attacks on the internet, email, or websites.
Didn't know smishing was that common a term for this enough for its use here
I don't know how well it would scale, but from an ease-of-use perspective it feels like Quishing (eyes roll - QR Phishing) is a plague waiting to explode.

"Just scan this and donate to the red cross!". My kid's afterschool provider had some sign up form for an event they're hosting - with a QR Code to sign up / pay - which was some random third party provider. Legitimate, but _painfully_ easy to spoof...

Also, juvenile shenanigans with links to goatse et al being placed on the local plumber's van feels like an easy win for 17 yo boys everywhere.
> links to goatse

The Email service? why would people link to that? :P

The typical 17 year old hasn't even heard of goatse these days.
The parking here in Nashville got privatized (and made much worse, even 1 minute costs $2 now and no more free times/days) and the pay method uses a QR code. I am amazed no one has gone around putting fake QR codes on the signs. They'd even work better, the non-standard codes they printed don't really scan well.
I used screenshotmachine.com to look at myturnpiketollservices dot com.

It looks like the site is behind Cloudflare and CF has marked it as a phish (w/ an ignore & proceed link).

smishing is such a stupid term -- this is the kind of nonsense they invent and then test for on CompTIA et al cert exams
I found out about smishing and vishing from some mandatory security training at work.

It’s all just phishing to me, I don’t get the need for all the other terms.

> It’s all just phishing to me, I don’t get the need for all the other terms.

A. Someone wants to feel important, and write a book about it. "Read my linkedin post bout vishing... hire me for your workshop"

B. Someone is trying to highten job security. "You cant get rid of me I am the vishing expert"

(comment deleted)
Lucky for all you in US reporting these things.

For the Canadian targeted ones, they generally geo-target the page (Canadian IP = scam, foreign IP = no scam presented) and it’s an ordeal trying to get stuff taken down. I try at domain, SSL, host, Google safe search, netcraft levels and it’s often a waste of time.

Drives me bonkers when it gets assessed as “safe”.

Wild to see the extreme Smishing plus IMSI grabbing to then use an SDR to send the SMS without going through an SMS Gateway. https://commsrisk.com/chinese-arms-dealer-sold-imsi-catchers...
I thought SMS gateways weren’t really used anymore and the way to go was to buy a bunch of prepaid unlimited SIMs and blast out messages at a below-detection rate through thingies that rotate between 64/128/256 SIMs and 8-16 radios.

Like shown here: https://au.finance.yahoo.com/news/how-one-man-allegedly-cost...

The IMSI catching approach, wow!

Many simply get some proportion of their customers to install a malicious app which sends the spam from the victims phone number.
Totally secondary, but we could solve this by not giving the revenue rights for pubic good (parking meters, expressways, etc) to private companies which then have random toll websites. Just saying.
Don't they already scam people by duplicating government websites?
Interesting. I see what you mean. Limiting it to .gov domains would make this hard to do but that cat is out of the bag and, in practice, we're better served with an open bidding process.

However, I did find it painful just now to find who etimspayments.com is since they're using domain privacy even though they are the SF provider https://wmq.etimspayments.com/pbw/include/sanfrancisco/input...

I was just talking to a friend and he put in a CPRA request to find out which LLC provides that service so we'll know soon enough.

Would having an open bidding process preclude the use of .gov TLD?

Why couldn’t the highest bidder handle the payment and processing at e.g. tolls.gov?

I imagine the process of getting a .gov TLD and transferring it is currently arduous - perhaps because that .gov is a heavy hitter TLD. If so, local governments may lack the resources to put into place improvements for their constituents if blocked on that TLD. But if it is the case that the process for that is simple then what you say is reasonable.
He got back to me. It's Conduent State and Local Solutions.
(comment deleted)
The FBI should become a virtual credit card issuer and allow anyone who thinks they are being scammed by a phishing/smishing/etc. scam to generate a fake card (with no balance attached to it) to give to the scammers. Seems like that would give them enough information to track down the bad guys, or at least to track down their enablers.
People would blacklist FBI VCCs
Hard to do if the FBI were to work with several major banks and getting numbers from their ranges. And obviously the numbers would be single/limited use.
If they wanted to trace the transactions, it wouldn't require anything as complex as this. They could trace existing transactions with a warrant, which I assume would be easy to get.

The truth is, LEO don't give a shit about these types of crimes, because the CC companies have the fraud already built into their business models (e.g., they've priced in losses).

Many such scams must work, otherwise they wouldn't keep happening.

I suspect CC companies refund the ones who complain, but enough victims of smaller scams never complain and thus it pays off.

What would help is shared liability, and mandatory full refunds for all victims, not just those that come forward. For example, a consumer protection agency or association could prove that a certain company was scamming, and get a court order forcing the payment companies to reverse all transactions associated with that company.

Suddenly, all those "FREE SUBSCRIPTION *turns into a $49/month, 6 month minimum subscription if not cancelled within 7 days" (with the "free" repeated in huge letters and the subscription terms hidden in the finest fine print) scams would become risky enough that the payment providers would no longer be happy to enable them for a small percentage of the loot.

(comment deleted)
I thought of the same thing with those automated calls asking to make a donation for breast cancer research, or inured fireman.

The whole thing is automated, from asking for a donation, asking you to send it with a credit card vs a letter in the mail, to telling you 'oh I'm a real person' when CLEARLY they're not (or they all talk the same... /s).

This money goes somewhere. It's the same voice. It's the same scammer. Nothing is being done about it. You'd think some breast cancer organization would sue them to make it go away.

Anyone else think the the term smishing is too cute and confusing, and "text message phishing" should be used instead?
I refuse to say smishing aloud.

Tishing would be more easily inferred than Smishing if they want to keep the phishing part for recognition. I can't find or think of any other examples in English where we combine a word with an acronyms first 2 letters pronounced phonetically.

Lollercopter?

> visit https://myturnpiketollservices.com to settle your balance

This is partly the fault of these rent collectors—they all use some shady-sounding but vaguely-related third party to settle fines (something like paymyparkingticket.com or paymyhospitalbill.com). Use your own domain, put a subdomain on it, and CNAME over to the third party so we can have some trust.

Id imagine most of the customers of paymyGENERIC_SERVICE.com would see not having to touch DNS as a useful feature of the payment collection service.
This scam has been going on for a few years and outside the US as well, I just received another two such scam texts overnight. They pretend to send payment demands as local toll operators although links do not look convincing.

I ended up logging a support ticket with my local telco 2-3 years back, and got a phone call back from an engineer who stated that the scam messages are mostly spread by infected (unpatched) Android phones that the malware runs on.

The curious thing the engineer also mentioned was that they were applying mitigations on the telco side – to suspend the infected phones from accessing the mobile network and notifying the user of the problem. Although with many Android phones no longer receiving security updates any more, I am not sure what the recourse could be for an average user Joe.

we're shutting down approx 3,000 phone numbers per week re: SMShing and Vishing scams

apurcell@opsecsecurityonline.com