A surge in SMS phishing attacks this week took security experts by surprise and tricked victims into providing credit card and other sensitive information to scammers, a researcher said today.
The phishing onslaught, which targeted customers of the major cellular carriers in the U.S., started on Tuesday, said Mary Landesman, senior security researcher at security provider Cloudmark.
The number of SMS-based phishing attempts that Cloudmark observed, based on reports from consumers, rose more than 900 percent during the first week of September compared with what would be expected over that period in a normal month, she said in an interview.
"This is the first example of a truly large-scale campaign for phishing" using text messages, she said. "This is pretty much unprecedented."
"Investigation reveals the attackers are using several phone ploys to trick victims into divulging sensitive credentials," she wrote in a blog post today. "These ploys range from claims of Bank of America account suspensions, Macy's credit card collections, and even the U.S. Veteran's Administration health services."
When the SMS recipient calls the number, an automated message asks for account and other data that can be used for bank and credit card fraud. Stolen information can be used in social engineering scams targeting other accounts of the same victim.
For instance, a "561" number used in the scams, which claims to belong to Bank of America, instructs callers to provide their account credit card number, expiration date, PIN and other information. There are more than 500 different text messages being sent out referring people to at least 20 different phone numbers.
"Currently, phishing is at the No. 1 spot (for SMS threats) just because of this outbreak," Landesman said. And complaints posted in forums and other Web sites reveal that people are indeed getting duped by the scams, she added.
While people are accustomed to e-mail spam, they don't realize that their phone numbers are exposed and can be targeted as well. "People expect their e-mail address to be out there everywhere, but they think their phone number is somehow sacred," Landesman said. They don't know that scammers are "randomly guessing phone numbers and dialers are dialing numbers in sequence."
Consumers can report the phishing text messages to their carrier by texting them to short code "7726." Trusted organizations do not contact customers and ask for information in this manner, so people should avoid making calls or providing information based on any unsolicited text messages.
Each carrier provides different instructions for blocking unwanted text messages. Here are the pertinent links: