Researchers have collected and analyzed an unprecedented amount of data on SMS phishing attacks, revealing the extensive scope and intricate nature of these operations. Their work not only provides valuable insights into how SMS phishing is conducted but also suggests new techniques for data collection and potential strategies for law enforcement to combat these scams.
SMS Phishing: A Growing Threat
SMS phishing, or "smishing," involves scammers using text messages to trick recipients into sharing private information, such as credit card numbers or passwords, by impersonating trusted entities like banks or government agencies. According to Alex Nahapetyan, first author of the study and a Ph.D. student at North Carolina State University, 2023 saw an unprecedented surge in phishing attacks, yet data on these attacks remains scarce due to privacy concerns from telecommunications companies.
Innovative Data Collection Method
To circumvent these limitations, researchers utilized SMS gateways—online services providing disposable phone numbers—to monitor phishing activity. By observing 2,011 disposable phone numbers over 396 days, they identified 67,991 phishing messages, which were further analyzed to uncover 35,128 unique campaigns associated with 600 distinct phishing operations.
Key Findings and Surprising Insights
The study, presented at the IEEE Symposium on Security and Privacy, uncovered several notable findings:
- Use of Mainstream Infrastructure: Contrary to common perceptions of cybercrime, many phishing operations use mainstream servers, URL-shortening apps, and common web infrastructure.
- Private URL-Shorteners: Some phishers set up their own domains to host URL-shortening services, potentially offering additional protection or being sold as part of a phishing ecosystem.
- Phishing Ecosystem: There exists an established SMS phishing economy where one can purchase a complete phishing operation, including code, URLs, and bulk messaging services.
- Testing Routes: Phishers often include notes like "route 7" or "route 9" in messages, indicating tests to determine the most effective delivery routes.
Testing Telecom Defenses
The researchers also evaluated the robustness of telecom services by sending harmless phishing messages to ten phone numbers. All messages were delivered successfully, though their bulk messaging account was subsequently banned. Despite this, the researchers identified bulk messaging services that repeatedly facilitated phishing, openly advertising on platforms like LinkedIn.
Preventive Measures and Future Research
By monitoring SMS gateways, researchers were able to identify test messages and phishing URLs before attacks were fully deployed, suggesting a method to preemptively block phishing campaigns. Nahapetyan highlights that this proactive approach could significantly mitigate the risk to users.
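An added sketch of that early-warning idea, not code from the study: it scans messages received on monitored numbers for route-test notes such as "route 7" and reports each link host that appeared in a test message, along with when the first non-test message using that host arrived. The sample messages, hostnames and the `early_warnings` function are constructed for illustration, and treating any "route N" note as a test marker is an assumption.

```python
import re
from urllib.parse import urlsplit

# Constructed sample inbox for one monitored disposable number (not real data).
# Each entry is (ISO-8601 receive time, message body).
MESSAGES = [
    ("2024-01-03T09:12:00", "test route 7 http://short.example/a1"),
    ("2024-01-03T09:13:00", "test route 9 http://short.example/a1"),
    ("2024-01-03T10:00:00", "Your code is 481516"),
    ("2024-01-05T14:30:00", "Bank alert: verify your account http://short.example/a1"),
    ("2024-01-06T08:00:00", "Parcel held, pay fee: https://pkg.example/track"),
]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
ROUTE_RE = re.compile(r"\broute\s*(\d+)\b", re.I)  # assumed test-marker pattern

def hosts(body):
    """Lower-cased hostnames of every http(s) link in a message body."""
    found = set()
    for url in URL_RE.findall(body):
        host = urlsplit(url.rstrip(".,;:!?)")).hostname
        if host:
            found.add(host.lower())
    return found

def early_warnings(messages):
    """Map each host seen in a route-test message to its test and campaign times."""
    seen = {}
    for ts, body in sorted(messages):  # ISO timestamps sort chronologically
        routes = ROUTE_RE.findall(body)
        for host in hosts(body):
            rec = seen.setdefault(
                host, {"first_test": None, "routes": set(), "first_campaign": None})
            if routes:
                rec["first_test"] = rec["first_test"] or ts
                rec["routes"].update(int(r) for r in routes)
            elif rec["first_campaign"] is None:
                rec["first_campaign"] = ts
    # Only hosts that showed up in a test message are blocklist candidates.
    return {h: {**r, "routes": sorted(r["routes"])}
            for h, r in seen.items() if r["first_test"]}

if __name__ == "__main__":
    for host, rec in early_warnings(MESSAGES).items():
        print(host, rec)
```

The gap between `first_test` and `first_campaign` is the window in which a host could be reviewed and blocked before the lure messages go out.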
The paper, titled "On SMS Phishing Tactics and Infrastructure," was co-authored by Brad Reaves, an associate professor of computer science at NC State, along with Ph.D. student Sathvik Prasad, former undergraduate Kevin Childs, associate professor Alexandros Kapravelos, and Adam Oest and Yeganeh Ladwig of PayPal. This collaborative effort underscores the critical need for continued research and innovative solutions to combat the evolving threat of SMS phishing.
More: https://techxplore.com/news/2024-05-shady-world-text-message-phishing.html
