Police Crack SMS Phishing OperationTwo Men Accused of Sending Messages to Obtain Personal, Bank Information
Federal and New South Wales police in Australia say they've broken up a sophisticated SMS phishing scheme designed to collect personal details and bank login credentials. The investigation took more than a year.
It's a rare success in the fight against unsolicited text messages, which at the most benign end come from aggressive marketers and the more pernicious end from cybercriminals.
Two men are accused of "smishing," which is a portmanteau of SMS and phishing. Police allege the two sent tens of thousands of SMSes in one go, impersonating Australian financial institutions. The links led to phishing sites at which victims would be asked their login credentials and other personal information.
Chris Goldsmid, the Australian Federal Police's commander of cybercrime operations, tells Information Security Media Group that police seized nine SIM "boxes," which are devices that hold dozens of SIM cards and can transmit thousands of messages. The operation had a "significant capability to send SMS phishing text messages at scale," he says.
One telecommunications company, which was not identified, saw 49,000 messages delivered via its network in one week. In another case, the men allegedly sent 10,000 smishing messages over a two-week period. Forty-five customers of one bank, which was not named, were tricked, and one person had 30,000 Australian dollars ($21,100) stolen.
Two search warrants executed in the Sydney area resulted in the seizure of hundreds of SIM cards, fake ID documents, 50,000 Australian dollars, a money counter, mobile phones, hard drives, computers, methamphetamine and drug paraphernalia.
Police arrested A. Smith, 50, of Macquarie Park, who appeared during a brief hearing in Sydney Central Local Court on Wednesday. The other suspect, a 36-year-old from Burwood, is expected to be charged soon, an Australian Federal Police spokeswoman said Thursday.
Smith has been charged with eight counts of false information, abusing a telecommunications network, dealing with identity and financial information and dealing with proceeds from crime and one drug-related count.
The investigation involved major Australian banks - including ANZ, Commonwealth Bank and WestPac - and operator TPG Telecom, according to the AFP.
Goldsmid says he is limited in what he can say about the operation because the court cases are pending, and police did not want to reveal information that would serve as clues to other fraudsters.
"Criminals are always looking to exploit vulnerabilities in technology, vulnerabilities in processes, whether that is registration of SIM cards or bank accounts, and using them for crime," Goldsmid says.
Expert: How Fraudsters Evade
Australian law requires mobile phone customers to provide a name, birth date and home address to activate even a prepaid SIM card. If someone is going to activate more than five devices at once, there's more identification required, according to the Australian Communications and Media Authority.
But there are workarounds that fraudsters can employ, says Alex Tilley, a former AFP senior tech analyst in cybercrime operations who now is a researcher with Secureworks in Australia. For example, they can use stolen identity details or make up the details out of thin air. But it's a fast-moving game.
"The telcos will eventually figure it out," Tilley says. "But you need [the SIM cards] to work for one morning or maybe a week before you move on. The whole idea of this crime is you can churn it over so quickly that you are getting ahead of that detection cycle."
Once fraudsters have acquired SIM cards, those cards are put into SIM boxes. Those devices, which have legitimate uses, are also used for interconnect bypass schemes, which can deprive telecommunication companies of revenue. The SIM boxes are then networked with an operator, either through trunk lines, wireless or in other ways, Tilley says.
One technique fraudsters use to increase the appearance of legitimacy in their messages is to spoof the senderID. So rather than seeing a phone number, the message would say it came from Apple or Australian government services, such as myGov, the government services portal.
Spoofing the senderID makes it even more difficult for people to detect an attack because sometimes the messages end up in the same thread on a person's phone as those that came from the legitimate provider.
Telstra, the largest mobile operator in Australia, said last week it had developed a way to reject messages with a spoofed sender.
Targeting Phone Numbers
Another key question is how the target phone numbers were obtained. Data breaches and marketing databases could help fuel the operations. "It's very easy to get a list of thousands of thousands of Australian phone numbers that are active," Tilley says.
Often, large-scale smishing operations are not very targeted. It's common, for example, for someone to get an SMS impersonating a bank that they do not use, which is easy to dismiss. Tilley says it's a pure numbers game, and if fraudsters get enough of a response for their effort, more targeting isn't necessary.
SMS also offers an edge over phishing emails, which are more likely to be viewed with suspicion, Tilley says.
"SMS has always been the bane of existence for security people," Tilley says. "There's no guarantee of authenticity."