SMS phishing tactics are becoming more sophisticated as the year comes to an end, targeting mobile wallet enrollment by posing as reward-points offers or tax office notifications



Security expert Brian Krebs warns that SMS phishing scammers are evolving beyond the traditional 'missing package' and 'unpaid toll' lures to target mobile wallets in the run-up to the holiday season, posing as reward-points offers or tax refund notices.

SMS Phishers Pivot to Points, Taxes, Fake Retailers – Krebs on Security

https://krebsonsecurity.com/2025/12/sms-phishers-pivot-to-points-taxes-fake-retailers/

Traditional phishing has relied on alarming recipients into clicking a link; the tactics Krebs is now warning about bait them more directly with the prospect of financial gain.

Specifically, fraudsters have begun sending SMS messages promising unclaimed tax refunds and reward points. For example, fake websites promising large amounts of points are being registered in bulk and advertised through fraudulent messages aimed at customers of specific carriers.



What's new in this scheme is that the stolen payment details are used to enroll the victim's card in a mobile wallet. After the victim enters their payment card details, the fraudsters request a one-time code from the bank. This one-time code is itself legitimate: the bank issues it as part of the process of registering a payment card with Apple's or Google's mobile wallet. However, once the victim enters it into the phishing site, the fraudsters can link the victim's card to a smartphone or other device that they control.



In one case, a scam impersonating a US state tax authority claimed the recipient had an unclaimed tax refund, again with the goal of tricking the user into providing payment card information and a one-time code.



Fake shopping sites are less likely than traditional phishing domains to be flagged as malicious right away, and because they only load their malicious code during the checkout step, they are hard to spot through mass web scans. Many users don't realize they've been tricked until weeks later, when their purchases haven't arrived.

In addition to being delivered as links via SMS, fake websites may also pose as genuine retailers and openly advertise discounts on specific products. These ads also appear on Google and Facebook, so users may find the sites through search results.



Furthermore, fraud groups are selling phishing kits that can be used to spin up a large number of fake online shopping sites. No matter how many are blocked, new fake online shopping sites keep popping up like bamboo shoots after the rain.

Is the surge in SMS phishing spam due to new features in China's popular phishing kit?



According to security researcher Ford Merrill, many people rush to do their online shopping around the end of the year, which leaves them distracted and more susceptible to phishing scams. As a first step, it's important to be suspicious of tempting offers like unclaimed tax refunds or high-value reward points. Even if you receive an SMS warning that there's a problem with your order or delivery, don't click on any links or attachments in the message. Always go directly to the official online shopping site or delivery service page to check the situation.

Other measures include checking the creation date of the domain you are visiting with a WHOIS lookup, checking whether shipping and handling fees are unusually high, whether the return policy is understandable, and whether there are any hidden additional fees. Additionally, Krebs said, 'The most important measure is to carefully monitor your credit card statement each month and promptly dispute any charges you don't recognize.'
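The domain-age check recommended above, as an added example that is not from the article or from Krebs: a Python function that reads the creation date out of a WHOIS record and flags a domain registered within the last 90 days. The WHOIS text, the domain name and the 90-day threshold are constructed assumptions for illustration.

```python
# Added example: flag a shop domain as newly registered from its WHOIS record.
# Not code from the article or from Krebs; the record below is constructed.
import re
from datetime import datetime, timezone

# Constructed WHOIS excerpt for a hypothetical domain; not a real record.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-DEALS-OUTLET.SHOP
Registrar: Example Registrar, Inc.
Creation Date: 2025-11-28T09:14:05Z
Updated Date: 2025-11-28T09:14:05Z
Registry Expiry Date: 2026-11-28T09:14:05Z
"""

# Assumed date of the check, fixed so the example runs offline and repeatably.
CHECKED_ON = datetime(2025, 12, 15, tzinfo=timezone.utc)

# Field names and date formats vary by registry; these cover the common ones.
_CREATED_RE = re.compile(
    r"^\s*(?:Creation Date|Created On|Registered On|Registration Date|created):\s*(\S+)",
    re.IGNORECASE | re.MULTILINE,
)
_DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S%z", "%Y-%m-%d", "%d-%b-%Y")

def parse_creation_date(whois_text: str):
    """Return the domain creation date as an aware UTC datetime, or None if absent."""
    m = _CREATED_RE.search(whois_text)
    if not m:
        return None
    raw = m.group(1)
    for fmt in _DATE_FORMATS:
        try:
            dt = datetime.strptime(raw, fmt)
        except ValueError:
            continue
        if dt.tzinfo is None:
            dt = dt.replace(tzinfo=timezone.utc)
        return dt.astimezone(timezone.utc)
    return None

def domain_age_days(whois_text: str, now: datetime):
    """Whole days since registration, or None when no creation date was found."""
    created = parse_creation_date(whois_text)
    return None if created is None else (now - created).days

def is_suspiciously_new(whois_text: str, now: datetime, max_age_days: int = 90) -> bool:
    """True when the domain is younger than max_age_days or its creation date is missing."""
    age = domain_age_days(whois_text, now)
    return age is None or age < max_age_days

def check_sample():
    return domain_age_days(SAMPLE_WHOIS, CHECKED_ON), is_suspiciously_new(SAMPLE_WHOIS, CHECKED_ON)
```

A missing creation date is treated as suspicious rather than ignored, since privacy-redacted or malformed records are common on throwaway domains.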

in Security, Posted by log1i_yk