Bank and account phishing has become the top SMS attack in the U.S. in recent months, overtaking spam and other scams targeting mobile devices, according to new research from Cloudmark.
In October, bank and account phishing was the top U.S. SMS attack type, accounting for about 28 percent of attacks, the research indicated, with scams involving winning free stuff coming in second at roughly 25 percent. Payday loan spam and product promotion spam each hovered around 13 percent, while auction and sale site spam declined to about five percent.
In September, 46 percent of “bad texts” in the U.S. were SMS phishing attacks, a number that jumped up from 15 percent in August, according to the research.
In a Wednesday email correspondence, Tom Landesman, security researcher at Cloudmark, told SCMagazine.com that SMS phishing messages typically aim to scare recipients into clicking a link and are many times sent using what is known as a SIM farm. Cloudmark noted an increasing use of malicious pages hosted on previously established websites.
“These are big boxes that plug in dozens if not over a hundred SIM cards at once, allowing the spammer the capability of automated sending from essentially over a hundred phones at once,” Landesman said. “Another primary source is email-to-SMS or web-to-SMS gateways that are provided by various entities. These provide easy forms and email addresses ripe for automated messaging.”
Getting the phone numbers is not all that much of a challenge, Landesman indicated. As opposed to email addresses, the set of phone numbers used in each country is small for computers, he said, explaining that spammers could easily send out messages to random phone numbers and just wait for hits.
“More enterprising spammers sometimes buy lists of ‘hot’ phone numbers to use in their campaigns for better results,” Landesman said. “These usually come from other spammers who've used the previous methods, had recipients respond with something like ‘STOP’ back to them, and packaged up the list of numbers for sale.”
At 16.1 percent, Odessa and the Western Texas region tops the list of U.S. cities most prone to receiving SMS phishing, according to the research. Denver came in at 4.0 percent, Seattle at 2.6 percent, Austin at 2.5 percent, Los Angeles at 2.3 percent, Vancouver at 2.1 percent, San Diego at 2.0 percent, Spokane at 1.9 percent, and Toms River, N.J., at 1.8 percent.
Cloudmark noted in the research that, with the exception of Los Angeles, none of the most populated cities in the U.S. made the list.
“This could be due to a number of issues, but it is typically based on where spammers are seeing the greatest financial success for their campaigns,” Landesman said. “We've seen campaigns targeting rural parts of the states NC and SC with debit card phishing attempts meant to steal cards issued by the state solely for Child Support. Similarly, tax return debit cards issued by the IRS for those unable [or] unwilling to cash a check have been phished in areas of the Midwest.”
The top SMS threat for people in New York City as of October, at 37.3 percent, is auction and sale site spam. At 6.6 percent, bank and account phishing fell near the bottom in the city.