Beware of these post office, bitcoin text scams.
Welcome to Cyber Security Today. It’s Friday July 3rd. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com. To our American listeners, thanks for tuning in on this long weekend.
Today’s podcast focuses on crooks taking advantage of text messaging services for attacks.
Lots of people love sending and receiving text messages because they’re fast and get immediate responses. But their brief format also means links to web pages have to be shortened to fit the length limits of a text message. However, that takes away a security defence: You don’t know where the full link goes. Criminals take advantage of that. They create catchy messages hoping you’ll click on the short link and trust it’s going to a legitimate web site. Over the years lots of people have been stung by text scams. Here are two of the latest:
Android users in an increasing number of countries are being tricked into downloading what appears to be an app from the government post office. But what they’re really doing is downloading spyware that steals text messages, contact lists, bank app details and more. This isn’t a new scam. What is different, says a cybersecurity firm called Cybereason, is that the scam now targets people in the U.S., the United Kingdom, Germany, France, China and other countries. An attack starts with a person getting a text message pretending to be from U.S. Post or the Royal Mail or whatever the local postal service is. The message may be that a package is waiting or delivery was missed or some sort of excuse, and they have to click on the link. That takes them to a fake post office page where they have to download an app with a very realistic-looking icon. During installation victims are asked to give the app permission to read or change many resources on the smartphone including the phone state, SMS messages, external storage, contacts, battery and network. That’s a big tip-off this is a scam: Why does a post office app need to read your text messages? Or access the battery? This scam is another reason why you should only download an Android app from the Google Store, and why you have to pay close attention to the permissions you grant every app you install. This scam relies on people trusting what is supposed to be an official post office app.
Another scam was revealed this week by a cybersecurity company called Group-IB. It’s aimed at greedy investors. Here’s how it works: A target receives a text message claiming a celebrity or financial advisor has a secret investment that’s making people rich. The short link in the message goes to what looks like the real site of a business news service. U.K. victims, for example, are sent to what seems to be a page from Britain’s Sun or Mirror news services. These sites have phony interviews with well-known news hosts or financial promoters. Click on any link in an article and it goes to a bitcoin investment platform website, with colorful headlines urging victims to register and buy bitcoin. Here’s another part of this scam: Targets aren’t chosen at random. The crooks select people whose names, phone numbers and email addresses they have either bought from a data broker or stolen from data breaches. So if the target gets to the bitcoin investment platform page, their personal information is automatically filled in to make it easier to open an account. Of course, the whole thing has been set up to steal personal information and money. Almost a quarter of a million people in the U.S., the United Kingdom, Australia, Singapore, Spain and other countries were sent messages in this complex scam.
Here are a few ways to reduce the odds you’re victimized. First, be careful clicking on short links in text messages, particularly if you don’t know who the message comes from. And remember, even if you know who a message comes from, their device may have been hacked and the message may be a scam. Second, double-check every website’s name whenever you enter personal or payment data. And third, just delete any get-rich-quick offers you get in text, email or social media. As for organizations, they have to do a better job of watching for fake websites that try to take advantage of the good reputation of their brands.
Finally, to our American listeners, have a happy Fourth of July tomorrow and a great long weekend.
That’s it for Cyber Security Today. Links to details about these stories can be found in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cybersecurity professionals. Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.