The holidays are always a busy time—sending holiday cards, cooking, present shopping and giving, and spending time with family and friends. It’s also an opportune and busy time for scammers.
A new report by KrebsonSecurity reminds us that fraudsters use the holidays to launch new campaigns, in this case, SMS phishing scams. According to Krebs, phishing groups out of China are promoting phishing kits designed to create “fake but convincing e-commerce websites that convert customer payment card data into mobile wallets from Apple and Google. Experts say these same phishing groups also are now using SMS lures that promise unclaimed tax refunds and mobile rewards points.”
To illustrate the point, Krebs notes that “Over the past week, thousands of domain names were registered for scam websites that purport to offer T-Mobile customers the opportunity to claim a large number of rewards points. The phishing domains are being promoted by scam messages sent via Apple’s iMessage service or the functionally equivalent RCS messaging service built into Google phones.” The phishing websites load when the recipient visits them with a mobile device, and the scammers ask the user for their name, address, telephone number and payment card data to claim the points.
Once the card data is provided, the malicious site then asks the user to share a one-time code sent via SMS text by their bank. When the user provides the code, the fraudster can then enroll the card details in a mobile wallet and link the card to a mobile device they control. In fact, the bank sends that SMS text to the user precisely because the scammers have attempted to enroll the credit card details into a mobile wallet, and the bank is alerting the user to that attempt. It’s a very clever way to get around multi-factor authentication. This scam is targeting both T-Mobile and AT&T customers.
In addition to the points scam, the fraudsters are also spoofing tax authorities, “telling recipients they have an unclaimed tax refund. Again, the goal is to phish the user’s payment card information and one-time code.”
They are also targeting e-commerce sites. In this case, they use a similar scheme: they set up a fake e-commerce storefront and advertise it through Google and Facebook, offering consumers deals on certain items. When the user “purchases” an item from the fake website, they provide their personal information and payment card information during checkout. The shopping site then requests a one-time code from their bank “to verify the transaction,” when in fact the scammers triggered that code so they can enroll the card data in a mobile wallet. Customers don’t know they have been victimized until weeks later, when the purchased item never arrives.
Krebs also offers tips for the holiday season.
To brush up on more holiday shopping tips, check out these previous posts (Privacy Tips 12, 166, 261, 262, 264, 308, 382, and 425) which are still applicable.