A joint investigation involving the Australian Federal Police (AFP) and New South Wales (NSW) police has culminated in the dismantling of a sophisticated smishing operation. The operation aimed to steal the identities and banking credentials of thousands of Australians.
The Smishing Operation
After a year-long investigation, Australian police were able to dismantle a smishing campaign being conducted by two men from Sydney. Smishing is phishing conducted via SMS messages rather than via emails. The investigation was conducted by AFP’s Cybercrime Operations teams located in Sydney and Melbourne, in collaboration with NSW Police. A press release was issued by the AFP yesterday providing information regarding the arrests and the smishing operation.
During a raid on premises in Sydney, police seized nine SIM boxes with hundreds of SIM cards. Also seized were mobile phones, laptops, hard drives, fake IDs, at least AUD 50,000 (USD 36,000) and a money counter. Police identified the SIM boxes as the key source of the large-scale smishing attacks. The SIM boxes, which can hold hundreds of SIM cards, were allegedly used to send bulk SMS messages to thousands of recipients at once. The messages sent by the cybercriminals purported to be from Australian banks and telecommunication companies. They were sent to mislead victims into providing personal or financial account information. This information was then used by the cybercriminals to steal victims’ identities as well as their money via their online banking accounts. AFP Commander Cybercrime Operations Chris Goldsmid said “the sophistication of the equipment used and scale of the attacks in this investigation was extreme.”
One unnamed telecommunication company saw an unprecedented 49,000 messages delivered by its network in one week. In another instance, the men allegedly sent 10,000 smishing messages over a two-week period. So far it is known that 45 people from one bank were tricked into providing their banking credentials. Of these, one person had AUD 30,000 (USD 21,000) stolen from their account. Moreover, the press release states that “Further investigations remain ongoing with financial industry partners to determine the exact extent of the fraudulent activity.”
A 50-year-old man from Macquarie Park, Sydney, was charged with a range of offences. These included eight counts of false or misleading information and one count of using a telecommunications network with intention to commit a serious offence. The man was denied bail and will need to reappear in court in November.
The other individual, a 36-year-old man from Burwood, Sydney, was also arrested but has not yet been charged. He is scheduled to be charged with similar offences at a later date.
With smishing campaigns, cybercriminals are not going for a targeted attack; they are going for volume. If cybercriminals get enough of a response for their effort, targeting is not necessary. Therefore, the fact that SMS messages can be received by any phone is an advantage. Text messages can be sent to the fanciest smartphone or to the cheapest pre-paid mobile. Furthermore, since text messages only have a maximum of 160 characters, it is easier for cybercriminals to avoid grammatical errors.
The other advantage of using smishing is that SMS messages generally use URL shorteners to save space. Consequently, when cybercriminals use shortened URLs that connect to malicious websites rather than companies’ legitimate websites, they do not look unusual. Thus, short, clipped sentences and disguised links that would not look right in an email look surprisingly natural in an SMS.
To further increase the SMS messages’ appearance of legitimacy, cybercriminals also often spoof the sender ID. In this way, instead of displaying a phone number, the SMS shows the name of the company the cybercriminals are impersonating. Moreover, these messages sometimes end up in the same thread on a person’s phone as those from the legitimate company. Thus, the use of this technique makes it even more difficult for individuals to detect an attack. Consequently, recipients of smishing scams are likely to be more easily fooled than recipients of phishing emails.
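Because neither the sender name nor the message thread can be trusted, a filter has to judge the link itself. The following triage sketch is an added example, not code from the AFP or the article; the brand `ExampleBank`, its domain, the shortener list and the keyword list are all assumptions chosen for illustration.

```python
import re

# Assumptions for this sketch: a partial shortener list and one made-up brand.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "ow.ly", "is.gd"}
BRAND_DOMAINS = {"examplebank": {"examplebank.example"}}  # hypothetical brand
CREDENTIAL_WORDS = re.compile(r"\b(verify|confirm|log ?in|password|suspended|locked)\b", re.I)
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?", re.I)

def link_hosts(body):
    """Return lower-cased hostnames of every link-like token in the text."""
    return [m.group(1).lower() for m in HOST_RE.finditer(body)]

def on_domain(host, domains):
    """True if host equals, or is a subdomain of, one of the given domains."""
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(sender_id, body):
    """Return a sorted list of flags for one SMS.

    The sender ID is never treated as proof of origin, because it can be
    spoofed; it only tells us which brand the message claims to be.
    """
    flags = set()
    hosts = link_hosts(body)
    claimed = re.sub(r"[^a-z0-9]", "", sender_id.lower())
    if any(h in SHORTENERS for h in hosts):
        flags.add("shortened_link")  # destination is hidden from the reader
    if claimed in BRAND_DOMAINS and any(
        not on_domain(h, BRAND_DOMAINS[claimed]) for h in hosts
    ):
        flags.add("brand_link_mismatch")  # named sender, link goes elsewhere
    if hosts and CREDENTIAL_WORDS.search(body):
        flags.add("credential_prompt_with_link")
    return sorted(flags)

# Constructed sample messages (not taken from the investigation).
SAMPLES = [
    ("ExampleBank", "Your account is suspended. Verify now: bit.ly/x7Kq2"),
    ("ExampleBank", "Your statement is ready at https://www.examplebank.example/s"),
    ("+61400000000", "Running late, see you at 6"),
]

if __name__ == "__main__":
    for sender, text in SAMPLES:
        print(sender, "->", triage(sender, text) or ["no_flags"])
```

The subdomain check in `on_domain` matches on the end of the hostname, so a lookalike that merely begins with the brand's domain is still reported as a mismatch.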