Unveiling Smishing, the Dark Side of Crypto SMS


In an era
where free messenger apps have almost completely dominated traditional text
messages, it might seem that after over 30 years, popular “texts” have already
become obsolete. Although we do not use them in everyday communication, they
are still willingly used as a common medium for marketing and promotion.
Unfortunately, not only among legitimate businesses but also among scammers.

After conducting
our own analysis and conversations with industry experts Finance Magnates
can clearly confirm that SMS scams are still a common problem, especially in
the cryptocurrency industry. Unscrupulous actors exploit very simple loopholes
in outdated technology by impersonating popular brands, trying to steal user
data. Exchanges, on the other hand, are helpless to stop them and honestly
admit that nothing can be done about it. But, is that really the case?

90% of the
world’s population (over 7 billion people) use mobile phones. And, although the
vast majority of them get some kind of coverage, only half have regular access
to mobile internet.

Statistics
clearly show that in recent years the number of messages exchanged via internet
messengers has outclassed SMS. WhatsApp has 2.4 billion active users every month,
Facebook Messenger 2.1 billion, and WeChat gathers 1.2 billion.

Even with
these huge numbers, traditional texts are still the most common way to reach
the widest possible audience. For the purposes of this article, I specifically
reviewed my SMS history. 90% of them are advertisements or messages with
security codes used for logging into various services and two-factor
authentication (2FA). This is exactly where scammers see their chance. And, as
it turns out, the imperfect technology of sending SMS makes it much easier for
them.

According to the recent “Scam Prevention Survey” by the Finance Magnates Group and FXStreet, nearly 22% of respondents admitted that SMS is one of the most common forms of scam they encounter, more frequent than scams on Twitter. Participate in the survey.

Fraser Edwards, the CEO at cheqd

“Banks and
exchanges still offer SMS for 2FA despite it being one of the worst 2FA options,”
explained Fraser Edwards, the CEO at cheqd, the infrastructure provided for
Trusted Data markets. “It carries a potential of SIM swap fraud or sim hacking
where a fraudster uses stolen identity documents to have a network provider
reassign a phone number to a SIM under the fraudster’s control.”

How Easy It Is to Become a
Victim of Crypto Scammers

The
inspiration to write this article was an SMS I received some time ago,
allegedly from Binance. It informed that a reward was waiting for me to
collect. The message appeared in a thread signed by my phone as
“Binance”, displaying also previous texts from the exchange with
verification codes for logging in.

Fake Binance SMS

Before I
clicked the link full of euphoria, I noticed that the page address
(binance.token-mbox) was far from the official domain used by the world’s
largest crypto exchange by volume. It turned out that at the same time, many
other Binance clients from Poland received a similar SMS. I asked the exchange
itself for comment on this matter, which openly stated that to eliminate texts security loopholes, the entire GSM technology would have to be modified. This,
however, seems unrealistic at the moment.

“To
eliminate this security loophole in SMS, the entire world would have to modify
this technology, which seems unrealistic,” Binance commented.

Two years
earlier, the exchange’s former CEO, Changpeng Zhao, had already warned about
frequent attempts at phishing and data theft via messages impersonating the
platform.

Back in October 2023, 11 Binance’s customers from Hong Kong lost nearly $500,000 due to the SMS scams. The question is, however, why is SMS spoofing possible, and why is it so easy?

How SMS Spoofing Works

The value
of cryptocurrency fraud in 2023 reached $2 billion. Of this, about $300 million
was lost due to phishing scams. A large part of the data was obtained by
scammers thanks to SMS spoofing and extorting sensitive user data via links
contained in text messages. This phenomenon even got its own name and is called
smishing (SMS phishing).

Charlotte Day, the Creative Director at Contentworks Agency

“Social engineering scams are still widely used in crypto which means they do still work,” commented
Charlotte Day, the Creative Director, at Contentworks Agency. “Crypto is the perfect lure for scammers because most people don’t really understand it, and there have been stories of overnight millionaires associated with it.”

When you
send an SMS message from your phone, certain identification information is
included with the message that identifies you as the sender. This includes your
phone number and sometimes your contact name. SMS spoofing involves using
technology to override this sender identification information and replace it
with something else.

Technically,
this works by exploiting weaknesses in the SS7 signaling protocol that is used
to route messages across telecom networks. The spoofer essentially impersonates
the sender by providing false identification credentials.

“The
problem is that operators do not verify whether the sender sending the SMS is
legally authorized to use given name. A scam SMS has the same ‘sender name’ as
legitimate SMS messages from Binance, leading the recipient’s phone to attach
this SMS to the message history from Binance,” Binance Poland representatives
explained.

As a
result, with a little bit of tech skills, it is very easy to impersonate other
companies using SMS. To the point that the phone will not distinguish between
senders and throw them into one bag, as in the Binance case described above. Why, however, are only text messages at risk, and not popular messaging apps? Telegram and WhatsApp use data connections and the internet to send messages, while SMS uses cellular networks. So, they are separate systems that don’t interact with each other to send messages.

James Young, the Head of Compliance at Transak

“Blocking
such scam messages is challenging because scammers constantly adapt their
tactic,” James Young, the Head of Compliance at Transak, commented. “Additionally,
SMS infrastructure lacks robust authentication, making it easier for malicious
actors to manipulate sender information. The biggest safeguard users can employ
to defend themselves is through education and engagement.”

7 Million Crypto Leads

The mere fact that allows for
impersonating someone via SMS is not enough to obtain the phone numbers and
contact details of individuals, such as clients of a particular exchange.

However, as it turns out, the
Internet is full of offers for selling massive packages of leads. The entire
process, from using SMS gateways, through hiding one’s identity, to the
possibility of purchasing 7 million crypto-related phone numbers for only $200,
was described by Security
Boulevard
. The procedure, in brief, goes as follows:

  • Scammers can use low-cost SMS gateways to send
    hundreds of thousands of SMS phishing messages for as little as €0.004
    ($0.0044) per message.
  • SMS gateways provide an interface linked to SIP
    trunks. that enable mass SMS spamming to
    reach people’s phones quickly. SIP trunk is a solution for companies that want
    to replace traditional analog telephony with modern VoIP telephony that enables
    call routing and advanced features.
  • Scammers can remain anonymous by purchasing SIP
    trunk access with cryptocurrency or compromising SIP devices.
  • Some SMS gateways have integrated one-time
    password bots to bypass two-factor authentication used by many online services.
  • Scammers can easily obtain large amounts of
    phone numbers to target and create SMS phishing campaigns.

Source: securityboulevard.com

By planning an entire “campaign” of
fake SMS messages targeted at 7 million people, scammers can achieve much
better results than trying to find vulnerabilities in the software of a given
exchange. They exploit the weakest element of any security system: the human
factor, which is much easier, and cheaper.

Some Countries Introduce
Regulations

SMS
spoofing exploits fundamental weaknesses in the underlying protocols and
networks that mobile communication relies on. Although it is technologically
difficult to block, some countries are trying to introduce appropriate
regulations to counter this dangerous practice.

In January
2024, Hong Kong joined the SMS sender registration scheme. The scheme will see
participating banks use registered SMS sender IDs with the prefix “#”
to send messages to local subscribers of mobile services. Texts with sender IDs
containing “#” but not sent by registered senders will be screened
out by telecom providers. Currently, 28 banks are using this system, which are also often
victims of SMS spoofing.

Similar
regulations were also introduced in Poland in the middle of last year.
Telecommunications companies are now required to block phone numbers and SMS
whose senders impersonate other firms and entities. To enable this, the law
imposes new rules for sending texts by registered companies and public
institutions. Moreover, telecom firms will be able to block suspicious smishing
messages themselves.

Looking at the fact that users from Poland received texts from a fake Binance firm shows that regulations in this area may be working only on paper.

In the
United States, similar ones were introduced back in 2019, allowing the banning of malicious
caller ID spoofing of text messages. However, this did not curb
the problem.

Who Is Most at Risk

According
to a study conducted by the British Office for National Statistics in 2022, the
group most vulnerable to phishing and smishing are older individuals who may be
more trusting of messages and fall for scams offering prizes or rewards.

However, as
it turns out, people aged between 25 and 44 are also highly vulnerable. This is because
they are the ones most often targeted by scammers as the most frequent users of
their mobile devices and, at the same time, hurried or distracted. Sources say
these users are more likely to respond without thinking critically about the
legitimacy of SMS messages.

Vugar Usi Zade, the COO of Bitget

“The
effectiveness of this technique is growing due to the high automation of our
daily processes and the increasing volume of information,” said Vugar Usi Zade, the COO of Bitget. “As a result, users are more reliant on applications and gadgets, leading to a
loss of vigilance when checking links or messages. Criminals exploit this by
altering the sender’s information and using text tricks to deceive victims into
revealing confidential information or transferring money.”

There is
also a large group of those not aware of common SMS phishing tactics and unable
to identify scam messages, making them more likely to respond or click links.
Despite technological shortcomings in this area, the human factor is still the
weakest link enabling the success of smishing.

Therefore, check the domain name it directs to several times before clicking on any link in an SMS message.

In an era
where free messenger apps have almost completely dominated traditional text
messages, it might seem that after over 30 years, popular “texts” have already
become obsolete. Although we do not use them in everyday communication, they
are still willingly used as a common medium for marketing and promotion.
Unfortunately, not only among legitimate businesses but also among scammers.

After conducting
our own analysis and conversations with industry experts Finance Magnates
can clearly confirm that SMS scams are still a common problem, especially in
the cryptocurrency industry. Unscrupulous actors exploit very simple loopholes
in outdated technology by impersonating popular brands, trying to steal user
data. Exchanges, on the other hand, are helpless to stop them and honestly
admit that nothing can be done about it. But, is that really the case?

90% of the
world’s population (over 7 billion people) use mobile phones. And, although the
vast majority of them get some kind of coverage, only half have regular access
to mobile internet.

Statistics
clearly show that in recent years the number of messages exchanged via internet
messengers has outclassed SMS. WhatsApp has 2.4 billion active users every month,
Facebook Messenger 2.1 billion, and WeChat gathers 1.2 billion.

Even with
these huge numbers, traditional texts are still the most common way to reach
the widest possible audience. For the purposes of this article, I specifically
reviewed my SMS history. 90% of them are advertisements or messages with
security codes used for logging into various services and two-factor
authentication (2FA). This is exactly where scammers see their chance. And, as
it turns out, the imperfect technology of sending SMS makes it much easier for
them.

According to the recent “Scam Prevention Survey” by the Finance Magnates Group and FXStreet, nearly 22% of respondents admitted that SMS is one of the most common forms of scam they encounter, more frequent than scams on Twitter. Participate in the survey.

Fraser Edwards, the CEO at cheqd

“Banks and
exchanges still offer SMS for 2FA despite it being one of the worst 2FA options,”
explained Fraser Edwards, the CEO at cheqd, the infrastructure provided for
Trusted Data markets. “It carries a potential of SIM swap fraud or sim hacking
where a fraudster uses stolen identity documents to have a network provider
reassign a phone number to a SIM under the fraudster’s control.”

How Easy It Is to Become a
Victim of Crypto Scammers

The
inspiration to write this article was an SMS I received some time ago,
allegedly from Binance. It informed that a reward was waiting for me to
collect. The message appeared in a thread signed by my phone as
“Binance”, displaying also previous texts from the exchange with
verification codes for logging in.

Fake Binance SMS

Before I
clicked the link full of euphoria, I noticed that the page address
(binance.token-mbox) was far from the official domain used by the world’s
largest crypto exchange by volume. It turned out that at the same time, many
other Binance clients from Poland received a similar SMS. I asked the exchange
itself for comment on this matter, which openly stated that to eliminate texts security loopholes, the entire GSM technology would have to be modified. This,
however, seems unrealistic at the moment.

“To
eliminate this security loophole in SMS, the entire world would have to modify
this technology, which seems unrealistic,” Binance commented.

Two years
earlier, the exchange’s former CEO, Changpeng Zhao, had already warned about
frequent attempts at phishing and data theft via messages impersonating the
platform.

Back in October 2023, 11 Binance’s customers from Hong Kong lost nearly $500,000 due to the SMS scams. The question is, however, why is SMS spoofing possible, and why is it so easy?

How SMS Spoofing Works

The value
of cryptocurrency fraud in 2023 reached $2 billion. Of this, about $300 million
was lost due to phishing scams. A large part of the data was obtained by
scammers thanks to SMS spoofing and extorting sensitive user data via links
contained in text messages. This phenomenon even got its own name and is called
smishing (SMS phishing).

Charlotte Day, the Creative Director at Contentworks Agency

“Social engineering scams are still widely used in crypto which means they do still work,” commented
Charlotte Day, the Creative Director, at Contentworks Agency. “Crypto is the perfect lure for scammers because most people don’t really understand it, and there have been stories of overnight millionaires associated with it.”

When you
send an SMS message from your phone, certain identification information is
included with the message that identifies you as the sender. This includes your
phone number and sometimes your contact name. SMS spoofing involves using
technology to override this sender identification information and replace it
with something else.

Technically,
this works by exploiting weaknesses in the SS7 signaling protocol that is used
to route messages across telecom networks. The spoofer essentially impersonates
the sender by providing false identification credentials.

“The
problem is that operators do not verify whether the sender sending the SMS is
legally authorized to use given name. A scam SMS has the same ‘sender name’ as
legitimate SMS messages from Binance, leading the recipient’s phone to attach
this SMS to the message history from Binance,” Binance Poland representatives
explained.

As a
result, with a little bit of tech skills, it is very easy to impersonate other
companies using SMS. To the point that the phone will not distinguish between
senders and throw them into one bag, as in the Binance case described above. Why, however, are only text messages at risk, and not popular messaging apps? Telegram and WhatsApp use data connections and the internet to send messages, while SMS uses cellular networks. So, they are separate systems that don’t interact with each other to send messages.

James Young, the Head of Compliance at Transak

“Blocking
such scam messages is challenging because scammers constantly adapt their
tactic,” James Young, the Head of Compliance at Transak, commented. “Additionally,
SMS infrastructure lacks robust authentication, making it easier for malicious
actors to manipulate sender information. The biggest safeguard users can employ
to defend themselves is through education and engagement.”

7 Million Crypto Leads

The mere fact that allows for
impersonating someone via SMS is not enough to obtain the phone numbers and
contact details of individuals, such as clients of a particular exchange.

However, as it turns out, the
Internet is full of offers for selling massive packages of leads. The entire
process, from using SMS gateways, through hiding one’s identity, to the
possibility of purchasing 7 million crypto-related phone numbers for only $200,
was described by Security
Boulevard
. The procedure, in brief, goes as follows:

  • Scammers can use low-cost SMS gateways to send
    hundreds of thousands of SMS phishing messages for as little as €0.004
    ($0.0044) per message.
  • SMS gateways provide an interface linked to SIP
    trunks. that enable mass SMS spamming to
    reach people’s phones quickly. SIP trunk is a solution for companies that want
    to replace traditional analog telephony with modern VoIP telephony that enables
    call routing and advanced features.
  • Scammers can remain anonymous by purchasing SIP
    trunk access with cryptocurrency or compromising SIP devices.
  • Some SMS gateways have integrated one-time
    password bots to bypass two-factor authentication used by many online services.
  • Scammers can easily obtain large amounts of
    phone numbers to target and create SMS phishing campaigns.

Source: securityboulevard.com

By planning an entire “campaign” of
fake SMS messages targeted at 7 million people, scammers can achieve much
better results than trying to find vulnerabilities in the software of a given
exchange. They exploit the weakest element of any security system: the human
factor, which is much easier, and cheaper.

Some Countries Introduce
Regulations

SMS
spoofing exploits fundamental weaknesses in the underlying protocols and
networks that mobile communication relies on. Although it is technologically
difficult to block, some countries are trying to introduce appropriate
regulations to counter this dangerous practice.

In January
2024, Hong Kong joined the SMS sender registration scheme. The scheme will see
participating banks use registered SMS sender IDs with the prefix “#”
to send messages to local subscribers of mobile services. Texts with sender IDs
containing “#” but not sent by registered senders will be screened
out by telecom providers. Currently, 28 banks are using this system, which are also often
victims of SMS spoofing.

Similar
regulations were also introduced in Poland in the middle of last year.
Telecommunications companies are now required to block phone numbers and SMS
whose senders impersonate other firms and entities. To enable this, the law
imposes new rules for sending texts by registered companies and public
institutions. Moreover, telecom firms will be able to block suspicious smishing
messages themselves.

Looking at the fact that users from Poland received texts from a fake Binance firm shows that regulations in this area may be working only on paper.

In the
United States, similar ones were introduced back in 2019, allowing the banning of malicious
caller ID spoofing of text messages. However, this did not curb
the problem.

Who Is Most at Risk

According
to a study conducted by the British Office for National Statistics in 2022, the
group most vulnerable to phishing and smishing are older individuals who may be
more trusting of messages and fall for scams offering prizes or rewards.

However, as
it turns out, people aged between 25 and 44 are also highly vulnerable. This is because
they are the ones most often targeted by scammers as the most frequent users of
their mobile devices and, at the same time, hurried or distracted. Sources say
these users are more likely to respond without thinking critically about the
legitimacy of SMS messages.

Vugar Usi Zade, the COO of Bitget

“The
effectiveness of this technique is growing due to the high automation of our
daily processes and the increasing volume of information,” said Vugar Usi Zade, the COO of Bitget. “As a result, users are more reliant on applications and gadgets, leading to a
loss of vigilance when checking links or messages. Criminals exploit this by
altering the sender’s information and using text tricks to deceive victims into
revealing confidential information or transferring money.”

There is
also a large group of those not aware of common SMS phishing tactics and unable
to identify scam messages, making them more likely to respond or click links.
Despite technological shortcomings in this area, the human factor is still the
weakest link enabling the success of smishing.

Therefore, check the domain name it directs to several times before clicking on any link in an SMS message.





Source link

Leave a Reply

Your email address will not be published.