From Cradle to Grave: Targeting Child Support and Social Security with Area Codes

In 2013, we've seen spammers up the SMS spam ante using a potent combination of older methods. One of the techniques is to focus on specific area codes for a better return on investment (ROI). Honing in on specific area codes is by no means a new technique, but there are some interesting twists this year. The chart below details the 25 area codes that have received the most SMS spam to date in 2013.

  Three of the most targeted area codes are in South Florida. Comprising roughly 84% of South Florida's August SMS spam are "We Buy Junk Car" texts that residents of the area are all too familiar with. The messages have been flooding mobile phones for over a year now. The senders, looking to tow off junk vehicles, are relatively locked in to their immediate area. After a certain distance, potential leads are no longer economically viable due to the cost of towing. So, the spammers are targeting only these accessible areas, hoping to squeeze out every last possible lead.

"The trust of the innocent is the liar's most useful tool." - Stephen King

Trust is the cornerstone of any happy phishing attempt. Through misdirection they're able to convince you that they're a trustworthy official from any number of organizations, banks, or sites that you are a member of. While the form of misdirection varies, we often see SMS phishing (SMiShing) attempts target a set of recipients with detailed guesses. Some SMS spam and phishing campaigns have blanketed mobile users with messages that include randomly chosen first names in the hopes of hitting a matching recipient. Others have used detailed contact information from popular social media sites to custom tailor their unsolicited messages with your exact name and number. Similar techniques are used with bank names and warnings of fraudulent activity to lull the victim into a false sense of ironic security. Even more precise, phishers will sometimes include the first four to six digits of a banks' credit/debit cards since these publicly available numbers are potent and easy to fetch. The following is a breakdown of the top area codes receiving such phishing attempts in 2013.

Percent Volume of Received SMS Bank Phishing by Area Code, 2013 (To Date)

A quick dive into the specific phishing messages plaguing each individual area code revealed a combination weaving in these older ploys with the geographic targeting of area codes. Upon further investigation, it seemed that almost every single phishing message sent to 210 (servicing the greater San Antonio area) posed as Generations Federal Credit Union. 'Coincidentally' Generations FCU just so happens to be based in San Antonio. Phishers also claimed that 'Your card starting with [the first six digits of all Generations FCU cards]' had been compromised. Such attacks were not isolated to San Antonio. In Cincinnati, spam targeting area code 513 were tailored to Fifth Third Bank customers. Guess where Fifth Third Bank has its headquarters? You got it: Cincinnati, OH. Our number four spot, 216 in Cleveland, was inundated with Key Bank phishing attempts. Key Bank just so happens to be headquartered in Cleveland. Live in northern Alabama with a 256 area code? You might have seen a few fake messages from WinSouth Credit Union that is based in your area. Central PA's 717 received texts impersonating Susquehanna Valley Federal Credit Union of Camp Hill, PA (just outside of Harrisburg). OmniAmerican was impersonated in their own 817 backyard of Forth Worth. Hailing from California, the ninth most popular area code, 310, saw imposter Harbor Federal Credit Union and California Credit Union texts. Curiously, the other three area codes in the top ten were for North Carolina. Phishing texts aimed at 828, 910, and 919 masqueraded as prepaid card provider smiONE. Charlotte, a major banking capital for the eastern seaboard and the most densely populated city in the state, is not encompassed by any of the three. But, why just in this single state across multiple, less-populated area codes? It turns out that in North Carolina, smiONE provides a means for paying child support via prepaid debit card called the NCKIDSCARD. Kids Card. Phishers - now they swipe child support money from kids. Moving westward, attackers even sought social security benefits issued via prepaid debit card. This year, residents of Cleveland’s 216 were met with a second, disparate phishing campaign. Attempts were made via SMS to procure the details of their Direct Express MasterCard:

“The Direct Express® card is a prepaid debit card offered to Social Security and Supplemental Security Income check recipients...”

If their victims weren't already in a less-than-wonderful spot, nefarious minds are always up to correct that. From cradle to grave, child support to social security, smishing continues to be morally blind and unnervingly perceptive.