U.S. SMS Phishing Attacks on the Rise this Fall

SMS Bank and account phishing in the U.S. more than tripled in September and continues as the nation's number one category of reported SMS. However, some very notable cities such as New York City have dodged these malicious attempts at users' financial and account details. [caption id="attachment_5988" align="aligncenter" width="600"]

Top U.S. SMS Attack Types, October 2014[/caption] Over the past two months, we've seen a sharp increase in SMS phishing attacks -- jumping from only 15% of the nation's bad texts in August to just above 46% in September. In terms of raw volumes, this represented a 58 percent increase in the amount of reports for this type of attack. A snapshot of the past six months:

These phishing attacks are continuation of campaigns we've tracked developing over the past several months. The messages use the typical terse alert warnings of account freezes and password resets. However, as we detailed in September, these attacks have begun using landing pages hosted on either disposable or hacked domains rather than asking victims to call a specific phone number. Each landing page is brand with somewhat-passable fake versions of the service being phished:

There’s been a notable shift towards using more and more hacked domains for landing pages in recent months. This hints that the perpetrators are finding a better return on their money from hosting these malicious pages on someone else’s established website. With this move to more hacked domains for better return on investment (ROI) and the substantial uptick in volumes, it’s very likely that the criminals behind these attacks is having solid success with monetizing this approach. Of those areas hit by the attackers, the following cities have been hit with the most phishing in the past two months: Cities Most Prone to Receiving SMS Phishes 1. Odessa and Western Texas, 16.1% 2. Denver, 4.0% 3. Seattle, 2.6% 4. Austin, 2.5% 5. Kirkland, 2.5% 6. Los Angeles, 2.3% 7. Vancouver (Washington), 2.1% 8. San Diego, 2.0% 9. Spokane, 1.9% 10. Toms River, 1.8% [tweet_dis]One such hacked domain unknowingly hosting these bank phishing pages is a center for meditation and wisdom.[/tweet_dis] It's also interesting that many of the largest cities, with their proportionately much larger amount of phone numbers, are seeing relatively very few phishing attacks. Other than Los Angeles, the nation's most populated cities, New York, Chicago, Houston, Philadelphia, Phoenix, San Antonio, are absent from the list of most phished cities. One would expect the largest volume attack to affect the largest cities in equal proportion given a random set of phone numbers. This concentration means that attackers have opted not for random numbers, but instead, they are targeting specific areas for better return. So then, what does the most populated city in the country get on their phones if not phishing attacks? Knock-off designer goods peddled to iPhone users via iMessage still reign king in the big Apple. It makes sense in a way. Designer handbags and sunglasses are more likely to pique interests in areas with more disposable income. Also, it's very possible that New York's presence as a fashion mecca could make it a ripe area for bargain-minded fashionistas. Top Attacks in New York City, October 2014 Auction / Sale Site Spam, 37.3% Win Free Stuff Scam, 21.1% Online Gambling Spam, 10.2% Product Promotion Spam, 6.6% Bank / Account Phishing, 6.6% Don't be be taken in by the cheap prices, the results are lackluster to say the least. We recently conducted an investigation into what exactly came from these bags and found the results to be almost comical. Sloppily cut foam linings, cheap brass button more fitting of jeans, poorly trimmed 'leather,' and a myriad of other tells made the bag seem more like a child's play purse than a passable knock-off. These are far from a convincing fake you could pass off in front of friends.

As a whole, the nation has seen the amount of these knock-off goods drop from above 40% of all U.S. spam SMS to just 5 percent in October. Meanwhile, New York has recently seen a steady stream of these messages - accounting for 30 and up to 60 percent of all reported messages each month. While the rest of the U.S has seen a dramatic decrease in these texts, New York City breaks yet another fashion trend completely and sets it self apart.