The UK’s Metropolitan Police force has arrested a 20-year-old man from Birmingham for allegedly operating an online service that provided SMS phishing (or smishing) campaigns. Known in the cyber underworld as “SMS Bandit”, the phishing service would involve cybercriminals distributing fake SMS messages in high volumes to unsuspecting victims, pretending to be from reputable brand names including PayPal, telecommunication providers, COVID-19 pandemic services.
Once the scammers gained access to account credentials, these would then be sold across the dark web marketplaces they operated. Having been first reported by Krebs on Security, there are several users associated with this particular phishing service, posting promotional messages on various cybercrime forums under the following alias’: “SMSBandits,” “Gmuni,” “Bamit9,” and “Uncle Minus.”
The UK’s National Crime Agency (NCA) has not released the name of the alleged hacker, but the Metropolitan Police Service’s cybercrime unit has confirmed when they arrested the man, he was also linked to a business that supplied illegal services related to other phishing offenses.
Cybersecurity experts have provided their insights regarding the news:
Burak Agca, security engineer at Lookout:
“The details of this phishing campaign reinforce the fact that threat actors focus on key national and international event when they occur to drive engagement and maximise returns. This particular incident shows how attacker tactics are evolving as the attacker vetted the target ahead of time to ensure detection mechanisms in place by the carriers and SMS gateway providers could be avoided. This type of agile attack amplifies the need for 3rd party mobile threat defence that goes beyond the native carrier and device protections.
This incident should ring alarm bells for IT and security leaders and this phishing campaign shows that many teams are still lagging behind on securing employee mobile devices, which is ever more important with remote working globally. There needs to be a way to audit whether users inadvertently clicked on malicious links within SMS messages, social media apps, personal emails, and any other third-party app with a chat function.”
Javvad Malik, security awareness advocate at KnowBe4:
“SMS phishing, or Smishing has been gaining popularity as a phishing channel to target unsuspecting victims. With the right software, it can be almost as easy to send mass smishing messages as it can to send email phishes.
People receiving links via SMS are often less suspicious when compared to links in emails, and have fewer tools available on their phone to easily validate the authenticity of a message. Therefore, it’s vital that people are made aware of these scams and remain vigilant about them.
It’s great to hear the suspect behind SMS Bandits has been apprehended, but Smishing is here to stay, and will only increase in frequency and sophistication over time.”
