
Phexting and I ain't got stupid written on my forehead!

Identity Theft Speaker Robert Siciliano Article here; Text Message Scam

Interviewed for this article, the victim states, “I ain’t got stupid written on my forehead.” I’m sure she is a lovely woman who must be smarter than her quote. She received a scam text and didn't get taken.

Most of us are somewhat aware of text messaging scams. I've never received one. But I’m seeing a flood of local news reports on the issue. I’ve yet to see a national story on what I predict will become as bad as phishing in emails.

The problem stems from criminal hackers who are using technology to generate cell phone numbers, starting with the area code, plugging in the cell carrier's given extension, then generating the last 4 numbers.

Do a search on mass SMS software and you will find lots and lots of vendors providing free and small-fee programs for sending mass texts.

Sexting is when teens send sex pics to one another. Robert Siciliano (me) says “Phexting” is the new phish.

What's happening is that browsers and email clients are doing a better job of protecting the naive. Phexting is the path of least resistance to get to the victim.

Most web-based email providers do a pretty good job of recognizing that an email is a phish. First they send it right to spam, or they might display a red banner along the top of the email in the preview pane.

Up-to-date browsers have phish filters that recognize a spoofed website. This feature works if you don't turn it off.

While all these tools are helpful, nothing will fix the problem better than simple common sense. I ain't got stupid written on my forehead either. But too many people do. And snake oil salesmen can smell them from 10,000 miles away.



Comments: (2)

A Finextra member 06 February, 2009, 21:09

Hello Robert,

I haven't checked but maybe some of the folks at Vodafone should have stupid written on their foreheads. It would appear that Vodafone are training their customers to respond to phishing texts. Perhaps they think their customers are also stupid. They obviously have little idea of security and disregard the welfare of their customers.

Vodafone must be very desperate to abbreviate words in order to save the minute cost of a second text to their customers. Alarm bells, which usually means sell those shares!

With the Russian economy evaporating we can only expect a resurgence in scams coming from there, and in fact everywhere. With the public image of banks never worse and religious leaders announcing fatwas encouraging the cyber-attack of western commerce, I expect 2009 will see new records for fraud exploits. Perhaps not in value, because of diminished wealth of the victims, but certainly in the number of attacks.

Internet banking is down around 12% in some quarters so far and I am only surprised that it isn't even lower. I predict an almost total collapse in online trust to occur sometime this year. There are just too many factors likely to have a negative effect on online trust and the only ones with a plan and a budget appear to be the fraudsters.

With the telcos contributing to the mess, where will that leave us for 'secure' communications, smoke signals or drums perhaps?

For the snake-oil salesman waiting in the wings, sorry, snake-oil tends to get pushed down the shopping list in tough economic times and I think people are starting to wake up to the truth.

A Finextra member 09 February, 2009, 06:50

How is this Phexting supposed to work? You give your credentials, lose some money and the cops have the easy task of picking up whoever sent the text message or happens to own the number you have to call.

Oh yes, you can use prepaid SIM cards and such, but now that the authorities are demanding those to be registered as well, where's the beef for the crook?  Buying a prepaid SIM, punching in 300 messages, buying another SIM or recharging the previous to send out another 300 messages?  Sounds pretty complicated to me.

And risky. The first complaint that comes in to the operator about this activity triggers a search whereby not only the phone number of the prepaid is known, but also the IMEI, make and model of the phone, and exact location are immediately shown. Changing SIMs does not help any more, since the IMEI can be traced and/or blocked.

So, a phexting rally is not worth it, since you get caught.

That's unless you manage to hack yourself into your carrier's network and spoof your caller ID, receiver ID and possible IMEIs.
