I know everyone is busy with their holiday preparations, but I wanted to get this out there before the holidays set in on Friday: yes, you can be phished by text. This one is clever but has the usual tell-tale signs.
On March 28, the New Jersey Cybersecurity & Communications Integration Cell (NJCCIC) detected a new SMS-based phishing campaign designed to obtain the security PINs associated with mobile carrier accounts. One of its analysts received a text message on her phone instructing her to update her PIN by visiting a URL included in the message.
This particular SMS message masquerades as official correspondence from AT&T, but originates from a suspicious phone number and contains grammatical errors. The URL included in this message, attonline[.]net, was newly registered on March 25 and leads to a phishing page that displays the AT&T logo and provides fields for the victim to enter his or her name, phone number, billing zip code, and current account PIN.
Information submitted through this page will then likely be used by the malicious actor behind the campaign to contact the mobile carrier, impersonate the victim, and have the victim's phone number ported to a carrier account or SIM card under the actor's control (a port-out or SIM-swap attack). The carrier account PIN is precisely the credential carriers use to authorize such changes, which is why the lure asks for it. Once the number has been moved, the actor receives the victim's calls and text messages and can use them to gain access to any of the victim's accounts that rely on SMS-based two-factor authentication (2FA) or SMS-based password recovery, such as email, social media, and financial accounts.
Be on the alert for SMS-based phishing attacks and avoid clicking on URLs contained within unexpected and unsolicited text messages. Additionally, never reply to any unsolicited text message that requests personal or sensitive information. If you have questions or concerns regarding your mobile carrier account, we urge you to contact the company directly via their official website or designated customer support number.
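The tell-tale signs called out above (a brand name inside a lookalike domain, a domain registered only days before the message arrived, and a URL paired with a PIN or account lure) can be turned into a small triage check. The following script is an added example written for this post, not code from NJCCIC or the carrier; the brand allow-list, lure keywords, domain registration dates and sample messages are all constructed assumptions for the demo. A real deployment would pull registration dates from RDAP/WHOIS and use the Public Suffix List instead of the two-label shortcut used here.

```python
import re
from datetime import date
from urllib.parse import urlparse

# Constructed allow-list of registrable domains a brand legitimately uses.
# In practice this comes from an asset inventory or the carrier's own published list.
BRAND_DOMAINS = {
    "att": {"att.com", "att.net"},
}

# Phrases typical of PIN/credential-harvesting lures (constructed, not exhaustive).
LURE_RE = re.compile(r"\b(?:pin|password|verify|suspend\w*|update your (?:account|pin))\b",
                     re.IGNORECASE)

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)

# Constructed registration dates standing in for an RDAP/WHOIS lookup.
# The year is chosen arbitrarily; the post gives only month and day.
SAMPLE_REGISTRATIONS = {
    "attonline.net": date(2018, 3, 25),
    "att.com": date(1993, 1, 1),
}
OBSERVED_ON = date(2018, 3, 28)

# Constructed sample messages in the style of the lure described in the post.
SAMPLE_SMS = [
    "AT&T: Your account PIN has expired. Update it now at http://attonline[.]net/pin to avoid suspension.",
    "AT&T: Your bill is ready. View it at https://www.att.com/myatt",
]


def refang(text: str) -> str:
    """Undo the [.] / hxxp defanging used in threat reports so URLs parse normally."""
    return text.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def extract_urls(text: str) -> list[str]:
    """Return every URL found in an SMS body, defanged forms included."""
    return URL_RE.findall(refang(text))


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Assumption: a one-label public suffix;
    real code should use the Public Suffix List (e.g. the tldextract package)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def triage_sms(text: str, observed_on: date, registration_dates: dict[str, date],
               max_domain_age_days: int = 30) -> list[str]:
    """Score one message against the indicators from the alert.

    Returns a list of findings; an empty list means none of the indicators fired.
    """
    findings = []
    urls = extract_urls(text)
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        reg_dom = registrable_domain(host)
        # Brand name at the start of a label (attonline.net, my-att.com) but not
        # under one of the brand's own registrable domains.
        for brand, legit in BRAND_DOMAINS.items():
            if re.search(rf"(?:^|[.-]){brand}", host) and reg_dom not in legit:
                findings.append(f"lookalike-domain:{reg_dom}")
        # Domain registered shortly before the message was observed.
        registered = registration_dates.get(reg_dom)
        if registered is not None and (observed_on - registered).days <= max_domain_age_days:
            findings.append(f"newly-registered:{reg_dom}")
    # A link combined with PIN/account wording is the credential-lure pattern.
    if urls and LURE_RE.search(text):
        findings.append("credential-lure")
    return findings


def triage_samples() -> list[list[str]]:
    """Run the triage over the constructed samples (used for the demo and tests)."""
    return [triage_sms(msg, OBSERVED_ON, SAMPLE_REGISTRATIONS) for msg in SAMPLE_SMS]


if __name__ == "__main__":
    for msg, findings in zip(SAMPLE_SMS, triage_samples()):
        print(msg)
        print("  ->", findings or "no indicators")
```

The first sample trips all three indicators; the second, which links to the carrier's own domain and carries no PIN wording, trips none. The lookalike test is deliberately a heuristic: it keys on the brand string at the start of a host label, so it will still miss homoglyph domains and should be combined with the newly-registered check rather than used alone.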
Wishing everyone a joyous holiday,
Principal Security Consultant