SMSmishing Unabated: Best Buy targeted by fake gift card campaign

News of SMS (text) phishing scams is nothing new to readers of this blog. ESET researcher Cameron Camp recently wrote an article explaining how they work and how to avoid them here on ESET’s Threat Blog: SMSmishing (SMS Text Phishing) – how to spot and avoid scams. And just before Valentine’s Day, my colleague Stephen Cobb performed a two-part investigation into a Victoria’s Secret gift card scam delivered via email.

A Global Enterprise

The scamming continues unabated, and this time electronics retailing giant Best Buy is the target: within a period of about three hours, a coworker and I both received identical messages inviting us to visit what appears at a cursory glance to be Best Buy’s web site, but which instead belongs to a domain registered through Internet.BS, a shadowy domain registrar registered to do business in the Bahamas, and perhaps best known for its curious relationship to online pharmacies and use of anonymous payment systems favored by Russian cybercriminals. The web site itself is located at a French hosting provider.

Anatomy of a scam:  SMS scammer’s payoff

So, what is the scam here? Visiting the web site and entering the code takes you to a web site which asks you to enter your email address in a prominently displayed, larger form in the center of the page.

And what does this get you? Doing so entitles you to receive emails from the company behind this scam. According to the terms and conditions on the web site—which required some magnification for me to view legibly—you must also provide them with all of your contact information so that they may send additional texts to your cell phone, emails and your address. They, in turn, will use this information to send promotional offers your way. You must make six purchases from their offers, and refer ten friends who must make six purchases as well, in order to receive your “FREE $1,000 Bestbuy Giftcard.” Oh, and to add insult to injury, the last paragraph of their privacy policy states that they will resell the information you provide them to other marketing companies.

Countermeasures:  Defeating the wily scammer

It should be obvious to regular readers of this blog that this is a scam, and the best thing to do with such things is delete them.  You may (or may not) be able to report them to your carrier, but scams like these are typically paid for through fraudulent means such as stolen credit cards, so your carrier may be almost as much a victim as you were.

Avoiding this type of scam is largely a matter of impulse control: con artists like the scammers behind this one prey on the naiveté and gullibility of the public, knowing that a certain percentage will click through, expecting to get their gift card rather than spam, telemarketing calls and junk mail. Applying a smidge of common sense and a dash of critical thinking largely alleviates such threats.

Like their email and telephone counterparts, scammers like these rely on an uneducated public, and the best defense is learning to recognize such scams.  ESET has been working for about three years on a free community education program called Securing Our eCity, whose job it is to educate the public about how to recognize and avoid cybercrime.  Initially focused on San Diego, the programs developed by SOeC are achieving national and even international recognition and use.

ESET recognizes that not all threats to your computer come from malware like trojans, viruses and worms.  That’s why we have developed free cybersecurity training for our customers to educate them about the “soft skills” needed to stay safe online.

Lastly, if you are one of the unlucky few who are constantly besieged by such unwanted texts, you might want to consider installing a program such as ESET Mobile Security on your smartphone, which provides SMS and MMS antispam.

Have you received a SMS or text from a scammer?  If so, please leave a comment and let us know how you handled it.

The author would like to extend thanks to his colleagues Christopher Dale, David Harley and Octavio Vasquez for their assistance in preparing this post.

Aryeh Goretsky, MVP, ZCSE
Distinguished Researcher

Author Aryeh Goretsky, ESET

  • jannie

    I get these things every day, and I auto delete them. Several months ago I opened one text message from one of these stores, then later on I get extra charges on my phone, $9.95/mo. We found out that once you open those texts they send you, you are agreeing to their terms and all s—. My phone company took the charges off.
    I get them almost every day and I'm tired of auto deleting them. How can I block them from texting me?

    • Aryeh Goretsky

      Hello,

      If your phone or carrier does not have any ability to block unwanted texts, then you might want to consider a program like ESET Mobile Security which can do things like block texts except from people in your address book, block them from specific callers and so forth.

      Regards,

      Aryeh Goretsky
