News of SMS (text) phishing scams is nothing new to readers of this blog. ESET researcher Cameron Camp recently wrote an article explaining how they work and how to avoid them here on ESET’s Threat Blog: SMSmishing (SMS Text Phishing) – how to spot and avoid scams. And just before Valentine’s Day, my colleague Stephen Cobb performed a two-part investigation into a Victoria’s Secret gift card scam delivered via email.
The scamming continues unabated, and this time electronics retailing giant Best Buy is the target: Within a period of about three hours, both a coworker and I received identical messages inviting us to visit what appears at a cursory glance to be Best Buy’s web site, but instead belongs to a domain registered through Internet.BS, a shadowy domain registrar registered to do business in the Bahamas, and perhaps best known for its curious relationship to online pharmacies and use of anonymous payment systems favored by Russian cybercriminals. The web site itself is located at a French hosting provider.
So, what is the scam here? Visiting the web site and entering the code takes you to a web site which asks you to enter your email address in a prominently displayed, larger form in the center of the page.
It should be obvious to regular readers of this blog that this is a scam, and the best thing to do with such things is delete them. You may (or may not) be able to report them to your carrier, but scams like these are typically paid for through fraudulent means such as stolen credit cards, so your carrier may be almost as much a victim as you were.
Avoiding this type of scam is largely a matter of impulse control: Con artists like the scammers behind this one prey on the naiveté and gullibility of the public, knowing that a certain percentage will click through, expecting to get their gift card rather than spam, telemarketing calls and junk mail. Applying a smidge of common sense and a dash of critical thinking largely alleviates such threats.
Like their email and telephone counterparts, scammers like these rely on an uneducated public, and the best defense is learning to recognize such scams. ESET has been working for about three years on a free community education program called Securing Our eCity, whose job it is to educate the public about how to recognize and avoid cybercrime. Initially focused on San Diego, the programs developed by SOeC are achieving national and even international recognition and use.
ESET recognizes that not all threats to your computer come from malware like trojans, viruses and worms. That’s why we have developed free cybersecurity training for our customers to educate them about the “soft skills” needed to stay safe online.
Lastly, if you are one of the unlucky few who are constantly besieged by such unwanted texts, you might want to consider installing a program such as ESET Mobile Security on your smartphone, which provides SMS and MMS antispam.
Have you received an SMS or text from a scammer? If so, please leave a comment and let us know how you handled it.
The author would like to extend thanks to his colleagues Christopher Dale, David Harley and Octavio Vasquez for their assistance in preparing this post.
Aryeh Goretsky, MVP, ZCSE