Security Researchers Warn Verizon Users About an Aggressive Smishing Scam


Phishing has always been one of the cybercrooks' favorites. There are a few good reasons for this. You don't need to have a lot of technical skills to pull off a successful phishing scam, and even large-scale campaigns don't require huge investments in terms of money and time. Meanwhile, despite all the warnings, the social engineering in the emails is still enough to fool users into clicking links and giving away sensitive information.

Smishing is a variation of phishing that is aimed at mobile phone users and is done through text messages. Smishing attacks are nowhere near as common as more traditional scams, but as a recent campaign targeting Verizon users demonstrates, this technique does have some distinct advantages which could tempt quite a few cybercriminals.

Crooks try to trick Verizon customers out of their personal data

The scam was spotted and reported by HowToGeek, and Chris Hoffman, the website's Editor In Chief, described the smishing attack as "the most sophisticated yet." Although this statement may be up for debate, there's little doubt that the criminals did put some thought into the operation.

As you might imagine, the attack starts with an SMS, which tells you that "your Verizon account security needs validation." If you click a link, you will be able "to validate your account and to avoid your access from being disabled." As you can see, the grammar is as awkward as you'd expect from this kind of attack. What is a bit unusual is the fact that the link users are urged to click hasn't been through a URL shortening service. That being said, if you don't look at it too closely, you might be fooled into thinking that it really is coming from the telecommunications provider.

The link HowToGeek described led to a phishing page that was hosted on vwireless[.]xyz (which is down at the time of writing) and was described as "shockingly convincing." Indeed, the screenshots do look pretty close to the original, and there aren't any glaring grammatical mistakes, which suggests that instead of creating the scam pages on their own, the crooks used a readily available phishing kit bought on the underground markets.

The bogus website starts off by requesting your mobile number or User ID and password. After that, you are asked for your account PIN, and finally, you are told that you need to provide some personal information. The page tells you that if you enter your name, address, and five-digit billing ZIP code, you will help Verizon better protect your account. After you've given out all the details, you are redirected to the real Verizon website.

The phishing page won't let you click through unless you've filled in all the fields, but when HowToGeek's reporters tested it, they used fake information, which shows that the scam website doesn't validate the data in real time.

The potential damage is pretty significant

If all of the above sounds familiar, and if you think that you may have fallen into the trap, you need to call Verizon and rectify the issue immediately. If they successfully take over your account, the crooks can wreak all sorts of havoc. They can order a new smartphone and charge it to your bill, and they can also perform a SIM swapping attack against you. If you've reused the same password on multiple websites, you can fall victim to credential stuffing and lose access to other accounts as well.

All in all, setting their sights on Verizon customers could pay off handsomely for the crooks, and with their choice to go for smishing rather than traditional phishing, they are hoping to maximize the number of victims.

Smishing vs. phishing: Which is best?

Smishing's main advantage is that the victim is inevitably on their phone during the operation. The smaller screen makes spotting the tell-tale signs of a scam more difficult. As we mentioned already, at first glance, the URL in the text message looks semi-legitimate, and because screen space is tight, a mobile browser's address bar can remain hidden most of the time. As a result, you are less likely to notice that you are at the wrong address.

In this case, picking the text message instead of the traditional phishing email is a particularly good call because, as a telecommunications provider, Verizon is likely to contact you via an SMS. Yet another factor that improves the crooks' chances of success lies with the fact that while email phishing scams have been around for years, smishing is a relatively recent trend, and fewer people know that the scheme has been adapted to work via text messages.

As always, the best defense against attacks like these is caution and awareness. Users must learn that crooks are now using SMS messages to trick people into giving away their information, and they must understand that a link in an unexpected text message can be just as dangerous as a link in an email.
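Because the link in this campaign was not shortened and only looks legitimate at a glance, the check that matters is on the hostname itself. The following is an added example, not code from the original article or from HowToGeek: it pulls links out of a text message and flags any host that is not an official domain or a subdomain of one. `OFFICIAL_DOMAINS` is an assumed allow-list, and the sample messages and URL paths are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: the provider's legitimate domains. Confirm the real list
# with the provider before relying on it.
OFFICIAL_DOMAINS = {"verizon.com", "vzw.com"}

# Matches links with a scheme, and bare "domain.tld/path" links as they
# usually appear in a text message.
URL_RE = re.compile(
    r"https?://\S+|\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}(?:/\S*)?",
    re.IGNORECASE,
)

def refang(text):
    """Undo the defanging used in reports (e.g. example[.]com)."""
    return text.replace("[.]", ".")

def extract_hosts(sms):
    """Return the hostname of every link found in the message."""
    hosts = []
    for match in URL_RE.finditer(refang(sms)):
        url = match.group(0)
        if "://" not in url:
            url = "http://" + url  # urlsplit needs a scheme to find the host
        host = urlsplit(url).hostname
        if host:
            hosts.append(host.rstrip(".").lower())
    return hosts

def is_official(host):
    """Exact match or a true subdomain; matching on a label boundary
    keeps 'notverizon.com' from passing as 'verizon.com'."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

def suspicious_links(sms):
    """Hosts in the message that are not on the allow-list."""
    return [h for h in extract_hosts(sms) if not is_official(h)]

# Constructed sample: wording quoted in the article, domain as reported
# (kept defanged), path invented for the example.
SMS_SCAM = ("Your Verizon account security needs validation. "
            "Go to vwireless[.]xyz/secure to validate your account")

if __name__ == "__main__":
    print(suspicious_links(SMS_SCAM))
```

A substring test such as `"verizon.com" in host` would accept both `notverizon.com` and `verizon.com.example.net`, which is why the comparison is done on whole labels from the right-hand end of the hostname.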

February 17, 2020