
FBI Warning—All Smartphone Users Must Delete These Messages

Republished on June 23 with the latest warnings for smartphone users and further information on the attackers behind this campaign.

A raft of news stories over the last week (1,2,3) report on the FBI warning 150 million Apple users to delete texts on their iPhones. Unfortunately the reality is even worse than those headlines suggest. Here’s what you need to know and what you should do.

Right now, your cell phone is vulnerable to an ongoing attack that will come to you by way of text messages warning of dire consequences if you don’t respond right away. Text messages that include links to pay outstanding bills or fines.


All of this is made up, of course, but you pay nonetheless because you’re worried — that’s the idea. These messages include unpaid tolls and newer DMV traffic offenses, but will soon widen the net to mimic texts from your bank or credit card company.

It’s against this backdrop that we have seen headlines urging America’s iPhone users to delete the latest raft of DMV texts as soon as they’re received. But that warning applies equally to iPhone and Android users — in this instance, iPhones aren’t special.

The malicious texts are sent courtesy of organized Chinese criminal gangs that operate beyond the reach of U.S. law enforcement. They harness countless phone numbers from multiple countries and domains from multiple providers.

Check Point warns “attribution is tentative but compelling. The use of Chinese SOA contacts, Chinese DNS providers, Chinese-language comments in source code, and uniform hosting behavior all point toward a threat actor operating out of China. The infrastructure aligns with known patterns of low-cost, high-volume phishing-as-a-service operations often advertised on Chinese-language cyber crime forums.”

Despite network filtering and iOS and Android spam detection, the tidal wave of texts seemingly can’t be stopped. Google has confirmed new AI-powered scam detection on its phones, and we wait to see if this filters the threat or can be worked around.

The FBI’s warning to delete all these so-called smishing texts came in an advisory last year, issued in the wake of the original unpaid toll scam that has now swept across America from state to state. Any such texts, it said, should be deleted from phones.

There is no threat from texts left unopened or ignored on your phone. But knowing it’s from a cybercriminal’s number and contains a malicious link, the strong advice from the FBI and other agencies is to remove it from your phone.

But that applies to all smartphone users. There are some iPhone specifics — the OCGs prefer iMessage to SMS, albeit they like RCS as well, and the texts often include instructions to “Please reply with ‘Y’” to get around iPhone’s link blocking from unknown senders. But the attack targets all users indiscriminately.

As I reported a week ago, the FBI has confirmed it is now investigating the latest plague of DMV-themed texts, which is unsurprising. The volume of those texts in particular surged almost 800% in the first week of June alone, and has not slowed down since.

A single bad actor armed with numbers and domains can send as many as “60,000,000 texts a per month, or 720,000,000 per year,” if that helps explain why there’s almost no one in America who hasn’t yet received these texts or knows someone who has.

We have just seen Florida warn that “a fresh wave of text message scams targeting motorists is surging,” with “the FBI reporting a significant increase in these attacks, [which are] now more refined and convincing than in the past.”

Whether it’s an iPhone or an Android phone in your pocket, don’t leave these texts undeleted and never ever click on any of these links.

Over the weekend, new DMV text warnings have come from Georgia, Virginia and Iowa. “As expected,” says Iowa’s DOT, “the scammers are up to their old tricks again. And finding new people to target each time. If you get a DMV ticket payment text, it’s a scam. Even if you have a recent ticket, Iowa DOT will never contact you by text for fee collection or ask you for financial info.”

According to Check Point, the DMV scam campaigns “leverage widespread SMS phishing and deceptive web infrastructure” and utilize “infrastructure, consistent domain naming conventions, reused frontend assets, and strong indicators pointing to a China-based threat actor. The widespread impact and impersonation of trusted state agencies underscore the urgency of awareness and proactive defense.”

The security researchers claim the campaign is “highly structured,” which is unsurprising given how similar all the example texts have been. “While this attack appears to be vast, spreading over many IP addresses, with thousands of newly registered phishing domains, a significant portion of the domains were hosted on a known malicious IP address: 49.51.75[.]162.”

With that in place, “HTML files linked to this IP mapped each file to a different state: Pennsylvania, Georgia, Texas, California, New Jersey, New York, and Florida. The cloned DMV pages used predictable TLDs such as [.cfd] and [.win], chosen for their low cost and ease of registration.”
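The indicators described above (the low-cost TLDs, the payment lure and the “reply with ‘Y’” instruction) can be combined into a simple triage check for reported texts. This is an added example, not code from Check Point, the FBI or the original article; the scoring rule, function names and sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Indicators named in the article; the scoring rule is an assumption of this example.
CHEAP_TLDS = {"cfd", "win"}
LURE = re.compile(r"\b(dmv|toll|traffic (ticket|violation|offense)|unpaid|fine)s?\b", re.I)
REPLY_Y = re.compile(r"reply\s+(with\s+)?[\"'“‘]?y[\"'”’]?\b", re.I)
URL = re.compile(r"\b(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)

def refang(text):
    """Undo the defanged notation analysts use when sharing samples."""
    return text.replace("[.]", ".").replace("hxxp", "http")

def hosts_in(text):
    """Return the lower-cased hostnames of every link found in the message."""
    hosts = []
    for match in URL.finditer(refang(text)):
        url = match.group(0)
        if "://" not in url:
            url = "http://" + url  # urlsplit needs a scheme to find the host
        host = urlsplit(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts

def triage(text):
    """List which of the article's indicators appear in one message."""
    hosts = hosts_in(text)
    hits = ["tld:" + h for h in hosts if h.rsplit(".", 1)[-1] in CHEAP_TLDS]
    if LURE.search(text):
        hits.append("payment_lure")
    # "Reply Y" alone is common in legitimate texts; it only counts next to a link.
    if hosts and REPLY_Y.search(text):
        hits.append("reply_to_enable_link")
    return hits

def is_suspect(text):
    """Flag a payment lure that comes with at least one other indicator."""
    hits = triage(text)
    return "payment_lure" in hits and len(hits) >= 2

# Constructed sample messages; the domains are placeholders, not observed indicators.
SAMPLES = [
    "Pennsylvania DMV final notice: unpaid traffic ticket. Pay at "
    "https://dmv-notice.example.cfd/pa Please reply with 'Y' and reopen this text.",
    "Your dentist appointment is tomorrow at 3pm. Reply Y to confirm.",
    "Toll balance overdue, settle now: hxxps://ezpass[.]example[.]win/pay",
    "Your toll statement is ready at https://tolls.example.gov/account",
]
```

The second and fourth samples show why no single indicator is enough: a routine “Reply Y” reminder and a toll notice on an ordinary domain both pass, while the lure combined with a cheap-TLD link is flagged.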


The industrialized scripting behind such attacks can be expanded to a wide range of lures. And it can be more targeted than we’ve seen with the DMV texts. Impersonating a DMV is bad enough, but the FBI also warns that cybercriminals are impersonating its own agents, demanding payment for fines or missed court appearances to avoid arrest.

Over the weekend came a new FBI warning, as attackers again message or call foreign students in the U.S., demanding a fee to continue uninterrupted. Yet again, scammers are impersonating law enforcement agencies in this attack, which has become a widespread theme across state and local as well as federal law enforcement.

The bureau’s advice in the latest attacks in Washington State could apply to all these attacks: “Scammers always prey on people’s fears. They’re always opportunistic.” And that opportunism pays off. “They try to ratchet up that sense of urgency so that you don’t think about what you’re doing and then they just send the money.”
