The Metropolitan Police Service’s cyber crime unit has arrested a 20-year-old man who reportedly ran high-volume phishing campaigns as part of a service called SMS Bandits that involved the spoofing of well-known brands to lure people into handing over their account credentials.
Known in cyber crime circles as SMS Bandits, the phishing campaign involved fraudsters sending out fake SMS messages in bulk by spoofing organisations like PayPal, telecommunications providers, tax revenue agencies, and organisations involved in COVID-19 pandemic relief efforts.
By sending out fraudulent SMSs by the millions, the operators of SMS Bandits, including the man who was arrested, gained access to account credentials for various popular websites which they sold on dark web marketplaces they controlled. Operators of the fraudulent service also used other pseudonyms such as Bamit9, Gmuni, and Uncle Munis on dark web forums.
Though NCA did not confirm the name of the alleged fraudster, the Metropolitan Police Service’s cyber crime unit confirmed that they arrested an individual from Birmingham who was related to a business that supplied illegal services related to phishing offenses.
Sasha Angus, a partner at cyber intelligence firm Scylla Intel, told KrebsonSecurity that the phishing messages sent by SMS Bandits were free from grammatical and spelling errors, which made it difficult for people to identify them as fake or fraudulent.
“Just by virtue of these guys being native English speakers, the quality of their phishing kits and lures were considerably better than most. They were launching fairly high-volume smishing campaigns from SMS gateways, but overall their opsec was fairly lousy. But on the telecom front they were using fairly sophisticated tactics,” Angus said.
After validating stolen email addresses and passwords on real websites operated by companies which they spoofed, the operators of SMS Bandits sold the credentials on dark web marketplaces they controlled. On these marketplaces, they also advertised a bulletproof hosting service where online fraudsters stored content about sites designed to phish credentials from users of various online services.
According to KrebsOnSecurity, SMS Bandits is also related to another dark web criminal service called OTP Agency, “a service designed to help intercept one-time passwords needed to log in to various websites. The customer enters the target’s phone number and name, and OTP Agency will initiate an automated phone call to the target that alerts them about unauthorized activity on their account.”
Commenting on the scale at which SMS Bandits operated, Javvad Malik, security awareness advocate at KnowBe4, said that SMS phishing has been gaining popularity as a phishing channel to target unsuspecting victims as with the right software, it can be almost as easy to send mass smishing messages as it can be to send email phishes.
“People receiving links via SMS are often less suspicious when compared to links in emails, and have fewer tools available on their phone to easily validate the authenticity of a message. Therefore, it’s vital that people are made aware of these scams and remain vigilant about them.
“Organisations also need to be mindful of how they communicate with their customers and if they do use SMS, to not include links. Rather, invite people to navigate to their site directly. It’s great to hear the suspect behind SMS Bandits has been apprehended, but Smishing is here to stay, and will only increase in frequency and sophistication over time,” he added.