In this guest post, Stuart McBride, Head of Threat Intelligence at AdaptiveMobile Security, shares their assessment of the recent rash of Covid-19-themed SMS spam campaigns, and offers practical steps for how consumers can spot such scams.
We recently documented the “outbreak” of Covid-19-themed SMS spam campaigns, in which spammers exploit the fear around the pandemic to sell fake preventions and cures, push false offers and sell payday loans.
As the public adapts to the pandemic as part of daily life and grows accustomed to unusual restrictions, rules and public announcements, scammers are continuing to vary their tactics to take maximum advantage of the current reality and capitalise on continuously evolving news cycles.
Many governments across the English-speaking world are announcing various reliefs and benefits to individuals and businesses financially affected by the Covid-19 pandemic. Such programmes are an attractive new vector for scammers.
AdaptiveMobile Security’s Threat Intelligence analysts have observed similar SMS Spam being sent to subscribers in the US, Canada and the UK.
As an illustrative example, on March 18th, Canada announced it would be making one-time special payments by May 2020 for qualifying individuals. This week, we have observed messages like the example below being sent to some Canadian mobile phone subscribers:
To an ordinary recipient, growing accustomed to unexpected announcements, this may seem like a genuine public service message in extraordinary times.
The message isn’t entirely implausible. It’s fairly clearly laid out, and other than the incongruous French abbreviation of “Gouvernment,” is spelled correctly and signed as if from the real Canada Revenue Agency.
Let’s see what happens to the unsuspecting subscriber who clicks the link.
The first thing the subscriber will see on their handset is an authentic-looking website with the real Government of Canada logo, and in both official languages:
Choosing English, the subscriber is now asked for their name and social security number. The subscriber may enter their real details at this point, but regardless of the input, another convincing “Searching…” message is animated for a few seconds, before presenting the good news. The subscriber is eligible for a random amount of Canadian dollars:
Proceeding with the application, we now reach the key and indeed only intention of the scam – to steal the subscriber’s credit/debit card details. The subscriber is invited to choose their bank from a list of real Canadian banks. Choosing BMO (Bank of Montreal) leads to a login page with genuine logos and convincing-looking links to register, change language and reset password:
In fact, as an entirely fake mock-up of BMO’s login page, the site has no way to authenticate the login, and will accept any correctly formatted card number and password.
The follow-up page asks for the remaining card details and even the security questions and answers – providing the attacker with enough information to potentially hijack the subscriber’s bank account.
Assuming the subscriber entered their details correctly, they can now expect unauthorised purchases, payments or transactions on their account.
Spotting a scam
How could a regular subscriber have avoided falling victim to this SMS Spam?
1. The message
From the initial message, there were some tell-tale signs that this is a scam. First of all, there’s the awkward language in the initial line of the message, with an unnecessary capitalization, and the French spelling of “Gouv.” However, this might not be immediately obvious to a non-native speaker of English.
The next and bigger red flag is the link offered. All Canadian government websites use the top-level domain for Canada, “.ca”, for example https://www.canada.ca/ and https://www.gc.ca. As anyone in the world can register any .com domain name, the random format of the web address should give pause to an astute subscriber.
2. The website
It would be unusual, if not entirely impossible, that in 2020 an official website would be unencrypted. The “Not Secure” warning in the phone’s web browser should be an immediate red flag. If any doubt still remains whether this site is a scam, it should be removed on seeing the online banking login page.
Under no circumstances will an online banking login ever show (1) a “Not Secure” message in the browser or (2) a domain name in the address bar that does not belong to the bank.
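The two red flags above (a link that is not on the government's own domain, and a page served without encryption) can be checked mechanically by a message filter. The following is an added example, not code from the original post or from AdaptiveMobile Security; it assumes an allowlist holding only the two government domains the post names, and the sample messages and their `example.*` hostnames are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumption: allowlist limited to the two government domains named in the post.
OFFICIAL_DOMAINS = ("canada.ca", "gc.ca")
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)

# Constructed sample messages (not real spam captures).
SAMPLE_SMS = [
    "Gouv. of Canada: relief deposit pending, claim at http://relief-claim.example.com/ca.",
    "CRA notice: confirm details at https://www.canada.ca.example.net/login",
    "Benefit information: https://www.canada.ca/en/revenue-agency.html",
]

def extract_urls(sms_text):
    """Return links found in an SMS body, normalised to include a scheme."""
    urls = []
    for match in URL_RE.findall(sms_text):
        url = match.rstrip(".,;:!?)")          # drop sentence punctuation
        if not url.lower().startswith(("http://", "https://")):
            url = "http://" + url              # bare www. link: no encryption implied
        urls.append(url)
    return urls

def is_official_host(host):
    """Exact match or true subdomain only; a plain substring test would
    accept look-alikes such as canada.ca.example.net or notcanada.ca."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

def red_flags(url):
    """List the warning signs from the post that apply to one link."""
    parts = urlsplit(url)
    flags = []
    if parts.scheme.lower() != "https":
        flags.append("not-encrypted")          # browser would show "Not Secure"
    if parts.username is not None:
        flags.append("userinfo-in-url")        # text before '@' is not the host
    if not is_official_host(parts.hostname or ""):
        flags.append("not-official-domain")
    return flags

def check_sms(sms_text):
    """Map each link in the message to its red flags (empty list = none)."""
    return {url: red_flags(url) for url in extract_urls(sms_text)}

if __name__ == "__main__":
    for sms in SAMPLE_SMS:
        print(check_sms(sms))
```

An empty flag list only means the link points at an allowlisted domain over HTTPS; the same check applies to a bank login page by swapping in the bank's own domain.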
Three steps to protect yourself
1. Stop and think: does this organization or agency usually contact me this way? Was I expecting this message? Do I recognize this website? If in doubt, ignore the message and visit the real website of the agency in question to determine genuine entitlements and procedures to follow.
2. Look for red flags: does this website really belong to the organization in question? Don’t trust the name – check the organization’s real website using another source. If there’s any doubt, make a call to the organization or agency in question.
3. NEVER disclose online banking details: There are no circumstances under which you will need to provide your online banking details, security questions or security codes to a website, other than when you are logging in to your own bank of your own volition. An organization transferring funds to your account will need only your account number and sort code. Any time you need to use online banking, go directly to your bank’s website or app.
This blog post originally appeared on the Adaptive Mobile Security Website and is re-used here with kind permission.
The UK mobile, banking and finance industries along with the National Cyber Security Centre (NCSC) have joined forces to prevent fraudsters sending scam text messages that seek to exploit the Covid-19 crisis.