T-Mobile Customers Warned of Unblockable SMS Phishing Attacks
An ongoing phishing campaign targets T-Mobile customers with malicious links using unblockable texts sent via SMS (Short Message Service) group messages.
The New Jersey Cybersecurity & Communications Integration Cell (NJCCIC) issued a warning after multiple customers filed reports of being targeted by this new SMS phishing (smishing) campaign.
NJCCIC is a component organization within the state’s Office of Homeland Security and Preparedness focused on incident reporting, cyber threat analysis, and information sharing.
Phishing messages come with “gifts”
The phishing texts thank the recipients for paying their T-Mobile bill and ask them to open a malicious link that will redirect them to a gift.
“The messages vary but typically thank the recipient for paying their bill and offer a gift. The messages include a link to accept the gift,” the NJCCIC explained on Friday.
“These links may lead to malicious websites intending to steal account credentials or personal information, or install malware.”
In March, a similar series of smishing attacks also targeted Verizon Wireless and Spectrum customers, impersonating the carriers in text messages spoofed to look like they were sent from the target’s phone number.
The Federal Trade Commission also warned consumers to watch out for scammers sending them texts from their numbers.
“They’ve changed (spoofed) the caller ID to look like they’re messaging you from your number, but the shock of getting a text from yourself is bound to get your attention — which is what they’re after,” the FTC said.
Attackers likely using info from past data breaches
According to the NJCCIC, this new smishing campaign is likely targeting T-Mobile customers because of past data breaches at the mobile carrier that exposed the information of millions of current, former, and prospective customers.
Since 2018, when info belonging to 3% of T-Mobile customers was accessed by hackers, T-Mobile has disclosed five other data breaches.
In 2019, T-Mobile exposed prepaid customers’ data, while in March 2020, hackers gained access to T-Mobile employees’ email accounts.
In December 2020, they also gained access to customer proprietary network information (phone numbers, call records).
Two months later, in February 2021, threat actors accessed an internal T-Mobile application. Several months after that, in August 2021, attackers brute-forced their way through T-Mobile's network after breaching the carrier's testing environments.
In December 2021, T-Mobile confirmed that the August data breach was linked to SIM swap attack notifications sent to a “very small number of customers.”
Last month, the New York State Office of the Attorney General (NY OAG) also warned victims of T-Mobile’s August 2021 data breach that they’re facing increased identity theft risks after some of their stolen information ended up for sale on the dark web.
The FTC says that Americans have reported losing more than $5.8 billion to fraud in 2021, a massive increase of over 70% compared to the losses reported the year before.
Smishing defense measures
To defend against ongoing smishing attacks promising gifts for paying your bill, avoid clicking any links you receive via text message from unknown contacts, and treat a link as untrusted even when the visible text contains the carrier's name: a hostname such as t-mobile.com followed by another domain, or a hyphenated variation of the brand, is not the carrier's site.
Instead, reach your account by typing T-Mobile's official website address yourself or by using the official app, and never provide sensitive personal information on a site you were redirected to after clicking a link delivered via SMS.
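The link check described above can be automated for triage of reported messages. The following is an added example, not code from the article or from T-Mobile or the NJCCIC: it extracts URLs from an SMS body, reduces each hostname to its registrable domain, compares that against an allowlist of legitimate carrier domains (the allowlist here, containing only t-mobile.com, is an assumption for the example), and flags brand lookalikes and "thank you for paying / gift" lure wording. The sample messages are constructed approximations of the campaign's wording, not real captures. A short-link or unrelated domain is not itself proof of phishing, so it is flagged only when lure wording accompanies it.

```python
import re
from urllib.parse import urlparse

# Registrable domains a genuine T-Mobile message could link to.
# ASSUMPTION for this example; T-Mobile publishes no such list here.
LEGITIMATE_DOMAINS = {"t-mobile.com"}

# Brand strings that appear in lookalike hostnames (tmobile-gift.example, t-mobile.com.evil.example).
BRAND_TOKENS = ("t-mobile", "tmobile")

# Lure wording reported for this campaign (approximated as regexes).
LURE_PATTERNS = [
    r"thank(?:s| you) for paying",
    r"\bgift\b",
    r"\breward\b",
]

URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)


def extract_urls(text):
    """Pull http(s):// and bare www. links out of an SMS body."""
    urls = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;:!?)\"'")
        if not url.lower().startswith("http"):
            url = "http://" + url  # let urlparse see a scheme
        urls.append(url)
    return urls


def registered_domain(host):
    """Last two labels of the host. A real implementation would use the
    public suffix list; this is enough to show why 't-mobile.com.evil.example'
    is not t-mobile.com."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_url(url):
    """'legitimate-domain', 'lookalike', or 'unknown-domain'."""
    host = urlparse(url).hostname or ""
    if registered_domain(host) in LEGITIMATE_DOMAINS:
        return "legitimate-domain"
    # Brand name present but the registrable domain is not the carrier's:
    # subdomain padding or hyphen tricks designed to look official.
    if any(token in host for token in BRAND_TOKENS):
        return "lookalike"
    return "unknown-domain"


def analyze_sms(text):
    """Return URL verdicts, matched lure patterns, and an overall verdict."""
    url_verdicts = {url: classify_url(url) for url in extract_urls(text)}
    lures = [p for p in LURE_PATTERNS if re.search(p, text, re.IGNORECASE)]
    has_lookalike = any(v == "lookalike" for v in url_verdicts.values())
    off_domain = any(v != "legitimate-domain" for v in url_verdicts.values())
    suspicious = has_lookalike or (bool(lures) and off_domain)
    return {"urls": url_verdicts, "lures": lures, "suspicious": suspicious}


# Constructed sample messages (not real captures).
SAMPLE_MESSAGES = [
    "Thank you for paying your T-Mobile bill! Accept your gift here: "
    "http://t-mobile.com.gift-claim.example/claim",
    "Your T-Mobile bill is ready. View it at https://www.t-mobile.com/account",
    "Thanks for paying your bill, claim your gift: www.tmobile-rewards.example",
    "Thanks for paying your bill, claim your gift: http://short.example/abc",
    "Reply STOP to unsubscribe",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        result = analyze_sms(msg)
        print("SUSPICIOUS" if result["suspicious"] else "ok        ", result["urls"])
```

Messages that land in `unknown-domain` without lure wording are left for a human to review, which is the right default for a triage script: the cost of a missed lookalike is an account takeover, while the cost of an extra manual look is a few seconds.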
Update: T-Mobile told BleepingComputer that there is no link between previous data breaches and these smishing attacks and shared the following statement:
As we detect new spam attacks from bad actors, we update our filters to block texts with known malicious links. We also encourage consumers to be cautious with engaging with unknown senders or unexpected messages. Don’t click on the links or reply to a group thread that contains people you do not know.
You can mute the text thread to stop getting alerts if anyone replies by following your phone manufacturer’s instructions. And while it won’t stop the replies, you can also delete the thread and messages. Customers can report spam by forwarding the message to 7726 (SPAM).