Two cuffed over suspected smishing campaign using 'text message blaster'

Thousands of dodgy SMSes bypassed network filters in UK-first case, it is claimed


British police have arrested two individuals following an investigation into an SMS-based phishing campaign using some kind of homebrew hardware.

That equipment, described by the cops variously as a "homemade mobile antenna," "an illegitimate telephone mast," and a "text message blaster," is thought to be a first-of-its-kind device in the UK designed to fire dodgy texts out en masse to marks, all while allegedly bypassing network operators' anti-SMS-based phishing, or smishing, defenses.

Thousands of messages were sent using this setup, City of London Police claimed on Friday, with those suspected to be behind the operation misrepresenting themselves as banks "and other official organizations" in their texts.

"The criminals committing these types of crimes are only getting smarter, working in more complex ways to trick unknowing members of the public and steal whatever they can get their hands on. It is vital we work with partners to help prevent the public from falling victim to fraud," said temporary detective chief inspector David Vint, head of City's Dedicated Card and Payment Crime Unit (DCPCU).

"Remember, a bank or another official authority will not ask you to share personal information over text or phone. If you think you have received a fraudulent text message, report it by forwarding it to 7726."

Most network operators in the UK are enrolled in a scheme that allows customers to forward suspicious SMS messages to 7726 – a dedicated number for assessing the potential threat of any given message. Network operators can then decide whether to block or ban the sender if foul play is afoot.

For example, EE has stopped tens of millions of scam SMS messages since stepping up its anti-spam filter in 2021. It also runs a scheme in its retail stores whereby new customers can verify their identity with the network, vastly reducing the likelihood that messages stemming from their accounts would ever be spammy in nature.

Huayong Xu, 32, of Alton Road in Croydon, was arrested on May 23 and remains the only individual identified by police in this investigation at this stage. He has been charged with possession of articles for use in fraud and will appear at Inner London Crown Court on June 26.

The other individual, who wasn't identified and did not have their charges disclosed by police, was arrested on May 9 in Manchester and was bailed.

City of London Police said it was working with network operators, communications regulator Ofcom, and the National Cyber Security Centre (NCSC) on the case.

Ofcom told us: “Criminals who defraud people using mobile technology cause huge distress and financial harm to their victims. We’re working closely with the police, the National Cyber Security Centre, other regulators, and industry to tackle the problem.”

The Register asked NCSC for more details on the masts and if there are thought to be additional devices popping up around the UK. NCSC referred us to the City of London Police for comment.

Without any additional information to go on, it's difficult to make any kind of assumption about what these "text message blaster" devices might be. However, one possibility, judging from the messaging from the police, is that the plod are referring to an IMSI catcher aka a Stingray, which acts as a cellphone tower to communicate with people's handhelds.

But those are intended primarily for surveillance. What's more likely is that the suspected UK device is perhaps some kind of SIM bank or collection of phones programmed to spam out shedloads of SMSes at a time. ®

Editor's note: This article was revised on June 11 to clarify what the alleged "illegitimate telephone mast" may be. We're digging deeper into this.
