Two cuffed over suspected smishing campaign using 'text message blaster'
Thousands of dodgy SMSes bypassed network filters in UK-first case, it is claimed
British police have arrested two individuals following an investigation into an SMS-based phishing campaign using some kind of homebrew hardware.
That equipment, described by the cops variously as a "homemade mobile antenna," "an illegitimate telephone mast," and a "text message blaster," is thought to be a first-of-its-kind device in the UK designed to fire dodgy texts out en masse to marks, all while allegedly bypassing network operators' anti-SMS-based phishing, or smishing, defenses.
Thousands of messages were sent using this setup, City of London Police claimed on Friday, with those suspected to be behind the operation misrepresenting themselves as banks "and other official organizations" in their texts.
"The criminals committing these types of crimes are only getting smarter, working in more complex ways to trick unknowing members of the public and steal whatever they can get their hands on. It is vital we work with partners to help prevent the public from falling victim to fraud," said temporary detective chief inspector David Vint, head of City's Dedicated Card and Payment Crime Unit (DCPCU).
"Remember, a bank or another official authority will not ask you to share personal information over text or phone. If you think you have received a fraudulent text message, report it by forwarding it to 7726."
Most network operators in the UK are enrolled in a scheme that allows customers to forward suspicious SMS messages to 7726 – a dedicated number for assessing the potential threat of any given message. Network operators can then decide whether to block or ban the sender if foul play is afoot.
For example, EE has stopped tens of millions of scam SMS messages since stepping up its anti-spam filter in 2021. It also runs a scheme in its retail stores whereby new customers can verify their identity with the network, vastly reducing the likelihood that messages stemming from their accounts would ever be spammy in nature.
Huayong Xu, 32, of Alton Road in Croydon, was arrested on May 23 and remains the only individual identified by police in this investigation at this stage. He has been charged with possession of articles for use in fraud and will appear at Inner London Crown Court on June 26.
The other individual, who wasn't identified and did not have their charges disclosed by police, was arrested on May 9 in Manchester and was bailed.
City of London Police said it was working with network operators, communications regulator Ofcom, and the National Cyber Security Centre (NCSC) on the case.
Ofcom told us: “Criminals who defraud people using mobile technology cause huge distress and financial harm to their victims. We’re working closely with the police, the National Cyber Security Centre, other regulators, and industry to tackle the problem.”
The Register asked NCSC for more details on the masts and if there are thought to be additional devices popping up around the UK. NCSC referred us to the City of Police for comment.
- April brings tulips, taxes ... and phisherfolk scammers
- Voicemail phishing emails steal Microsoft credentials
- Cybercriminals are stealing iOS users' face scans to break into mobile banking accounts
- Meta says risk of account theft after phone number recycling isn't its problem to solve
Without any additional information to go on, it's difficult to make any kind of assumption about what these "text message blaster" devices might be. However, one possibility, judging from the messaging from the police, is that the plod are referring to an IMSI catcher aka a Stingray, which acts as a cellphone tower to communicate with people's handhelds.
But those are intended primarily for surveillance. What's more likely is that the suspected UK device is perhaps some kind of SIM bank or collection of phones programmed to spam out shedloads of SMSes at a time. ®
Editor's note: This article was revised on June 11 to clarify what the alleged "illegitimate telephone mast" may be. We're digging deeper into this.