Text message phishing scam?

Jan 06, 2009

Earlier this evening, my wife received an unusual text message to her phone:

"From: No Caller ID
"Date: 1/6/09 5:55 pm
"This is an automated message from Arlington Virginia FCU. Your ATM card has been suspended. To reactivate call urgent at (800) 295-3174."

I don't think I have to state that neither Lyssa nor I have accounts with the Arlington, VA Federal Credit Union.

So I've been doing some detective work on who sent this and I've found out a few things. Unfortunately, because the initial contact came via a text message I don't have any way of looking at transmission headers (though if anyone knows of an SMS forensics utility that'll work with a Palm Treo, by all means leave me a comment). First of all, a number of people in the Virginia area have been contacted in this fashion, and none of them are exactly pleased with it.

My first stop was our Googley Pre-Singularity Lord and Master. The first link to appear is a link to an outfit called Get800Today.com, which appears to be a service from which you can rent an 800 number in much the same manner as you can use a pre-paid cellular telephone (first 60 minutes or month free, whichever comes first). You set the number they give you to forward to another line (which could be anything from a cellphone to a voicemail box to a VoIP line), which effectively covers your trail. They also have a toll-free customer support line (888-528-9892), which I plan on calling tomorrow during office hours. If you dial the 800 number in question (which I just did from another phone, using *67 to block my caller ID), you will find that the line's been terminated.

Next, numberzoom.com has an extensive list of suspicious 800 numbers, which lists the 800 number in question as being up to something shady, but that's about it. Not too helpful save that it suggests that others have been contacted with this number referenced.

A handy site called phoneowner.info keeps a list of phone numbers and complaints about them, and it lists this number in particular with the same complaint.

So, nothing, really.

From what I've seen in the field over the past few years, I've got a rough guess as to what's going down here. The fact that it's a phishing scam is pretty obvious. What I think the perpetrators did is SMS spam large blocks of cellphone numbers; certain cell providers will let you send a short e-mail to @cellular.provider.com and will forward the e-mail (sans headers) to the subscriber's cellphone. To e-mail NPANXX0000@cellular.provider.com through NPANXX9999@cellular.provider.com is trivial to accomplish with a few lines of Perl code, though conventional spamming techniques are more likely. Before spamming our cellphones, they appear to have rented the 800 number I've been talking about from get800today.com. Where it forwards to, I have no idea because there's no way that someone like me can find the destination of a call forward without having access to the telephony switch which actually relays the call or the CDR records therefrom (and given that they've shut the number down, it's pointless to try). The call could have been forwarded to a pre-paid cellphone, a voicemail box, or a VoIP line (which pretty much assumes voice mail), I would think with a suitably convincing recording of a bank's credit card validation and reactivation line, the better to get people to leave their names, addresses, debit card numbers, and expiration dates.
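Seen from the side of whoever runs the e-mail-to-SMS gateway, a sweep through NPANXX0000 to NPANXX9999 leaves a recognizable trail: one sender touching many subscriber numbers inside a single NPA-NXX block. The sketch below is an added example, not code from this post; the log format, the addresses, and the thresholds are all assumptions made up for illustration.

```python
import re
from collections import defaultdict

# Assumed (constructed) gateway log format: "<time> from=<sender> to=<10digits@domain>"
LINE_RE = re.compile(r"from=<([^>]*)> to=<(\d{10})@([^>]+)>")

def longest_run(nums):
    """Length of the longest run of consecutive integers in a set."""
    best = 0
    for n in nums:
        if n - 1 not in nums:          # n starts a run
            length = 1
            while n + length in nums:
                length += 1
            best = max(best, length)
    return best

def find_block_sweeps(lines, min_distinct=20, min_run=10):
    """Map (sender, NPANXX) -> (distinct numbers hit, longest consecutive run)
    for senders that cover an unusual share of one NPA-NXX block."""
    seen = defaultdict(set)            # (sender, NPANXX) -> 4-digit line numbers
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue                   # not a delivery line, or non-numeric recipient
        sender, number, _domain = m.groups()
        seen[(sender.lower(), number[:6])].add(int(number[6:]))
    flagged = {}
    for key, suffixes in seen.items():
        run = longest_run(suffixes)
        if len(suffixes) >= min_distinct or run >= min_run:
            flagged[key] = (len(suffixes), run)
    return flagged

def sample_log():
    """Constructed sample: one sender sweeping 703-555-0000..0039, one ordinary user."""
    lines = [f"2009-01-06T17:55:{i:02d} from=<alerts@example.net> "
             f"to=<703555{i:04d}@cellular.provider.com>" for i in range(40)]
    for num in ("7035551234", "7035559876", "2025550111"):
        lines.append("2009-01-06T18:01:00 from=<user@example.org> "
                     f"to=<{num}@cellular.provider.com>")
    return lines

if __name__ == "__main__":
    for (sender, block), (count, run) in find_block_sweeps(sample_log()).items():
        print(f"{sender} hit {count} numbers in {block}-xxxx (longest run {run})")
```

Counting distinct numbers per block catches a sweep sent in shuffled order, while the consecutive-run check catches a short sequential one that stays under the volume threshold.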

I hope that nobody out there fell for this scam.