Skip to main content

T-Mobile sounds the alarm over unblockable SMS phishing attacks

Mobile network operator T-Mobile has warned its users of an unblockable smishing campaign that aims to steal their personal information and passwords, or install malware.

According to a BleepingComputer report, T-Mobile warned its users after the company was itself alerted by the New Jersey Cybersecurity / Communications Integration Cell (NJCCIC), an arm of the Office of Homeland Security and Preparedness working on cybersecurity threat analysis and incident reporting. 

The NJCCIC was approached by “multiple” customers, who had received group SMS messages pretending to be from T-Mobile. The message thanked the recipient for paying their bills on time and offered a free “gift”, to be claimed via the web link provided.

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey to get the bookazine, worth $10.99/£10.99.

Group messages cannot be blocked

When clicked, the link redirects the user to a malicious website that aims to “steal account credentials or personal information, or install malware".

The group message was sent to numerous numbers, at random, the NJCCIC says, with the victims being targeted “dozens of times” over the span of three days. Given that these are group texts, the victims were unable to block the attacker.

The NJCCIC speculates that the smishing campaign was likely made possible due to previous data breaches affecting the mobile carrier and millions of its users. 

BleepingComputer reminds that, in the past four years, T-Mobile has disclosed a total of seven data breaches.

In 2018, data belonging to 3% of the company’s customers was accessed. And a year later, T-Mobile exposed the data belonging to some of its pre-paid customers.

In 2020, meanwhile, T-Mobile employees' email accounts were compromised, and phone numbers and call records were accessed by unauthorized third parties.

Last year wasn't devoid of incident, either, with a threat actor compromising T-Mobile’s network through its testing environment, and using the stolen information to launch SIM swap attacks.

As usual, cybersecurity experts are urging people to deploy multi-factor authentication and security keys, and not to click on links in emails and SMS from unfamiliar senders.

Via BleepingComputer



Source: TechRadar

Popular posts from this blog

FCC approves broadband 'nutrition labels' to help you shop for internet

The FCC is pushing nutrition labels for internet providers. What you need to know The FCC has voted to move forward with new rules for ISPs to display nutrition labels. The proposed rulemaking would mandate ISPs to display relevant speed and pricing information to consumers. This should make it easier for consumers to make an informed decision on their broadband. The FCC voted unanimously on a plan that would allow consumers to make better decisions about their broadband internet. The proposal will require internet service providers (ISPs) - including many of the best wireless carriers in the U.S. — to display "nutrition labels" that display relevant service information for consumers at point-of-sale. This includes internet speeds, allowances, and clear information on rates. "If you walk into any grocery store and pull boxes of cereal from the shelves, you can easily compare calories and carbohydrates," FCC Chair Jessica Rosenworcel said in a statemen

Slack’s new integration deal with AWS could also be about tweaking Microsoft

Slack and Amazon announced a big integration late yesterday afternoon. As part of the deal, Slack will use Amazon Chime for its call feature, while reiterating its commitment to use AWS as its preferred cloud provider to run its infrastructure. At the same time, AWS has agreed to use Slack for internal communications. Make no mistake, this is a big deal as the SaaS communications tool increases its ties with AWS, but this agreement could also be about slighting Microsoft and its rival Teams product by making a deal with a cloud rival. In the past Slack CEO Stewart Butterfield has had choice words for Microsoft saying the Redmond technology giant sees his company as an “existential threat.” Whether that’s true or not — Teams is but one piece of a huge technology company — it’s impossible not to look at the deal in this context. Aligning more deeply with AWS sends a message to Microsoft, whose Azure infrastructure services compete with AWS. Butterfield didn’t say that of course

Yandex spins out self-driving car unit from its Uber JV, invests $150M into newco

Self-driving cars are still many years away from becoming a ubiquitous reality, but today one of the bigger efforts to build and develop them is taking a significant step out as part of its strategy to be at the forefront for when they do. Yandex — the publicly-traded Russian tech giant that started as a search engine but has expanded into a number of other, related areas (similar to US counterpart Google) — today announced that it is spinning out its self-driving car unit from MLU BV — a ride-hailing and food delivery joint venture it operates in partnership with Uber. The move comes amid reports that Yandex and Uber were eyeing up an IPO for MLU  last year. At the time, the JV was estimated to be valued at around $7.7 billion. It’s not clear how those plans will have been impacted in recent months, with COVID-19 putting huge pressure on ride-hailing and food-delivery businesses globally, and IPOs generally down compared to a year ago. In that context, spinning out the unit could

Elon Musk sends yet another notice trying to terminate the Twitter deal

Kristen Radtke / The Verge; Getty Images Elon Musk has sent a third letter to Twitter attempting to terminate his $44 billion acquisition of the company . Musk’s legal team cited Twitter’s multimillion dollar severance payment to former security chief and whistleblower Peiter Zatko as a violation of the merger agreement and a reason to end the deal. The letter, dated September 9th, was sent to Twitter’s chief legal officer Vijaya Gadde, and was included in a filing Twitter made with the SEC on Friday (which you can read at the bottom of this article). Last month, Zatko made headlines by accusing Twitter of misleading investors about the number of bots on the service, failing to delete users’ data, and having poor security practices, among other things. Musk jumped on the accusations, citing them in his second termination letter and subpoenaing Zatko to testify in the lawsuit. Zatko was set to be deposed on Friday. Elon Musk sent his first letter of termination in July , say