2021 was the year of SMS phishing and, unfortunately, things have not slowed down in 2022. Flubot was the most devastating example of what attackers could achieve by posing as courier companies: within months they had infected 60,000 phones, which contributed, as we will see, to much greater damage.
After the courier messages came SMS from banks, supermarkets and many other variants. Through all of this, the same question kept coming up: we know how they attack us and why, but how do they have our numbers?
How they get hold of our phone numbers
It is not possible to give a clear answer, but it is time to talk about Flubot again. In March 2021 it was estimated that, with these SMS messages posing as FedEx, DHL and other couriers, those responsible had managed to get hold of 11 million Spanish numbers, and it is likely that more than a year later the figure has risen considerably. That is a very large database of phone numbers (with names in many cases) against which attacks can be launched.
Obtaining it was as simple as having victims install the fraudulent applications on Android and, without knowing it, share their entire contact list. The SMS was then sent to those contacts as well, so that they would install the application and continue the chain. That controlling so many phones is so trivial for attackers, thanks to Android’s accessibility permission, is something Google is starting to wrestle with in Android 13.
Other ways to seize many phone numbers were the Facebook breach, which also left 11 million Spanish numbers exposed, and The Phone House breach, in which attackers using ransomware seized more than 5.2 million numbers, records and emails, many of them associated with Spanish phone numbers. These two databases are easily obtained on the Deep Web.
In 2022 we have not experienced anything as serious as these breaches, and the scams seem to have been changing. One that has not gone away, for example, is the Microsoft scam, which is nothing more than an alleged technical support service from the Redmond company, with the scammers trying to pass themselves off as workers who want to help us.
As for SMS scams, what we have seen most in the last year has been, above all, the use of bank names. Unlike what we saw with Flubot, here we are not prompted to install applications, but to enter our bank credentials to supposedly “log in” and solve a security problem. In the end, they even ask us for a card and a security number.
Even though entire contact lists are no longer emptied as they were with Flubot, the databases of numbers that may have been harvested from that malware, from the Facebook case and especially from The Phone House case, with numbers associated with telephone numbers, addresses, etc., are enormous. The worst thing is that all of this circulates through messaging groups and websites without any control.
An earlier version of the article was published in 2021.