News of SMS (text) phishing scams is nothing new to readers of this blog. ESET researcher Cameron Camp recently wrote an article explaining how they work and how to avoid them here on ESET’s Threat Blog: SMSmishing (SMS Text Phishing) – how to spot and avoid scams. And just before Valentine’s Day, my colleague Stephen Cobb performed a two-part investigation into a Victoria’s Secret gift card scam delivered via email.

A Global Enterprise

The scamming continues unabated, and this time electronics retailing giant Best Buy is the target: Within a period of about three hours, both a coworker and I received identical messages inviting us to visit what appears at a cursory glance to be Best Buy’s web site, but instead belongs to a domain registered through Internet.BS, a shadowy domain registrar registered to do business in the Bahamas, and perhaps best known for its curious relationship to online pharmacies and use of anonymous payment systems favored by Russian cybercriminals. The web site itself is located at a French hosting provider.

Anatomy of a scam:  SMS scammer’s payoff

So, what is the scam here? Visiting the web site and entering the code takes you to a web site which asks you to enter your email address in a prominently displayed, larger form in the center of the page.

And what does this get you? Doing so entitles you to receive emails from the company behind this scam. According to the terms and conditions on the web site—which required some magnification for me to view legibly—you must also provide them with all of your contact information so that they may send additional texts to your cell phone, emails and your address. They, in turn, will use this information to send promotional offers your way. You must make six purchases from their offers, and refer ten friends who must make six purchases as well, in order to receive your “FREE $1,000 Bestbuy Giftcard.” Oh, and to add insult to injury, the last paragraph of their privacy policy states that they will resell the information you provide them to other marketing companies.

Countermeasures:  Defeating the wily scammer

It should be obvious to regular readers of this blog that this is a scam, and the best thing to do with such things is delete them.  You may (or may not) be able to report them to your carrier, but scams like these are typically paid for through fraudulent means such as stolen credit cards, so your carrier may be almost as much a victim as you were.

Avoiding this type of scam is largely a matter of impulse control: Con artists like the scammers behind this one prey on the naiveté and gullibility of the public, knowing that a certain percentage will click through, expecting to get their gift card rather than spam, telemarketing calls and junk mail. Applying a smidge of common sense and a dash of critical thinking largely alleviates such threats.

Like their email and telephone counterparts, scammers like these rely on an uneducated public, and the best defense is learning to recognize such scams.  ESET has been working for about three years on a free community education program called Securing Our eCity, whose job it is to educate the public about how to recognize and avoid cybercrime.  Initially focused on San Diego, the programs developed by SOeC are achieving national and even international recognition and use.

ESET recognizes that not all threats to your computer come from malware like trojans, viruses and worms.  That’s why we have developed free cybersecurity training for our customers to educate them about the “soft skills” needed to stay safe online.

Lastly, if you are one of the unlucky few who are constantly besieged by such unwanted texts, you might want to consider installing a program such as ESET Mobile Security on your smartphone, which provides SMS and MMS antispam.

Have you received an SMS or text from a scammer? If so, please leave a comment and let us know how you handled it.

The author would like to extend thanks to his colleagues Christopher Dale, David Harley and Octavio Vasquez for their assistance in preparing this post.

Aryeh Goretsky, MVP, ZCSE
Distinguished Researcher