SMS Phishers Exploit Twilio and ow.ly to Steal Mobile Account Logins
Thu, Feb 13, 2014 by Mike Acar
Via the GSMA Spam Reporting Service, we’ve been receiving reports of an SMS phishing attack aimed at the customers of several large mobile providers in the US. And in an unusual twist, the phishers are trying to evade anti-abuse services by showing their malicious content only to mobile users. More than a quarter of a million mobile users.
The SMS reports sent to 7726 cover a very large range of source phone numbers, with only a few messages reported from each sending number. Investigating these numbers shows that over 90% of them belong to Twilio, a communications company which offers voice and mobile messaging APIs accessible over the Internet. Cloudmark estimates that, since early January, the phishers exploited Twilio to attack over a quarter of a million US mobile phone subscribers, sending over 385,000 messages from about 2,500 unique phone numbers.
The pitch promises a bonus or discount on your next bill:
Congratulations! You have been randomly selected to receive an account Credit, please visit http://[redacted]/[redacted]
Hurray! You are one lucky customer getting a 5% discount on your next month balance, please login: http://ow.ly/[redacted]
Excellent! You are one lucky customer getting a 35% discount on your next month balance, please visit: http://ow.ly/[redacted]
If you’re particularly lucky, they’ll compliment you as well:
Hurray! You are one graceful customer getting a 40USD discount on your next month invoice, please visit: http://ow.ly/[redacted]
I’m graceful today, and $40 richer next month? Great news!
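The two things that make this campaign stand out in 7726 reports are the templated lure text (a congratulation, a discount or credit, a call to action, a shortener link) and the sender pattern: a very large number of source numbers with only a handful of messages each. The script below is an added example, not Cloudmark's tooling or anything from the original post: it normalizes reported messages into templates, scores them with simple lure heuristics, and summarizes sender fan-out. The sample reports, sender numbers and URLs are constructed; the shortener list is the set of services the post names.

```python
import re
from collections import Counter

# Constructed sample 7726 reports as (sender, message). Not real data; the lure texts
# follow the wording quoted in the post, with constructed numbers and URLs.
REPORTS = [
    ("+15550100001", "Congratulations! You have been randomly selected to receive an account Credit, please visit http://example.invalid/a1b2"),
    ("+15550100002", "Hurray! You are one lucky customer getting a 5% discount on your next month balance, please login: http://ow.ly/xxxx1"),
    ("+15550100003", "Excellent! You are one lucky customer getting a 35% discount on your next month balance, please visit: http://ow.ly/xxxx2"),
    ("+15550100003", "Hurray! You are one graceful customer getting a 40USD discount on your next month invoice, please visit: http://ow.ly/xxxx3"),
    ("+15550100004", "Hurray! You are one lucky customer getting a 10% discount on your next month balance, please login: http://ow.ly/xxxx4"),
    ("+15550199999", "Your package is ready for pickup, reply YES to confirm"),
    ("+15550100005", "Reminder: dentist appointment tomorrow at 3pm"),
]

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
NUM_RE = re.compile(r"\d+")
SHORTENERS = {"ow.ly", "bit.do", "bit.ly"}          # shorteners named in the post
LURE_WORDS = ("discount", "credit", "bonus")         # assumed lure vocabulary
ACTION_WORDS = ("visit", "login", "log in", "sign in")


def normalize(msg):
    """Collapse a message into a template: lowercase, URLs -> <url>, digits -> <num>."""
    t = URL_RE.sub("<url>", msg.lower())
    t = NUM_RE.sub("<num>", t)
    return " ".join(t.split())


def url_hosts(msg):
    """Return the lowercase hostnames of every URL in the message."""
    hosts = []
    for u in URL_RE.findall(msg):
        host = u.split("//", 1)[1].split("/", 1)[0].lower()
        hosts.append(host)
    return hosts


def lure_reasons(msg):
    """List the heuristic reasons a message looks like a billing-credit lure."""
    low = msg.lower()
    reasons = []
    if any(w in low for w in LURE_WORDS):
        reasons.append("financial lure")
    if any(w in low for w in ACTION_WORDS) and URL_RE.search(msg):
        reasons.append("call to action with link")
    if any(h in SHORTENERS for h in url_hosts(msg)):
        reasons.append("shortener link")
    return reasons


def analyze(reports, min_reasons=2):
    """Summarize suspicious reports: how many senders, how concentrated, how templated."""
    suspicious = [(s, m) for s, m in reports if len(lure_reasons(m)) >= min_reasons]
    senders = Counter(s for s, _ in suspicious)
    templates = Counter(normalize(m) for _, m in suspicious)
    return {
        "suspicious": len(suspicious),
        "unique_senders": len(senders),
        "max_per_sender": max(senders.values(), default=0),
        "templates": templates,
    }


if __name__ == "__main__":
    summary = analyze(REPORTS)
    print(f"{summary['suspicious']} suspicious reports from "
          f"{summary['unique_senders']} senders (max {summary['max_per_sender']} per sender)")
    for template, count in summary["templates"].most_common():
        print(f"{count:3d}  {template}")
```

A low messages-per-sender ratio combined with a small number of templates is the shape of a campaign spread across many rented numbers; the templates also give an analyst something stable to block on while the URLs and sender numbers keep changing.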
If you follow the short URL with a mobile browser, then you get a fairly plausible-looking sign-in page, complete with operator branding. (Savvy users will notice signs that the page is a forgery – for example, the domain hosting it doesn’t belong to the mobile operator.)
But if you were to follow this link with a desktop browser, you’d get a “Page Not Found” error – a dead link.
Well, only mostly dead: The phishers are detecting whether the browser is mobile or desktop; mobile browsers get malicious content, and other browsers get an HTTP 404 status code. It seems likely that the phishers are returning the 404 to try to deceive anti-abuse services: if the link is dead, then there’s nothing for the anti-abuse service to analyze, and hopefully the link will be classified as innocuous.
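The countermeasure for user-agent cloaking is simple: a URL checker should not trust a single fetch. The code below is an added example, not Cloudmark's or any shortener's scanner: it fetches the same URL once per user agent, compares status codes and content digests, and flags the 404-for-desktop, 200-for-mobile split described above. The user agent strings and the two simulated sites are constructed stand-ins; `http_fetch` shows how the probe would be wired to a real request with the standard library.

```python
import hashlib
import urllib.request
import urllib.error

# Constructed user agent strings for probing (assumed values, shortened for readability).
PROBE_AGENTS = {
    "desktop": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0 Safari/537.36",
    "mobile": "Mozilla/5.0 (iPhone; CPU iPhone OS 7_0 like Mac OS X) AppleWebKit/537.51 (KHTML, like Gecko) Mobile/11A465 Safari/9537.53",
    "android": "Mozilla/5.0 (Linux; Android 4.4; Nexus 5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0 Mobile Safari/537.36",
}


def http_fetch(url, ua, timeout=10):
    """Real fetcher: returns (status, body) and treats HTTP errors as ordinary results."""
    req = urllib.request.Request(url, headers={"User-Agent": ua})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def simulated_cloaking_site(url, ua):
    """Constructed stand-in for the behaviour in the post: mobile agents get a page, others a 404."""
    if any(tok in ua for tok in ("Mobile", "iPhone", "Android")):
        return 200, b"<html><title>Sign in to your account</title>...</html>"
    return 404, b"<html>Page Not Found</html>"


def simulated_honest_site(url, ua):
    """Constructed stand-in for a site that serves everyone the same content."""
    return 200, b"<html>Welcome</html>"


def probe(url, fetch, agents=PROBE_AGENTS):
    """Fetch url once per agent; fetch(url, ua) must return (status, body_bytes)."""
    results = {}
    for name, ua in agents.items():
        status, body = fetch(url, ua)
        digest = hashlib.sha256(body).hexdigest()[:16]
        results[name] = (status, digest, len(body))
    return results


def classify(results):
    """Decide whether the responses are consistent across agents or point to cloaking."""
    statuses = {status for status, _, _ in results.values()}
    digests = {digest for _, digest, _ in results.values()}
    if len(statuses) == 1 and len(digests) == 1:
        return "consistent"
    if 404 in statuses and 200 in statuses:
        return "cloaking-suspected: 404 for some agents, 200 for others"
    return "inconsistent: content differs by user agent"


if __name__ == "__main__":
    for label, site in (("cloaking", simulated_cloaking_site), ("honest", simulated_honest_site)):
        results = probe("http://example.invalid/landing", site)
        print(label, classify(results))
        for agent, (status, digest, size) in results.items():
            print(f"  {agent:8s} {status} {digest} {size} bytes")
```

A shortener or anti-abuse service running this check should treat "cloaking-suspected" as a reason to quarantine or escalate the link rather than to mark it dead: a URL that is only alive for phones is exactly the case a desktop-only crawler is designed to miss.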
URL shortener abuse isn’t new, and shortener services have a responsibility to prevent that abuse. Many services accept abuse reports and take proactive actions such as checking URL contents. For example, bit.ly fetches the original URL it has shortened (and even checks robots.txt, honoring a site’s expressed policy on being indexed) – exactly the kind of proactive checking the phishers are hoping to deceive.
We’ve seen older samples of this attack abusing bit.do. However, bit.do has defanged the short URLs, and they now redirect to http://phish-education.apwg.org/ instead of the malicious site.
But recent samples show that the phishers have moved on to ow.ly, which doesn’t even seem to check the original URL. Nor does ow.ly have an obvious way to report abuse – it took some searching on Google and in forums to discover they suggest contacting firstname.lastname@example.org.
Twilio’s had problems with accusations of spamming before (see the class action complaint here). Despite that, they don’t have an obvious way to report abuse – again, we had to do a Google search to find a web form here.
URL shortening services like ow.ly and advanced telecommunications services like Twilio offer real value to individuals and organizations, lowering the barriers to communication and connection – usually a great thing. But they’re also open to abuse, and they need to recognize their part in helping to prevent it.
Email showed how any messaging system that becomes popular becomes a target for abuse. Mobile is growing, and for many users and businesses, it’s the next step in messaging – and as we see in this attack, it’s the next step for the phishers as well.
Update: Twilio contacted Cloudmark after reading this post and let us know that they have been working to resolve this issue, and that they take abuses like this seriously.
We are now in discussions with Twilio around how we can work together to further mitigate current and future issues of abuse.