SMS Phishers Exploit Twilio and to Steal Mobile Account Logins

Via the GSMA Spam Reporting Service, we’ve been receiving reports of an SMS phishing attack aimed at the customers of several large mobile providers in the US. And in an unusual twist, the phishers are trying to evade anti-abuse services by showing their malicious content only to mobile users. More than a quarter of a million mobile users.

The SMS reports sent to 7726 cover a very large range of source phone numbers, with only a few messages reported from each sending number. Investigating these numbers shows that over 90% of them belong to Twilio, a communications company which offers voice and mobile messaging APIs accessible over the Internet. Cloudmark estimates that, since early January, the phishers exploited Twilio to attack over a quarter of a million US mobile phone subscribers, sending over 385,000 messages from about 2,500 unique phone numbers.

Figure: Daily volume of this SMS phishing attack being reported to 7726.


The pitch promises a bonus or discount on your next bill:

Congratulations! You have been randomly selected to receive an account Credit, please visit http://[redacted]/[redacted]

Hurray! You are one lucky customer getting a 5% discount on your next month balance, please login:[redacted]

Excellent! You are one lucky customer getting a 35% discount on your next month balance, please visit:[redacted]

If you’re particularly lucky, they’ll compliment you as well:

Hurray! You are one graceful customer getting a 40USD discount on your next month invoice, please visit:[redacted]

I’m graceful today, and $40 richer next month? Great news!

If you follow the short URL with a mobile browser, then you get a fairly plausible-looking sign-in page, complete with operator branding. (Savvy users will notice signs that the page is a forgery – for example, the domain hosting it doesn’t belong to the mobile operator.)

Figure: Mobile phishing sign-in page, designed to steal the subscriber’s User ID, Password and last 4 digits of their Social Security Number.


But if you were to follow this link with a desktop browser, you’d get a “Page Not Found” error – a dead link.

Well, only mostly dead: The phishers are detecting whether the browser is mobile or desktop; mobile browsers get malicious content, and other browsers get an HTTP 404 status code. It seems likely that the phishers are returning the 404 to try to deceive anti-abuse services: if the link is dead, then there’s nothing for the anti-abuse service to analyze, and hopefully the link will be classified as innocuous.
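An anti-abuse checker can counter this by requesting the link under more than one browser profile and comparing the answers. The sketch below is an added example, not Cloudmark's or any shortener's code; it assumes the server decides from the User-Agent header (the post does not say how detection is done), and the User-Agent strings, function names and `short.example` / `landing.example` URLs are constructed for illustration.

```python
import urllib.error
import urllib.request

# Assumed browser profiles (constructed for this example).
PROFILES = {
    "desktop": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
    "mobile": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) "
              "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 "
              "Mobile/15E148 Safari/604.1",
}


def http_fetch(url, user_agent, timeout=10):
    """GET url with the given User-Agent; return (status, final_url, body_len)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.geturl(), len(resp.read())
    except urllib.error.HTTPError as err:
        # A 404 is a result to compare, not a failure of the check.
        return err.code, err.geturl(), len(err.read())


def check_cloaking(url, fetch=http_fetch, profiles=PROFILES):
    """Fetch url once per profile and classify how the responses differ."""
    results = {name: fetch(url, ua) for name, ua in profiles.items()}
    statuses = {name: r[0] for name, r in results.items()}
    live = sorted(n for n, s in statuses.items() if 200 <= s < 300)
    dead = sorted(n for n, s in statuses.items() if s >= 400)
    if live and dead:
        verdict = "cloaked"      # content for some clients, error for others
    elif dead:
        verdict = "dead"         # every profile got an error
    else:
        verdict = "consistent"
    return {"verdict": verdict, "statuses": statuses, "live_for": live,
            "final_urls": {n: r[1] for n, r in results.items()}}


if __name__ == "__main__":
    # Constructed stand-in for the behaviour in the post: 404 unless mobile.
    def fake_fetch(url, ua):
        if "Mobile" in ua:
            return 200, "http://landing.example/signin", 5120
        return 404, url, 0

    print(check_cloaking("http://short.example/abc", fetch=fake_fetch))
```

A `cloaked` verdict means the link should be analyzed using the response from the profile that received content, not classified as innocuous on the strength of the 404.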

URL shortener abuse isn’t new, and shortener services have a responsibility to prevent that abuse. Many services accept abuse reports and take proactive actions such as checking URL contents. For example, fetches the original URL it has shortened (and even checks robots.txt, honoring a site’s expressed policy on being indexed) – exactly the kind of proactive checking the phishers are hoping to deceive.

We’ve seen older samples of this attack abusing However, has defanged the short URLs, and they now redirect to instead of the malicious site.

But recent samples show that the phishers have moved on to, which doesn’t seem even to check the original URL. Nor does have an obvious way to report abuse – it took some searching on Google and in forums to discover they suggest contacting

Twilio’s had problems with accusations of spamming before (see the class action complaint here). Despite that, they don’t have an obvious way to report abuse – again, we had to do a Google search to find a web form here.

URL shortening services like and advanced telecommunications services like Twilio offer real value to individuals and organizations, lowering the barriers to communication and connection – usually a great thing. But they’re also open to abuse, and they need to recognize their part in helping to prevent it.

Email showed how any messaging system that becomes popular becomes a target for abuse. Mobile is growing, and for many users and businesses, it’s the next step in messaging – and as we see in this attack, it’s the next step for the phishers as well.

Update:  Twilio contacted Cloudmark after reading this post and let us know that they have been working to resolve this issue, and that they take abuses like this seriously.

We are now in discussions with Twilio around how we can work together to further mitigate current and future issues of abuse.

3 thoughts on “SMS Phishers Exploit Twilio and to Steal Mobile Account Logins”

  1. Just got this text today. Didn’t click the link, but they obviously are not serious about resolving the issue. Text from something saying congratulations you can get a credit on next month’s bill.
