AT&T Cell Phone Phish

Published: 2009-10-09
Last Updated: 2009-10-09 19:55:48 UTC
by Rob VandenBrink (Version: 5)
5 comment(s)

Alan tells us that several AT&T cell subscribers have just received a text message, which instructs them to call a toll-free number XXX-XXX-7649 to resolve a problem with their account.  When called, a voice menu harvests their credit card information. 

An interesting delivery mechanism for an old-hat phish, which we're all used to seeing in our email inboxes - now bright-shiny-new as a text message - nice find Allan!

Johannes tested this with the 4111 1111 1111 test card number, which the phish menu verified correctly.  Subsequent tests indicate that a random 16 digit number is initially accepted by the voice menu, but fails verification at the end of the input process.  This indicates that the menu is actually verifying and processing the CC numbers correctly, and is most likely processing (evil) transactions in close to real-time.
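The two outcomes reported above (the test card number accepted, a random 16-digit number rejected) are also what an offline Luhn checksum produces, so an analyst may want to rule that out before attributing the rejection to live authorization. The Python below is an added example, not part of the original diary. It assumes the test number is the standard 16-digit Visa test value 4111 1111 1111 1111, and the observation list is constructed.

```python
import random


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    digits = number.replace(" ", "")
    if not (digits.isascii() and digits.isdigit()):
        return False
    total = 0
    # Walk right to left, doubling every second digit and folding 10..18 to 1..9.
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def explained_by_luhn_alone(observations) -> bool:
    """True if every (number, accepted) pair matches what a checksum-only
    validator would do, i.e. the results do not require a card network."""
    return all(luhn_valid(num) == accepted for num, accepted in observations)


def random_pass_rate(samples: int, seed: int) -> float:
    """Fraction of random 16-digit strings that pass Luhn (expected near 0.10)."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(samples):
        candidate = "".join(rng.choice("0123456789") for _ in range(16))
        hits += luhn_valid(candidate)
    return hits / samples


# Constructed observations modelled on the diary text: (number entered, accepted?)
OBSERVATIONS = [
    ("4111 1111 1111 1111", True),   # standard Visa test number (assumed value)
    ("1234 5678 9012 3456", False),  # stand-in for "a random 16 digit number"
]

if __name__ == "__main__":
    print("explained by checksum alone:", explained_by_luhn_alone(OBSERVATIONS))
    print("random 16-digit pass rate:", random_pass_rate(20000, seed=1))
```

Roughly one random number in ten passes the checksum, so a single rejected random entry carries little evidence either way.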

A recording of a successful transaction is here ==> http://johannes.homepc.org/scam.mp3

Since first posting this story, we've had reports of similar attacks on Nextel (Sprint) and T-Mobile, and I'm sure the list will grow as more folks report in.

Also since posting this story, the process of taking down the original number has been initiated, but this is still a valuable discussion to have, as it's becoming a more common occurrence.

Don Smith (another ISC handler) has some other interesting diary entries on this here ==> http://isc.sans.org/diary.html?storyid=4507

and here ==> http://isc.sans.org/diary.html?storyid=4180

Always interesting to keep tabs on what evil lurks out there!


Comments

Over the last few weekends, we've had the same thing occur with most of the Nextel units in my company's fleet.

I've also spoken with someone in the local police department (also on Nextel) and they have been receiving the same messages.

There does seem to be a specific timing to the messages - I tend to receive them while driving home and again about 2 hours later, with Friday being especially common.

I wish they'd reset my debit card already. ;)

I have had the same experience as Johannes. This was a T-Mobile scam and I entered a random 16 digit number which was checked and failed verification. How can we find the owners of the 8xx- telephone numbers we are calling?

You should be able to find the resporg for most 8xx numbers using the Ameritech Resporg ID service: 800-337-4194. It appears to be down at the moment, but I've had good luck with it in the past.

Getting the number deactivated can be an adventure, even though most telecom companies will cooperate since this sort of thing is typically a TOS violation. Some of them can be a bit slow, though.

Jim, thank you for the information. Let the adventure begin. I will post my results on here.
