[HN Gopher] Smishing scam regarding debt for road toll services
___________________________________________________________________
Smishing scam regarding debt for road toll services
Author : impish9208
Score : 44 points
Date : 2024-04-15 14:04 UTC (8 hours ago)
(HTM) web link (www.ic3.gov)
(TXT) w3m dump (www.ic3.gov)
| Bluescreenbuddy wrote:
| I actually got one of these texts recently. Problem is, I don't
| drive or own a car. LMAO. I reported the domain they linked in
| the text to Cloudflare since WHOIS pointed to it.
| meepmorp wrote:
| > Smishing: A social engineering attack using fake text messages
| to trick people into downloading malware, sharing sensitive
| information, or sending money to cybercriminals. "Smishing"
| combines "SMS"--or "short message service," and "phishing."
| "Phishing" generally pertains to attacks on the internet, email,
| or websites.
| ChrisArchitect wrote:
| Didn't know _smishing_ was that common a term for this enough
| for its use here
| jwally wrote:
| I don't know how well it would scale, but from an ease-of-use
| perspective it feels like Quishing (eyes roll - QR Phishing) is a
| plague waiting to explode.
|
| "Just scan this and donate to the red cross!". My kid's
| afterschool provider had some sign up form for an event they're
| hosting - with a QR Code to sign up / pay - which was some random
| third party provider. Legitimate, but _painfully_ easy to
| spoof...
| jwally wrote:
| Also, juvenile shenanigans with links to goatse et al being
| placed on the local plumber's van feels like an easy win for 17
| yo boys everywhere.
| toast0 wrote:
| > links to goatse
|
| The Email service? why would people link to that? :P
| fckgw wrote:
| There was an explosion about 6-7 months ago reported on Reddit
| in the amount of phishing emails with QR codes in them. Because
| they have no URLs in them and the actual phishing happens off-
| device with no endpoint security, they seem to be bypassing a
| lot of filters.
|
| https://www.reddit.com/r/sysadmin/comments/16oh8ar/how_is_ev...
|
| https://www.reddit.com/r/cybersecurity/comments/16mn6ve/how_...
| WarOnPrivacy wrote:
| I used screenshotmachine.com to look at myturnpiketollservices
| dot com.
|
| It looks like the site is behind Cloudflare and CF has marked it
| as a phish (w/ an ignore & proceed link).
| mistercheph wrote:
| smishing is such a stupid term -- this is the kind of nonsense
| they invent and then test for on CompTIA et al cert exams
| macshome wrote:
| I found out about smishing and vishing from some mandatory
| security training at work.
|
| It's all just phishing to me, I don't get the need for all the
| other terms.
| myself248 wrote:
| In my day, we called it lying!
| Scoundreller wrote:
| Lucky for all you in US reporting these things.
|
| For the Canadian targeted ones, they generally geo-target the
| page (Canadian IP = scam, foreign IP = no scam presented) and
| it's an ordeal trying to get stuff taken down. I try at domain,
| SSL, host, Google safe search, netcraft levels and it's often a
| waste of time.
|
| Drives me bonkers when it gets assessed as "safe".
| euniceee3 wrote:
| Wild to see the extreme Smishing plus IMSI grabbing to then use
| an SDR to send the SMS without going through an SMS Gateway.
| https://commsrisk.com/chinese-arms-dealer-sold-imsi-catchers...
| Scoundreller wrote:
| I thought SMS gateways weren't really used anymore and the way
| to go was to buy a bunch of prepaid unlimited SIMs and blast
| out messages at a below-detection rate through thingies that
| rotate between 64/128/256 SIMs and 8-16 radios.
|
| Like shown here:
| https://au.finance.yahoo.com/news/how-one-man-allegedly-cost...
|
| The IMSI catching approach, wow!
| John23832 wrote:
| Totally secondary, but we could solve this by not giving the
| revenue rights for public good (parking meters, expressways, etc)
| to private companies which then have random toll websites. Just
| saying.
| Scoundreller wrote:
| Iunno, the EZ-Pass website looks designed a few decades ago.
| fwip wrote:
| Tables-for-layout the whole way down!
| (https://www.e-zpassny.com/en/home/index.shtml)
| uxjw wrote:
| Don't they already scam people by duplicating government
| websites?
| renewiltord wrote:
| Interesting. I see what you mean. Limiting it to .gov domains
| would make this hard to do but that cat is out of the bag and,
| in practice, we're better served with an open bidding process.
|
| However, I did find it painful just now to find who
| etimspayments.com is since they're using domain privacy even
| though they are the SF provider
| https://wmq.etimspayments.com/pbw/include/sanfrancisco/input...
|
| I was just talking to a friend and he put in a CPRA request to
| find out which LLC provides that service so we'll know soon
| enough.
| runsfromfire wrote:
| Would having an open bidding process preclude the use of .gov
| TLD?
|
| Why couldn't the highest bidder handle the payment and
| processing at e.g. tolls.gov?
| renewiltord wrote:
| I imagine the process of getting a .gov TLD and
| transferring it is currently arduous - perhaps because that
| .gov is a heavy hitter TLD. If so, local governments may
| lack the resources to put into place improvements for their
| constituents if blocked on that TLD. But if it is the case
| that the process for that is simple then what you say is
| reasonable.
| paulgb wrote:
| The FBI should become a virtual credit card issuer and allow
| anyone who thinks they are being scammed by a
| phishing/smishing/etc. scam to generate a fake card (with no
| balance attached to it) to give to the scammers. Seems like that
| would give them enough information to track down the bad guys, or
| at least to track down their enablers.
| ronsor wrote:
| People would blacklist FBI VCCs
| tgsovlerkhgsel wrote:
| Hard to do if the FBI were to work with several major banks
| and get numbers from their ranges. And obviously the
| numbers would be single/limited use.
| e40 wrote:
| If they wanted to trace the transactions, it wouldn't require
| anything as complex as this. They could trace existing
| transactions with a warrant, which I assume would be easy to
| get.
|
| The truth is, LEO don't give a shit about these types of
| crimes, because the CC companies have the fraud already built
| into their business models (e.g., they've priced in losses).
| tgsovlerkhgsel wrote:
| Many such scams must work, otherwise they wouldn't keep
| happening.
|
| I suspect CC companies refund the ones who complain, but
| enough victims of smaller scams never complain and thus it
| pays off.
|
| What would help is shared liability, and mandatory full
| refunds for all victims, not just those that come forward.
| For example, a consumer protection agency or association
| could prove that a certain company was scamming, and get a
| court order forcing the payment companies to reverse all
| transactions associated with that company.
|
| Suddenly, all those "FREE SUBSCRIPTION *turns into a
| $49/month, 6 month minimum subscription if not cancelled
| within 7 days" (with the "free" repeated in huge letters and
| the subscription terms hidden in the finest fine print) scams
| would become risky enough that the payment providers would no
| longer be happy to enable them for a small percentage of the
| loot.
| Luc wrote:
| Looks like the hardware he was using is on AliExpress:
| https://www.aliexpress.com/item/1005006609463852.html
| babyshake wrote:
| Anyone else think the term smishing is too cute and
| confusing, and "text message phishing" should be used instead?
| yamazakiwi wrote:
| Tishing would be more easily inferred than Smishing if they
| want to keep the fishing part for recognition. I can't find or
| think of any other examples in English where we combine a word
| with an acronym's first 2 letters pronounced phonetically.
|
| Lollercopter?
| teeray wrote:
| > visit https://myturnpiketollservices.com to settle your balance
|
| This is partly the fault of these rent collectors--they all use
| some shady-sounding but vaguely-related third party to settle
| fines (something like paymyparkingticket.com or
| paymyhospitalbill.com). Use your own domain, put a subdomain on
| it, and CNAME over to the third party so we can have _some_
| trust.
___________________________________________________________________
(page generated 2024-04-15 23:00 UTC)