Detecting Scam Text (SMS) Messages

I regularly get unsolicited phone calls; those are easy to handle. I normally don’t answer calls whose contact information is not in my phone. On the rare occasions when I answer the phone, I have found the best thing I can tell them is “I don’t do business with people who randomly call me on the phone.”

Text messages (SMS messages) are a different story: they appear on my phone, solicited or unsolicited. Below is a recent scam text message I received. They are trying their best to get me to click the URL link.

I will step you through the problems I found with this text message.

  1. Most legitimate companies I deal with do not use a real phone number. They are now using a 5-digit code like “59842” to send texts. Also, the text message used the country identifier “+1” for the USA. Lastly, this number was not in my address book.
  2. Have you ever heard of NRSC Poll? They may be a legit company. If you want to fill out a survey, search for NRSC Poll and see the results. If they ask for any personal info, be cautious.
  3. The text message provided a deadline, so you must respond quickly. Why? Probably because the hacker knows that this domain has a limited life.
  4. Do we talk like the example in the text message? “Quick vote!” We aren’t voting, it’s a poll.
  5. Let’s check out the domain! First, item 2 said it was an NRSC poll. Why doesn’t the URL contain “NRSC”?

To check out domains, I use https://whois.domaintools.com/. Type the domain into the search box and press Search. Example: win-gop22.com. When I followed these steps for this domain, I found suspicious items:

  • Yellow highlight: The domain was created on the same day the text message was sent. This is suspicious.
  • Red highlight: The domain’s registrant information was redacted for privacy. Why would a legitimate company or organization need privacy? Very suspicious.

An email address is provided (green highlight) where you can report abuse. It is different for every domain. You can’t report abuse to GoDaddy if WordPress is the domain registrar. GoDaddy has a form to report abuse on their website: https://supportcenter.godaddy.com/AbuseReport?
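The checks listed above, combined into one function, as an added example that is not part of the original post. It runs on a constructed message and constructed WHOIS text; the 30-day age threshold, the urgency word list and every name in it are assumptions.

```python
import re
from datetime import date, datetime

# Heuristics mirror the checks in the article; patterns and thresholds are assumptions.
URL_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?", re.I)
URGENCY_RE = re.compile(r"\b(midnight|right now|due by|today only)\b", re.I)
REDACTED_RE = re.compile(r"redacted|privacy|proxy|withheld", re.I)

def parse_whois(text):
    """Extract creation date and registrant organization from raw WHOIS text."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields.setdefault(key.strip().lower(), value.strip())
    created = fields.get("creation date", "")[:10]
    return {
        "created": datetime.strptime(created, "%Y-%m-%d").date() if created else None,
        "registrant": fields.get("registrant organization", ""),
    }

def sms_red_flags(sender, body, received, claimed_sender, whois_text, max_age_days=30):
    """Return the list of red flags for one message and its link's WHOIS record."""
    flags = []
    if len(re.sub(r"\D", "", sender)) > 6:  # US short codes are 5 or 6 digits
        flags.append("full phone number instead of a short code")
    if URGENCY_RE.search(body):
        flags.append("deadline or urgency wording")
    match = URL_RE.search(body)
    if match:
        domain = match.group(1).lower()
        if claimed_sender.lower() not in domain:  # naive substring check
            flags.append(f"link domain {domain} does not contain '{claimed_sender}'")
        who = parse_whois(whois_text)
        if who["created"] and (received - who["created"]).days <= max_age_days:
            flags.append(f"domain is {(received - who['created']).days} day(s) old")
        if not who["registrant"] or REDACTED_RE.search(who["registrant"]):
            flags.append("registrant hidden or redacted")
    return flags

# Constructed sample, modelled on the message in this post (not real WHOIS output).
SAMPLE_SMS = "ACME LIVE POLL: All responses are due by MIDNIGHT. Quick vote! http://vote-now22.example/x1"
SAMPLE_WHOIS = """Domain Name: VOTE-NOW22.EXAMPLE
Creation Date: 2022-03-01T14:05:11Z
Registrant Organization: REDACTED FOR PRIVACY
Registrar Abuse Contact Email: abuse@registrar.example"""

if __name__ == "__main__":
    for flag in sms_red_flags("+1 (555) 010-0199", SAMPLE_SMS, date(2022, 3, 1), "acme", SAMPLE_WHOIS):
        print("-", flag)
```

A flag is a reason to look closer, not proof: privacy-redacted WHOIS records are common for ordinary domains too, so weigh the flags together.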

Here is the original text of the message. I want the search engines around the world to be able to index this page to warn others of scams:

NRSC LIVE POLL: BIDEN-HARRIS APPROVAL. We want to hear your thoughts on the DISASTROUS Biden-Harris Administration. All responses are due by MIDNIGHT. Take action RIGHT NOW, so your voice is heard. Quick vote! http://win-gop22.com/x6bpdNA
Text STOP to END

2022 Election Scam

Below is another text I received on my phone. Yes, I believe that hackers have my phone number from the Dark Web. How? There are numerous companies that have my contact information, and several of the larger companies had data breaches, such as T-Mobile, CafePress, LinkedIn, Android, Facebook… Those were just in 2021.

+1 (386) 297-5094

Message from Donald Trump Jr. -> I can't lie to you guys. This election is going to be a tough one so it is REALLY important we hear from you. We need you to take the Official 2022 Nationwide Census. Take 2 mins and get it done: https://winitback2022.org/r.wr?id=JW0FCe4l

ReplySTOPToEnd

This is why I believe it is a scam:

  1. The phone number: It is a phone number, not a 5-digit text number. It has a +1 in front of the number. And, when I looked up the number, it did not return a legitimate organization.
  2. The web site “winitback2022.org” was created on December 23, 2021.
  3. The web site is hosted by GoDaddy. Okay, that makes it appear to be more legitimate. But the domain registrant’s contact information has been withheld.
  4. The domain was registered by: Domains By Proxy, LLC. If you look them up, you will find they have a very bad rating with the BBB (Better Business Bureau).
  5. Finally, there is no Official 2022 Nationwide Census. The only official Census takes place every 10 years: 2000, 2010, 2020, 2030….

Again, don’t click any link in a text message. Don’t reply to a text message.

Next step, I will report it to GoDaddy as abuse.

Parcel Scam Alert

Below is a text I received on Christmas Eve, and it is a scam! Either they were phishing for information or worse:

+1 (402) 378-1378

Parcel Tracking: Hi, your package with tracking number ZZBURAHH is waiting for you to check the shipment address: spreadbrief.com/DemUgCq

It looked like it could have been legit, with a few problems:

  1. I never get text messages starting with +1. I believe that to use +1 the message was probably sent from another country.
  2. I have never seen a tracking number like “ZZBURAHH”. Personally, to me it sounds like “Brouhaha”.
  3. I was only expecting packages from UPS or USPS.

First, I did a web search on the number. The results did not return any legitimate businesses. If a legit company was going to text me, I would expect to find their business on the web searching by their phone number.

Next I used WHOIS to look up the domain and I found problems:

  1. The domain was created the same day the text was sent.
  2. The domain owner was in another country.
  3. Most of the contact information on the domain was redacted for privacy. If you look at a legit company’s domain registration, such as UPS, they provide a mailing address and phone number.

Lastly, I emailed the text to myself and reported it to the domain provider. On WHOIS an email address is provided to report abuse.

Recommendation: Never click on a link you receive in a text or email.