Geekzone: technology news, blogs, forums
michaelmurfy
meow
13240 posts

Uber Geek

Moderator
ID Verified
Trusted
Lifetime subscriber

  #2786657 29-Sep-2021 21:48

alavaliant:
My point was about not putting all your eggs in one basket. I'd also be happy with doing banking on mobile IF the 2FA was exclusively handled on the computer (and I never banked on the computer handling 2FA). No matter how good the app is, if the app/phone is all you need to sign in then compromise of that single thing will give an attacker access to your banking details.

 

Not at all true and I personally work on one of the said apps for one of the big banks here in NZ.

 

The app basically asks for your credentials once and that is the initial setup phase, good apps should 2FA you somehow (whether it be over SMS, push notification to another device or ask you to phone the app). From here you connect to your bank via a token + API encrypted in the app itself using some secret sauce and your PIN / biometrics.

 

This is way more secure than logging in manually on your PC and also convenient too.

 

The app is designed in a way where the customer is the weakest link in the bank's security model. There is a whole lot of backend fraud checking I can't disclose the details of.

 

Seriously, install your bank's app. It is safer than logging in via a PC and as long as you don't disclose your internet banking password directly (e.g. using POLi or Account2account) then you're totally backed by your bank if you ever get compromised. Take it from me who has a very sound understanding of the technical details of most banking apps...





Michael Murphy | https://murfy.nz
Opinions are my own and not the views of my employer.




alavaliant
222 posts

Master Geek

Subscriber

  #2786685 29-Sep-2021 22:34

michaelmurfy:

alavaliant:
My point was about not putting all your eggs in one basket. I'd also be happy with doing banking on mobile IF the 2FA was exclusively handled on the computer (and I never banked on the computer handling 2FA). No matter how good the app is, if the app/phone is all you need to sign in then compromise of that single thing will give an attacker access to your banking details.

 

Not at all true and I personally work on one of the said apps for one of the big banks here in NZ.

 

The app basically asks for your credentials once and that is the initial setup phase, good apps should 2FA you somehow (whether it be over SMS, push notification to another device or ask you to phone the app). From here you connect to your bank via a token + API encrypted in the app itself using some secret sauce and your PIN / biometrics.

 

This is way more secure than logging in manually on your PC and also convenient too.

 

The app is designed in a way where the customer is the weakest link in the bank's security model. There is a whole lot of backend fraud checking I can't disclose the details of.

 

Seriously, install your bank's app. It is safer than logging in via a PC and as long as you don't disclose your internet banking password directly (e.g. using POLi or Account2account) then you're totally backed by your bank if you ever get compromised. Take it from me who has a very sound understanding of the technical details of most banking apps...

 

 

That might be the case, but since I don't have access to verify any of the internals of how the app works, I'm personally not inclined to be 100% trustful of it. I spend a lot of time working with both closed source and open source software. I'm happier with my Linux computer stack which I knew in detail vs the internals of Android which has a lot more binary-only components on most standard phones which I can't verify.

halper86
547 posts

Ultimate Geek

ID Verified

  #2786695 29-Sep-2021 23:16

alavaliant:
That might be the case, but since I don't have access to verify any of the internals of how the app works, I'm personally not inclined to be 100% trustful of it. I spend a lot of time working with both closed source and open source software. I'm happier with my Linux computer stack which I knew in detail vs the internals of Android which has a lot more binary-only components on most standard phones which I can't verify.

Can you really trust your bank at all then? How can you trust their back end systems when you don’t have faith in their front end systems?
You can’t ‘verify’ their back end systems as these are both commercially sensitive and a security concern if you were to.



michaelmurfy
meow
13240 posts

Uber Geek

Moderator
ID Verified
Trusted
Lifetime subscriber

  #2786696 29-Sep-2021 23:32

alavaliant: That might be the case, but since I don't have access to verify any of the internals of how the app works, I'm personally not inclined to be 100% trustful of it. I spend a lot of time working with both closed source and open source software. I'm happier with my Linux computer stack which I knew in detail vs the internals of Android which has a lot more binary-only components on most standard phones which I can't verify.

 

It is clear I am not going to win you over and this is where I don't know if you're just trolling or naive...

 

Your bank will never make any portion of its source code open source because it is money on the line. You're also already trusting your bank to keep your money secure and they've got an app to make your life easier to connect you to said money that they already know has the chance to run on a compromised device. And I am still going to say (being a Linux user myself) I would actually trust the app running on my phone more than using Internet Banking on my computer where I've got extensions running on my browser. I fully bet you have not reviewed the source code of every kernel module, or your web browser, or even the software running on your router or rest of the network.

 

Anyway we're off topic now but you're now just being silly and really need to remove your tinfoil hat right now. I can fully bet you have logged into internet banking using your phone's web browser which is way, way worse than using the app if you were wanting to not get compromised. Your bank also has no need to spy on you - they've already got all your financial data including where you spend your money...







alavaliant
222 posts

Master Geek

Subscriber

  #2786742 30-Sep-2021 07:28

michaelmurfy:

alavaliant: That might be the case, but since I don't have access to verify any of the internals of how the app works, I'm personally not inclined to be 100% trustful of it. I spend a lot of time working with both closed source and open source software. I'm happier with my Linux computer stack which I knew in detail vs the internals of Android which has a lot more binary-only components on most standard phones which I can't verify.

 

It is clear I am not going to win you over and this is where I don't know if you're just trolling or naive...

 

Your bank will never make any portion of its source code open source because it is money on the line. You're also already trusting your bank to keep your money secure and they've got an app to make your life easier to connect you to said money that they already know has the chance to run on a compromised device. And I am still going to say (being a Linux user myself) I would actually trust the app running on my phone more than using Internet Banking on my computer where I've got extensions running on my browser. I fully bet you have not reviewed the source code of every kernel module, or your web browser, or even the software running on your router or rest of the network.

 

Anyway we're off topic now but you're now just being silly and really need to remove your tinfoil hat right now. I can fully bet you have logged into internet banking using your phone's web browser which is way, way worse than using the app if you were wanting to not get compromised. Your bank also has no need to spy on you - they've already got all your financial data including where you spend your money...

 

 

Given you seem mainly inclined to insult me and call me a tinfoil loonie for preferring software that can be independently verified over just trusting that an unverified binary blob is totally secure, I don't see any point trying to continue this conversation. I'd just note that some of the encryption software that is considered the most secure is software where the source is available and has been audited by multiple independent security firms. And no, I've never ever logged into internet banking using my phone's web browser - that would be putting both my login password and 2FA on the same device, the very thing I said at the start I'm fully against.

freitasm
BDFL - Memuneh
79250 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #2787732 1-Oct-2021 16:13

From DIA:

 

 

Te Tari Taiwhenua Department of Internal Affairs (DIA) has identified new versions of the Flubot scam text message identified yesterday.

 

The new version of the message suggests that the sender has copies of a person’s photos or is attempting to share images. If the link is clicked, users will be directed to a fake security alert webpage which indicates that your phone is infected with the Flubot malware and you should install a security update to fix the device.

 

This is the same scam which has been warning people about missed deliveries and people should not install or download any applications. If installed, the app will use malware to steal personal information from your phone including banking details, passwords, and other sensitive information.

 

The app then accesses your contacts and sends their details to the perpetrators of the scam and sends additional text messages from your device to other people's contacts, further spreading the scam.

 

If you receive a text from an unknown sender or a text with a suspicious hyperlink, do not click any links included in the message. Simply report the text spam for free on your phone by forwarding the spam text message to 7726.

 

DIA are continuing to see high volumes of reports from the public about the large-scale ‘Flubot’ text message scam.

 

“In the past 48 hours we have received over 58,000 reports of the scam” said Joe Teo, Manager of the Digital Messaging and Systems Team. “Thank you to everyone who has reported the scam to us so far. Your reports provide vital information which help us to reduce the spread of the scam campaign”.

 

If you receive a pop-up message saying that forwarding the message “may incur a fee”, you will not be charged for forwarding the message to us. DIA will contact you with details on how to complete a report.

 

“If you have been a victim of this or any other scam, it can be extremely distressing. It’s important to remember that scams like this are a crime and by reporting it you can help us stop it from happening again – to you or other people”

 

“We encourage everyone to talk to both young and vulnerable people to ensure they’re aware of this scam” said Teo.

 

If you have already downloaded the app, do not log into any accounts until you have taken the following steps:

 

  • Perform a factory reset on your device as soon as possible. When you start up your device after the reset, it may ask you if you want to restore from a backup. Do not restore from any backups created after you downloaded the app, as they will also be infected.
  • Change your passwords to any accounts or apps that you logged into after downloading the app.

For more information about preventing malicious software from infecting your device or advice on what to do if you have become a victim of a malware scam, contact CERT NZ at cert.govt.nz or call 0800 2378 69.

 

 

 

 

From CERT NZ (FluBot malware Infecting Android Phones | CERT NZ):

 

 

FluBot malware is being spread through text messages on Android phones and is currently affecting New Zealanders. The text messages are about a parcel delivery pending or been missed, with a link to a delivery service website. Some texts are now claiming that photos of the recipient have been uploaded and they can be viewed by clicking on the following link. This is the same scam with the message worded slightly differently.

 

If you have received the texts this does not mean your device has installed the malware.

 

Do not click on the link. If you do, it will ask you to install the application for the delivery service or to install a security update, both of which are actually a malicious app. Clicking the link without installing an application or security update does not infect the device with FluBot malware.

 

The application attempts to steal your banking and credit card information as well as your contact list, which it uploads to a server to continue spreading itself. Once a device has been infected with this malicious app it can result in significant financial loss.

 

Given that the wording of these texts has changed within a short timeframe, it is likely the wording will change again. Be wary of any suspicious text messages you receive, asking you to click on a link, and forward any new suspicious texts to 7726.

 

 

 







alasta
6703 posts

Uber Geek

Trusted
Subscriber

  #2787758 1-Oct-2021 17:43

So, victims are advised to factory reset their phones and not restore any recent backups? I guess that means most people affected by this will suffer total data loss as a result!


 
 
 

halper86
547 posts

Ultimate Geek

ID Verified

  #2787770 1-Oct-2021 18:29

I have been in contact with an individual affected. They have reset their phone and are still uncertain as to whether they are all clear. They informed me that their phone records show that the malware sent over 5000 texts within a day.

K8Toledo
1014 posts

Uber Geek


  #2801382 26-Oct-2021 14:04

freitasm:

 

From CERT NZ (FluBot malware Infecting Android Phones | CERT NZ):

 

 

 

FluBot malware is being spread through text messages on Android phones and is currently affecting New Zealanders. The text messages are about a parcel delivery pending or been missed, with a link to a delivery service website. Some texts are now claiming that photos of the recipient have been uploaded and they can be viewed by clicking on the following link. This is the same scam with the message worded slightly differently.

 

If you have received the texts this does not mean your device has installed the malware.

 

Do not click on the link. If you do, it will ask you to install the application for the delivery service or to install a security update, both of which are actually a malicious app. Clicking the link without installing an application or security update does not infect the device with FluBot malware.

 

The application attempts to steal your banking and credit card information as well as your contact list, which it uploads to a server to continue spreading itself. Once a device has been infected with this malicious app it can result in significant financial loss.

 

Given that the wording of these texts has changed within a short timeframe, it is likely the wording will change again. Be wary of any suspicious text messages you receive, asking you to click on a link, and forward any new suspicious texts to 7726.

 

 

 

 

More examples (Skinny):

 

According to Google the 0210 number originates from India.

 


Yetti92
62 posts

Master Geek


  #2829090 9-Dec-2021 08:29

Anyone else getting slammed with similar scam texts again in the last few weeks? I've given up on using the Samsung Messenger app and gone to Google Messages, as it better filters the 5-6 spam texts a day I get from NZ numbers with dodgy links again. Been forwarding them on to the DIA on 7726 but they keep coming, for the last 3 weeks non-stop. Sometimes I'm getting these texts in the middle of the night, which is a pain.

