Tag: SMS Fraud

An SMS fraud adventure

A few of us began receiving SMS based fraud messages over the last few months. Covid-19 related fraud, HSBC overdraft fraud, Royal Mail related fraud amongst others. One in particular was very persistent and it seemed that everyone I spoke with was on the recipient list. Obviously the next step here is to forward the SMS to 7726 (which presented a few challenges, see *footnote below). However, I began wondering if I could to get the fraudulent website taken down myself… well… Challenge accepted!


Private Eye

After a little investigation it actually turned out to be incredibly easy.

Step 1. Identify the DNS provider for the domain.
I used https://mxtoolbox.com/Whois.aspx and I simply searched for the website mentioned in the fraud SMS.

That gave me the name of the DNS provider used by the fraudsters. The DNS provider manages domain names such as website addresses for innocent customers and inadvertently, criminal customers.

In the information returned, you’ll need to look for the “abuse” email address to contact if domains they host are being abused – e.g. used for crime.

Step 2. Email the DNS provider, advising them of the website and the issue and ask them to investigate and take the site down.

Example mail:

Hi,

This website DNS is hosted by you :
<insert website URL>
Your customer is sending fraudulent SMS messages to UK residents directing them to this website. The site is being used illegally by your customer to take money and information fraudulently from UK residents.
Please investigate and take the website down.

Thanks!

So.. I sent the mail off the their abuse team and waited..

POW!

By the end of the day the fraud site was inaccessible! (Very satisfying).

Next day I had another SMS with a new fraud URL (linking back to that same website), so took a minute out of my day to check the DNS provider and email them again.

BAM!
Site down again within a few hours!! (ok this is fun)

Later on they seemed annoyed and sent four more SMS one after another, with two new URLs, but same website again…

ZAP!

Got those taken down too!!! (‘k, this is worth a blog post)


Its four days down the line now and no more SMS messages have turned up but if I get any more I’ll still report them, but then try to get the site out of action as fast as possible by contacting their provider directly.


So the point of telling you this is really to show that we are not powerless. We don’t have to just accept fraud, phishing etc. through SMS and Email. Although we’ve received it, we need to push back and report it when we can, so that others don’t get affected.

So I make a request now to you all.

Check out the excellent NCSC guidance here and then help others understand how to spot the tell-tale signs and what to do next.

If you do get a fraud SMS, don’t just delete it, follow the official guidance above and report it, but once that’s done you can also have a go for yourself, and may get the same sense of satisfaction of seeing the site taken down a lot more quickly...

And if you don’t have the time, by all means name the site in the comments and we’ll give it a go for you.

*footnote.

After receiving the SMS I duly reported by forwarding to 7726, only to receive a response saying that the message was undeliverable! A quick search revealed it’s a common experience (and something to look into later).

Not one to be put off, I figured I’d assemble the details into an email, remembering to include the URL of the fraudulent website and sent that off to report@phishing.gov.uk

Ironically Google mail rejected my email, presumably because it contained the very phishing URL I was trying to report!! (hopefully Google completes this circle for us by reporting these blocked malicious URLs to NCSC – would be nice to see some public reassurance about that though). However the dodgy website was still up and I was continuing to receive the same SMS messages.

Eventually I sent a screen shot of the SMS to report@phishing.gov.uk and that successfully went through without setting off any Google alarms and had a nice confirmation email from NCSC.