web application security lab

Key Point SMiShing

Yesterday, my girlfriend got a SMiShing text to her phone against Key Point Credit Union. The obvious tip-off that this was an attack was that she doesn’t have an account with Key Point, not to mention the other clues. This is the first instance of it in the US I’ve heard of, although I’d be surprised if this was the first example of it. The number it was from was 905-392-8040. Unlike normal phishing though, it’s much harder to report the issue. Most people wouldn’t have the first clue how to log, forward or respond to the SMiShing attack.

Dear Key Point Credit Union Customer, we regret to inform you that we had to lock your bank account access. Call 800-482-0452 to restore your bank account.

Just another thing to be worried about. I have no idea what the lift on SMiShing attacks is compared to their online variants, but it’s an interesting phenomenon. Since email addresses of SMSs are fairly easy to predict, it’s fairly simple to re-purpose spam gateways that are designed exactly for this purpose. The only trick is gathering enough mobile phone numbers.
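As an added example (not part of the original post): one way to log reported SMiShing texts so that variants of the same message are grouped together even when the callback number changes. The report labels, the third sample message and the 0.85 similarity threshold are assumptions made for the example.

```python
import re
from difflib import SequenceMatcher

# Ten-digit North American numbers, written as 800-482-0452 or 8888742461.
PHONE_RE = re.compile(r"\b\d{3}[-. ]?\d{3}[-. ]?\d{4}\b")

def template_of(text):
    """Lower-case the text, mask phone numbers and collapse whitespace."""
    masked = PHONE_RE.sub("<PHONE>", text.lower())
    return " ".join(masked.split())

def callback_numbers(text):
    """Return the callback numbers in a message as bare digit strings."""
    return {re.sub(r"\D", "", m) for m in PHONE_RE.findall(text)}

def cluster_reports(reports, threshold=0.85):
    """Group (label, text) reports whose masked templates are near-identical.

    threshold is an assumed similarity cut-off, not a tuned value.
    """
    clusters = []
    for label, text in reports:
        tpl = template_of(text)
        for c in clusters:
            sim = SequenceMatcher(None, c["template"], tpl, autojunk=False)
            if sim.ratio() >= threshold:
                c["numbers"] |= callback_numbers(text)
                c["reports"].append(label)
                break
        else:
            clusters.append({"template": tpl,
                             "numbers": callback_numbers(text),
                             "reports": [label]})
    return clusters

# Sample input: the first two texts are the ones quoted on this page; the
# labels and the third, unrelated message are constructed for the example.
REPORTS = [
    ("report-1", "Dear Key Point Credit Union Customer, we regret to inform you that we had to lock your bank account access. Call 800-482-0452 to restore your bank account."),
    ("report-2", "Dear Key Point Credit Union Customer, we have to inform you that we had to lock your bank account access. Call 319-722-0016 to restore your bank account."),
    ("report-3", "Your parcel is ready for pickup, thanks for shopping with us."),
]

if __name__ == "__main__":
    for c in cluster_reports(REPORTS):
        print(len(c["reports"]), sorted(c["numbers"]), c["template"][:50])
```

Masking the number before comparing is what lets the two Key Point variants fall into one cluster; the set of callback numbers per cluster is then the list to hand to the carrier or the impersonated institution.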

15 Responses to “Key Point SMiShing”

  1. kanedaaa Says:

    Did you call this number?
    On the keypoint site there is an article about vishing from 2006:
    http://www.keypointcu.com/keypoint.cfm?tn=newsevents&menuid=74&navids=7,74&id=36

  2. ChrisP Says:

    I received the same SMS yesterday afternoon. Obvious phishing attempt, but definitely “interesting”. Here’s the full text of the SMS:

    Dear Key Point Credit Union Customer, we regret to inform you that we had to lock your bank account access. Call 800-482-0452 to restore your bank account.

    I’m guessing there’s a “social engineer” at the other end of the line probably waiting for prey.

  3. - R | s | n G - Says:

    It’s scam.

    In my country it’s a norm for that kind of sms scam. Usually names of big companies are being used. Example, like american idol, u got sms says u won their jackpot or something from smsing the american idol contest, then when u call, that person ask to bank in money to process the money as a requirement to get the prize.

    lol…

  4. nm Says:

    brute forcing the numbers not viable?
    07 (loop 9 digits) @ provider.(com, org, co.uk, etc.)

  5. Owen Says:

    @nm most sms gateways (at least the ones I’ve worked with) have limits or some sort of captcha that will limit the rate that you can send them. Maybe with a captcha breaking system it would be possible.

  6. Natasha Trotsky Says:

    The 800 number matches this web site:
    http://www.safeandfastlocksmith.com/
    ?

  7. dusoft Says:

    I would go for just guessing the numbers by using increments. You can skip gold and silver numbers, also numbers starting with zero, so this gives you a limited group of numbers that could be used for SMiShing… this is just much easier than guessing email addresses. You just increment and done… hopefully, we won’t see much of these.

  8. Awesome AnDrEw Says:

    Never received anything quite that exciting on any of my phones other than a “message from Jesus, your lord and savior”, a Spanish service, and the occasional adult website SPAM.

  9. Log0 Says:

    Heard of that it is quite a rarity in the States. On the other hand, SMS spam is very common in China, almost enough to make a good market for spam filtering.

    But like you said, no really good idea how to log or report them, even if you know it’s a phishing attempt.

  10. shannon Says:

    Yeah. I’ve gotten this message twice now. I know it’s a scam, but I called the 800 number the second time. It rings forever then takes you to an automated system. It says “to reactivate your account, press 1”. When you do it immediately asks for the credit card number you are trying to “reactivate”. Pretty clever scam. Hope no one falls for it. What will they think of next…

  11. Aardvark Says:

    First time I’ve encountered this kind of scam. My scenario was identical to that described above by “shannon”. The number I was told to call to “reactivate my account” was 440-448-4830. I pity the occasional (hopefully) random victim who really DOES have an account with Key Point. They might just be sucked in.

  12. Suzanne Says:

    FYI - I received the same text message from a VerondaEngelke@pombity.com. Here’s the full text:

    Dear Key Point Credit Union Customer, we have to inform you that we had to lock your bank account access. Call 319-722-0016 to restore your bank account.

    The scammers didn’t use the 800 number. The area code is in Iowa and I live in California. I knew it was a scam because I don’t have a Key Point CU account. I didn’t bother calling it.

    I just wanted to get another phone number out there so hopefully no one falls for the scam.

  13. Owen Says:

    I see another scam coming along for people to stop the spam messages. They then use those services like that are here in the US that when you text certain number to a phone number you get billed for it.

  14. tom Says:

    It says “to reactivate your account, press 1”. When you do it immediately asks for the credit card number you are trying to “reactivate”.

  15. lyn Says:

    I got 2 keypoint sm’s this morning as well. I have never even heard of keypoint as a company. I live in CA.

    It said my account was locked and to call 8888742461. I knew it was a scam but I wanted to see what the number would lead to. I called from a blocked land line, and the call wouldn’t go through.

    It’s interesting that it’s been years and this scam is still active.