Massive ‘Parcel Delivery’ SMS Scam Campaign Hits UK

The National Cyber Security Centre (NCSC) has warned of a scam campaign affecting Android smartphones that can steal banking details another sensitive data.

The scam is carried out via text messages that appear to be from a delivery firm, and ask the user to install software to track a parcel.

Instead, the package installs the Flubot malware, which tries to steal banking and other information.

Flubot can also intercept text messages in order to receive one-time passwords from banks and forward them to the attackers.

A scam text message spreading Flubot. Image credit: Vodafone

Phone number theft

The malware furthermore forwards user’s list of contacts to the scammers’ control centre so that it can be targeted by further messages.

Security researchers and mobile phone network operators said the Flubot scam messages began targeting UK users on a massive scale late last week.

“We believe this current wave of Flubot malware SMS attacks will gain serious traction very quickly, and it’s something that needs awareness to stop the spread,” Vodafone said in a statement.

The operator warned that users should be “especially vigilant” with the malware and should be wary of clicking on any links in a text message.

The messages have been sent to millions of users on all networks, Vodafone said.

In an alert on Twitter, Vodafone posted an image of the suspect text message and advised users to forward suspicious messages to 7726 to report them, then to delete them.

EE, Three and other UK networks issued similar warnings.

A scam web page used to spread the Flubot malware. Image credit: Paul Morrison

Scam URLs

The NCSC said there are steps users can take even if they have already fallen for the scam.

“If users have clicked a malicious link it’s important not to panic – there are actionable steps they can take to protect their devices and their accounts,” the agency stated.

Security researcher Paul Morrison said in an advisory the malware uses a wide range of scam URLs that are embedded in the text message.

When visited by an Android device, they display a page appearing to be that of a delivery courier, such as DHL or FedEx, with instructions on how to download and install a parcel-tracking app.

Installing apps outside the official Google Play Store is disabled by default, but users can enable the process in their settings.

Morrison said the complex process is likely to lead to a low success rate, but that with the number of SMS messages being sent out “just a 0.1 percent success rate could be very profitable”.

In a study of Flubot published in early March, Swiss computer security firm Prodaft found that Flubot had already infected more than 60,000 devices and stolen more than 11 million phone numbers.

Phone number theft

Prodaft noted that 11 million is 25 percent of the entire population of Spain, the country that Flubot was targeting at the time.

“We estimate that the malware is capable to collect almost all phone numbers in Spain within six months’ time if no action is taken,” the company’s researchers wrote.

Prodaft noted that the use of stolen contact lists to send the malware via SMS messages was a novelty distinguishing it from other banking malware.

It said the malware’s spreading techniques and its algorithm for generating malicious domains make Flubot “almost impossible” to block using existing techniques.

Flubot has since spread to countries including Germany, Poland and Hungary before arriving in the UK.

Morrison said that while tools exist for removing the malware, he recommends backing up important data and resetting the affected device to factory settings.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

X’s Community Notes Fails To Stem US Election Misinformation – Report

Hate speech non-profit that defeated Elon Musk's lawsuit, warns X's Community Notes is failing to…

2 days ago

Google Fined More Than World’s GDP By Russia

Good luck. Russia demands Google pay a fine worth more than the world's total GDP,…

2 days ago

Spotify, Paramount Sign Up To Use Google Cloud ARM Chips

Google Cloud signs up Spotify, Paramount Global as early customers of its first ARM-based cloud…

4 days ago

Meta Warns Of Accelerating AI Infrastructure Costs

Facebook parent Meta warns of 'significant acceleration' in expenditures on AI infrastructure as revenue, profits…

4 days ago

AI Helps Boost Microsoft Cloud Revenues By 33 Percent

Microsoft says Azure cloud revenues up 33 percent for September quarter as capital expenditures surge…

4 days ago
  翻译: