Mobile network operator T-Mobile has warned its users about an unblockable smishing campaign that aims to steal their personal information and passwords, or install malware.
According to a BeepComputer report, T-Mobile warned its users after the company itself was alerted by the New Jersey Cybersecurity/Communications Integration Cell (NJCCIC), a branch of the Office of Homeland Security and Preparedness working on threat analysis cybersecurity and incident reporting.
The NJCCIC was approached by “multiple” customers, who had received group text messages claiming to be from T-Mobile. The message thanked the recipient for paying their bills on time and offered a free ‘gift’, to be claimed via the web link provided.
Group messages cannot be blocked
When clicked, the link redirects the user to a malicious website that aims to “steal account credentials or personal information, or install malware”.
The group message was sent to numerous random numbers, according to the NJCCIC, with victims being targeted “dozens of times” over a three-day period. Since these are bundled texts, the victims were unable to block the attacker.
The NJCCIC speculates that the smishing campaign was likely made possible due to previous data breaches affecting the mobile operator and millions of its users.
BeepComputer recalls that, over the past four years, T-Mobile has disclosed a total of seven data breaches.
In 2018, data belonging to 3% of the company’s customers was accessed. And a year later, T-Mobile exposed data belonging to some of its prepaid customers.
In 2020, meanwhile, T-Mobile employee email accounts were compromised, and phone numbers and call records were accessed by unauthorized third parties.
The past year was also not incident-free, with a threat actor compromising T-Mobile’s network through its test environment and using the stolen information to launch SIM-swapping attacks.
As usual, cybersecurity experts are urging people to deploy multi-factor authentication and security keys, and not click on links in emails and text messages from unknown senders.