Can I track a fraudster?

People have probably never bought as many goods online as in the past months of the coronavirus pandemic. In some households the postman now rings every day. That is why quite a few people have clicked on links in SMS messages that promised them the arrival of another package. The messages land on the cell phone sometimes in German, sometimes in English. Sometimes they are riddled with errors, sometimes they simply say "Under Armor: Your package is on its way with UPS. Click here to track the package."

Some of those affected are currently receiving such messages in large numbers. The sender numbers look harmless enough: they start with 0176 or 0179, just like those of many other SMS messages. The SMS itself is of course not harmless, at least not if users follow the prompts in the text. It is a variant of the well-known phishing methods, tailored to text messages, that criminal hackers use to try to obtain users' bank details, for example.

So-called smishing occurs in waves, with ever new "contact contexts", as the police call them. Currently, the contact context is parcel delivery. This is perfidious not only because so many people are currently waiting for packages, but also because the names that appear in these SMS messages are mostly familiar ones. Almost everyone knows DHL or UPS. Some parcel service providers also send regular SMS messages.

Recently, mobile phone users have also been addressed personally

The latest wave began a few months ago, according to a Vodafone spokeswoman. A number of customers have contacted customer care for more information. The SMS messages are also well known to the Federal Office for Information Security (BSI). They are often distributed via the Android malware Flubot, which has been in circulation since November 2020. And the messages are not always worded impersonally: since Easter there have been cases in which mobile phone users are addressed personally. In addition to the text, the Flubot SMS messages contain a link to compromised websites. Android users can download the Flubot app via the link, for example in the form of a supposed FedEx or DHL app. Users of the Apple operating system, on the other hand, are redirected to advertising or phishing pages. Some users were also asked to download banking apps.

But a malicious app does not get onto the phone just like that. This is only possible if users explicitly confirm the installation of the app, according to the BSI. When that happens, mass SMS messages are usually sent from the user's own cell phone. The contacts stored on the device are also read out, which probably also enables the personal addressing in some SMS messages. What is particularly perfidious is that the apps can still look real after installation, as Alexander Vukcevic, head of the Avira Protection Lab, has observed. The app then shows, for example, DHL in red on a yellow background, which also gives those affected a feeling of security. If they open the app and grant it the rights it asks for, the app can no longer be removed in the normal way.

According to Vukcevic, behind Flubot is a banking trojan that tries to obtain login data and TAN numbers. The app is said to be able not only to track which apps are opened and to collect browser data, but also to log call data and SMS messages.

What those affected can do

A connection with the recently disclosed Facebook data leak, as is currently often suspected on social media, is not recognizable according to the Federal Institute. Vukcevic does not rule it out either. It is common practice to buy large amounts of stolen data on the Internet.

What should those affected do now if they have accidentally installed the app? Andreas Marx, head of AV-Test, a company specializing in IT security, advises smartphone users to first set their device to flight mode in order to prevent any communication between the fraudulent software and the Internet. They can then back up contacts and photos via a USB cable before, for example, resetting the cell phone to the factory settings. The BSI also recommends informing the mobile phone provider and filing criminal charges.