Hackers on Monday hijacked a mass text messaging service, pushing hundreds of thousands of scam texts to people who subscribe to alerts from New York state, a Catholic charity and a political organizing group.
While text message scams from unknown numbers are common, it’s extremely rare for cybercriminals to successfully take over an existing, legitimate bulk text messaging operation.
Mobile Commons, the company that was hacked, works with local and state governments and progressive organizations to send out public service announcements and fundraising texts.
In a statement, the company said: “On the evening of Monday, November 10th, an unauthorized third party gained illegal access to our platform through what we believe was a spear phishing attack or similar social engineering method. The intruder’s access was active for a four-hour period ending at 12:10 AM on November 11th before being detected and removed. During this time, multiple attempts were made to send spam messages through our system. A limited number of these messages reached subscribers before our security protocols identified and shut down the malicious activity.”
Organizations that give people the option to receive alerts through text messages often hire companies like Mobile Commons, which are vetted by the telecommunications industry to operate in compliance with federal guidelines and have access to so-called short code phone numbers. Those numbers are five or six digits long and tightly regulated so they won’t be marked as spam when they rapidly send bursts of hundreds of thousands or millions of texts.
In an email sent to messaging platforms Thursday and viewed by NBC News, the U.S. Short Code Registry, an industry nonprofit that maintains those codes in the U.S., said that the industry is under increased attack from hackers.
“Our monitoring teams have detected a notable increase in attempts by unauthorized actors to initiate account takeovers (ATOs) and originate unwanted or illegal text messages using Short Codes,” the email said. It also encouraged those companies to take basic steps to protect their cybersecurity. The Short Code Registry did not respond to a request for comment.
While breaking into Mobile Commons could have allowed the hackers to send messages designed to cause mass panic, they instead sent variations of a routine scam.
NBC News reviewed scam messages that people received from numbers associated with three Mobile Commons customers: New York state, the charity Catholic Relief Services and the political organizing group Fight for a Union, which helped promote the “No Kings” protests. All three scam texts referenced nonexistent transactions, urging users to call the same 888 number that appears to have been linked to the scam. That number is now disconnected.

Mobile Commons said it doesn’t believe that customer or subscriber data was accessed through its databases. But it remains unclear whether anyone suffered financial harm through the scam.
While Mobile Commons declined to share how many people received the scam message, a spokesperson for the state of New York’s Office of Information Technology Services told NBC News that around 188,000 people get text messages from the state and that around 160,000 received the scam text.
Separately, an industry source familiar with the incident told NBC News that one of the major American telecommunications companies saw more than 70,000 texts associated with those organizations on Monday, most of them from the number used by Fight for a Union. It’s rare for more than 10,000 messages to go out from those numbers in a day, the source said.
The spokesperson for New York’s Office of Information Technology Services and a spokesperson for Catholic Relief Services confirmed to NBC News that they were Mobile Commons customers and did not authorize the scam messages.
Fight for a Union did not respond to requests for comment.

