SMS-Based Authentication and Phishing Risks via Intercepted or Mass-Sent Text Links
Recent research highlighted systemic security and privacy risks created by sign-in/authentication links delivered over SMS, showing how easily such links and embedded personal data can be exposed and abused at scale. By observing public SMS gateway services (temporary numbers used to receive texts), researchers collected 332,000 unique SMS-delivered URLs extracted from 33 million texts sent to 30,000+ phone numbers, and reported that messages from 701 endpoints on behalf of 177 services exposed critical PII. The work underscores that SMS is unencrypted and that authentication links and sensitive details can persist in accessible stores or be captured through weakly protected SMS delivery ecosystems.
Greek police separately dismantled a criminal operation in the Athens area that used a rogue mobile base station (an “SMS blaster”) concealed in a car to push phishing texts to nearby phones. Authorities said the device coerced phones to connect and downgraded them from 4G to 2G, enabling collection of identifiers (e.g., phone numbers) and delivery of scam messages impersonating banks and courier firms with phishing links used to steal payment card data and conduct unauthorized transactions; investigators have tied the group to at least three fraud cases and indicated the suspects may be Chinese nationals. Together, the reporting and research illustrate how SMS-delivered links can be exploited both through passive exposure of messages/URLs and through active, proximity-based telecom impersonation to distribute credential- and payment-theft lures.

Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Investigators link Athens-area SMS blaster gang to at least three fraud cases
Authorities said the rogue base station was used to force nearby phones onto 2G networks, collect identifiers, and send phishing texts impersonating banks or courier companies to steal payment card data. Investigators linked the suspects to at least three fraud cases in Maroussi, Spata, and Athens, and the suspects were brought before a prosecutor.
Greek police stop suspects in Spata and uncover rogue cell tower
Greek authorities dismantled a mobile phishing operation in the Athens area after stopping suspects in Spata following reports of suspicious behavior. Police found forged identity documents and a fake cellular base station hidden in a car trunk, with a transmitter disguised as a shark-fin antenna.
Study finds 701 exposed SMS endpoints across 177 services
The researchers reported evidence that SMS-delivered authentication links could expose sensitive data at scale, identifying 701 endpoints across 177 services. They found messages and linked endpoints exposing critical personal information such as Social Security numbers, dates of birth, bank account numbers, and credit scores.
Researchers analyze SMS-delivered sign-in links at internet scale
Researchers from the universities of New Mexico, Arizona, and Louisiana, along with Circle, studied SMS authentication links using public SMS gateways and temporary numbers. Across 33 million texts sent to more than 30,000 phone numbers, they collected 332,000 unique URLs to assess how widely SMS-delivered links expose users.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
Millions of people imperiled through sign-in links sent by SMS - Ars Technica
arstechnica.com
Open sourceGreek police arrest scammers using fake cell tower hidden in car trunk | The Record from Recorded Future News
therecord.media
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.


