Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to intelligence
phishing-campaign-intelligenceidentity-authentication-vulnerabilitytelecommunications-sector-threatidentity-impersonation-fraud

SMS-Based Authentication and Phishing Risks via Intercepted or Mass-Sent Text Links

Updated 2d agoFirst seen Jan 22, 20262 sources

Recent research highlighted systemic security and privacy risks created by sign-in/authentication links delivered over SMS, showing how easily such links and embedded personal data can be exposed and abused at scale. By observing public SMS gateway services (temporary numbers used to receive texts), researchers collected 332,000 unique SMS-delivered URLs extracted from 33 million texts sent to 30,000+ phone numbers, and reported that messages from 701 endpoints on behalf of 177 services exposed critical PII. The work underscores that SMS is unencrypted and that authentication links and sensitive details can persist in accessible stores or be captured through weakly protected SMS delivery ecosystems.

Greek police separately dismantled a criminal operation in the Athens area that used a rogue mobile base station (an “SMS blaster”) concealed in a car to push phishing texts to nearby phones. Authorities said the device coerced phones to connect and downgraded them from 4G to 2G, enabling collection of identifiers (e.g., phone numbers) and delivery of scam messages impersonating banks and courier firms with phishing links used to steal payment card data and conduct unauthorized transactions; investigators have tied the group to at least three fraud cases and indicated the suspects may be Chinese nationals. Together, the reporting and research illustrate how SMS-delivered links can be exploited both through passive exposure of messages/URLs and through active, proximity-based telecom impersonation to distribute credential- and payment-theft lures.

Share:
SMS-Based Authentication and Phishing Risks via Intercepted or Mass-Sent Text Links
Stay ahead

Get ahead of threats like this

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.

EVENT TIMELINE

How this story unfolded

4 events from the most recent confirmed update back to the earliest known activity.

4 EVENTS
Jan 21, 20265mo ago

Investigators link Athens-area SMS blaster gang to at least three fraud cases

Authorities said the rogue base station was used to force nearby phones onto 2G networks, collect identifiers, and send phishing texts impersonating banks or courier companies to steal payment card data. Investigators linked the suspects to at least three fraud cases in Maroussi, Spata, and Athens, and the suspects were brought before a prosecutor.

Greek police stop suspects in Spata and uncover rogue cell tower

Greek authorities dismantled a mobile phishing operation in the Athens area after stopping suspects in Spata following reports of suspicious behavior. Police found forged identity documents and a fake cellular base station hidden in a car trunk, with a transmitter disguised as a shark-fin antenna.

Study finds 701 exposed SMS endpoints across 177 services

The researchers reported evidence that SMS-delivered authentication links could expose sensitive data at scale, identifying 701 endpoints across 177 services. They found messages and linked endpoints exposing critical personal information such as Social Security numbers, dates of birth, bank account numbers, and credit scores.

Researchers analyze SMS-delivered sign-in links at internet scale

Researchers from the universities of New Mexico, Arizona, and Louisiana, along with Circle, studied SMS authentication links using public SMS gateways and temporary numbers. Across 33 million texts sent to more than 30,000 phone numbers, they collected 332,000 unique URLs to assess how widely SMS-delivered links expose users.

LINKED ENTITIES

Related entities

Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.

3 LINKEDOpen in app
Organizations
3 linked
Recorded FutureNFACommsrisk
The operational view lives in Mallory

See the full picture, correlated to your attack surface.

This page covers what’s public. Mallory adds the parts that aren’t — which of your assets are affected, which threat actors are using it right now, which detections to deploy, and what to do next.
Exposure mapping

Map indicators from this story to your assets and identify affected systems in minutes.

Threat actor evidence

Every observed campaign, victim, and pivot linked to actors named in this story.

Associated malware

Malware, exploits, and IOCs connected to the activity described here.

Detection signatures

YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.

Scheduled alerts

Get matching new stories delivered to your team as they break — not the next morning.

AI threads

Ask questions about this story and take action on the answers.