Hackers achieved an extremely rare feat by successfully taking over the operation of Mobile Commons, a legitimate bulk text messaging company that works with governments and progressive organizations to send public service announcements and alerts. The breach allowed the unauthorized party to push hundreds of thousands of scam texts to subscribers who had opted in to receive alerts from trusted sources, including New York state, the charity Catholic Relief Services, and a political organizing group. While routine text message scams from unknown numbers are common, gaining access to an existing, legitimate platform like this represents a significant escalation in cybercriminal activity.
Mobile Commons confirmed the incident, stating that an unauthorized third party gained illegal access to their platform through what they believe was a spear-phishing attack or similar social engineering method. The intruder’s access was active for approximately four hours before the activity was detected and shut down. During this time, multiple attempts were made to send spam messages, with a limited number of these malicious texts successfully reaching subscribers before the company’s security protocols intervened.
Organizations that send out mass text alerts rely on companies like Mobile Commons, which are vetted by the telecommunications industry to comply with federal guidelines. These companies are granted access to highly regulated, five- or six-digit short code phone numbers that are designed to send rapid bursts of millions of texts without being marked as spam. Despite the potential to cause mass panic with the hijacked platform, the hackers chose instead to deploy variations of a routine financial scam.
The scam messages reviewed by NBC News were sent from numbers associated with Mobile Commons’ legitimate clients. All the malicious texts referenced nonexistent transactions and urged the recipients to call the same 888 number, which has since been disconnected. While the specific nature of the messages was a common scam, the method of delivery—from a trusted, legitimate source—lent the scam an air of credibility.
This incident is part of a growing industry threat. The U.S. Short Code Registry, the industry nonprofit that maintains these specialized codes, sent an email to messaging platforms noting a “notable increase in attempts by unauthorized actors to initiate account takeovers (ATOs) and originate unwanted or illegal text messages using Short Codes.” The organization encouraged companies to strengthen their cybersecurity defenses in response to the increased targeting by hackers.