"homemade mobile antenna" - advice to mitigate?

zzz

I ran across this article:

Two people arrested in connection with investigation into homemade mobile antenna used to send thousands of smishing text messages to the public
Officers have made two arrests in connection with an investigation into the use of a “text message blaster”, believed to have been used to send thousands of smishing messages, posing as banks and other official organisations, to members of the public.
In what is thought to be the first of its kind in the UK, an illegitimate telephone mast is believed to have been used as an “SMS blaster” to send messages that bypass mobile phone networks’ systems in place to block suspicious text messages.
https://www.cityoflondon.police.uk/news/city-of-london/news/2024/june/two-people-arrested-in-connection-with-investigation-into-homemade-mobile-antenna-used-to-send-thousands-of-smishing-text-messages-to-the-public/

Does anyone have knowledge about how these devices might work and how to mitigate?
Is Google's RCS also vulnerable to this kind of thing?

Very unsettling that SMS is so essential to so many, yet so vulnerable.

PaulDavis

"....... to send messages that bypass mobile phone networks’ systems in place to block suspicious text messages."

But then it tells you to report it to your operator so they can ban it.
Uhh, which part of the phrase " bypass mobile phone networks’ systems" did they fail to understand?

GlytchMeister

I don't think Google RCS operates fundemantally on mobile data or SMS transmission systems. It's an internet service AFAIK.

As for how to avoid this:

Avoid SMS entirely. If that's impossible, avoid SMS 2FA and don't tell companies to text you, and don't interact with their texts if they do it anyway.

If that's also impossible for you (which is entirely reasonable)... Be smart and careful.

If you aren't expecting a message, don't open it. This doesn't work on every attack, but it helps.

If you are expecting a message, and it has a link, don't click or copy/paste it. Its a pain, but manually type it into a notes app and copy/paste THAT to ensure you don't get hoodwinked by weird Unicode symbols/characters in the URL that look like regular letters but aren't and thus direct you to a spoof website.

Trust me, they can be deceptively close in appearance, especially in certain fonts.

At least, that's what my infosec training course about phishing at work said. I'm not entirely sure if weird Unicode characters can be used in URLs.

And finally, if they seem to be in a big hurry or are saying its a big problem, be extra careful, because that is a tactic used to throw you off guard by making you rush.

GlytchMeister

I'm not sure if VOIP XMPP phone numbers are protected from this. It makes sense in my head but I'd wait for confirmation from someone more knowledgeable than I.