
Prolific 'Darcula' messaging scammers who have hit thousands of Kiwis and users worldwide exposed

A Darcula-style phishing text received by the author. The website link no longer works

Thanks to thorough work by dogged security experts, and journalists in Norway, we now have a clearer picture of how advanced and effective today’s scamming operations are, and their enormous scale. They reach every part of the world, including New Zealand.

A recent investigation by Norwegian security vendor Mnemonic and the Norwegian Broadcasting Corporation (NRK) revealed a large and sophisticated China-based operation, called Darcula, which develops software for scammers to use.

The scam, or “smishing”, technique developed by Darcula involves sending text messages to victims that look like they are from legitimate entities such as postal and courier organisations, or toll payment reminders.

Messages reach users via the plain old short messaging service (SMS) on phones, Apple iMessage, the newer Rich Communications Services (RCS) and WhatsApp.

Lists from scammers’ Telegram chat groups found by Mnemonic show that fake NZ Post and the New Zealand Transport Authority (NZTA) sites were used by the scammers, along with telco One NZ.

Mnemonic and NRK got deep into the scam operation, and discovered absolutely mind-boggling numbers. More than 13 million people clicked on links in the scam texts during seven months in 2023 and 2024.

In New Zealand, over 59,000 people clicked on the links. As people entered information into the site, scammers collected 10,755 valid payment cards, with 1410 of them also having two-factor and multi-factor authentication (MFA) codes captured.

Those MFA codes enable the scammers to add the card to digital smartphone wallets such as Apple Pay and Google Pay, which can then be used for purchases without PINs.

Powering the scams is the Magic Cat software developed by a Chinese company. A licence for Magic Cat costs around NZ$250 a week. Mnemonic counted over 600 scam operators sending out messages.

Darcula and other phishing-as-a-service operations continue to hone and refine their deception techniques, Paul Brislen, the chief executive of the New Zealand Telecommunications Forum (TCF), said.

“Some scammers are highly sophisticated, even up to the point of offering small refunds to earn a victim’s trust. Once they have that, they’ll call the victim to report ‘another problem’ and ask the customer to send them a code they will generate,” Brislen said.

“This is typically the MFA code the bank sends to ensure you know you’re about to transfer money. Once the victim shares that code the transfer goes ahead, typically for a vastly larger sum than the original refund,” Brislen added.

Brislen advises against clicking on links in text messages. He is aware, however, that some companies continue to send messages with links in them, and would like to see an end to that risky practice.

Joe Teo, of the Department of Internal Affairs’ Digital and Messaging anti-scam team, confirmed the Darcula scammers remain very active.

Read the NRK two-part investigation, and the technical details of the scam as uncovered by Mnemonic. It’s quite the story.


3 Comments

Pointing out to people that their cellphone number is not linked to their car's number plate should help, especially not their company car's number plate. But when they ask the same question a couple of weeks later it becomes obvious why people get scammed.


That is a good point.


The TXT messages I've seen don't even have the number plate number.
