Often, when a subscriber installs an app on their smartphone, the requested permissions are not reviewed properly, especially if the app offers an attractive way to solve time-sensitive, money-related issues: a pending payment on a credit card, a late electricity bill, etc. The opportunity to solve financial problems like these instantaneously can be a tempting prospect to some users, and may cause them to accept invasive terms and conditions without thinking when downloading loan apps onto their device. This is the case with a payday loan scam in Mexico, where a criminal group posing as a legitimate financial entity is targeting mobile subscribers with SMS messages offering loans.
Anatomy of payday loan scams
The way payday loans normally work is a borrower receives a small amount of money instantly, with no major requirements attached, which they must pay back within a short window of time or on their next payday. Predictably, scammers have jumped at the opportunity to take advantage of these schemes to defraud individuals. Threat actors masquerading as financial groups have been using SMS messages to target Mexican subscribers with loan offers in an attempt to extract funds from victims. With this scam, the loan offers are often (though not always) fulfilled, but the victim will be coerced into making a high loan repayment, or into repaying the loan in a tighter timeline than agreed. Typical examples of these messages are displayed below:
<Prestamos XXX>Ha conseguido un prestamo de 50,000 pesos con bajo interes.Haga click a http://xxxxxx.top/abcd para recibir que se depositan en 5 mins.
Translation: <Loans XXX>You got a 50,000 pesos loan at a low interest rate. Click on http://xxxxxx.top/abcd to receive a loan that will be transferred in 5 mins.
Estimado cliente, felicidades, paso la revision, el monto es de 3,0000 pesos, haga clic para descargar y retirar dinero de Google Play: https://abcd.cc/9RT3Aio
Translation: Dear customer, congratulations, you have a loan approved, the amount is 3,0000 pesos, click to download and withdraw money from Google Play: https://abcd.cc/9RT3Aio
Buenas tarde! todo ha sido aprobado!Ahora simplemente haz clic en "Recibir el dinero" para recoger tu dinero 8000 pesos:https://bit.ly/abcd
Translation: Good afternoon! Everything has been approved, now simply click on "Receive the money" to pick up your 8000 pesos:https://bit.ly/abcd
If we break down the contents of the above messages, we can observe three commonalities that can help identify a payday loan scam:
- A company name, especially one that includes buzzwords like ‘loan’, ‘cash’, ‘easy’, ‘now’ or any other phrase that attempts to present a quick or easy money option.
- Advertisement of extremely attractive interest rates and/or rapid loan approval.
- Redirection to an Android app – URL shorteners are generally used to link to the download page for the designated app in the Google Play Store.
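The three indicators above can be turned into a simple message filter. The following is an added example, not AdaptiveMobile's detection logic: the Spanish keyword list, the lure phrases, and the host and TLD sets are assumptions built from the sample messages quoted in this article.

```python
import re
import unicodedata

# Buzzwords named in the article, plus Spanish equivalents (an assumption).
BUZZWORDS = {"loan", "cash", "easy", "now",
             "prestamo", "prestamos", "dinero", "efectivo", "facil"}
# Phrases for attractive rates or rapid approval (constructed list).
LURES = [r"bajo interes", r"low interest", r"aprobado", r"felicidades",
         r"paso la revision", r"\b\d+\s*mins?\b"]
# Shortener host and TLDs as seen in the article's samples; illustrative only.
SHORTENERS = {"bit.ly"}
SUSPECT_TLDS = {"top", "cc"}
# Group 1 captures the host; the full match covers the whole URL.
URL_RE = re.compile(r"https?://([^/\s:?#]+)\S*")

def normalize(text):
    """Lower-case and strip accents so 'préstamo' matches 'prestamo'."""
    decomposed = unicodedata.normalize("NFKD", text.lower())
    return "".join(c for c in decomposed if not unicodedata.combining(c))

def analyze_sms(text):
    """Report which of the three indicators appear in one message."""
    norm = normalize(text)
    hosts = [h.rstrip(".") for h in URL_RE.findall(norm)]
    # Tokenize the text without URLs so path fragments are not read as words.
    words = set(re.findall(r"[a-z]+", URL_RE.sub(" ", norm)))
    return {
        "buzzword": bool(words & BUZZWORDS),
        "lure": any(re.search(p, norm) for p in LURES),
        "risky_link": any(h in SHORTENERS or h.rsplit(".", 1)[-1] in SUSPECT_TLDS
                          for h in hosts),
    }

def score(text):
    """Number of indicators present, 0 to 3."""
    return sum(analyze_sms(text).values())

# The three messages quoted in the article, then two constructed benign ones.
ARTICLE_SAMPLES = [
    "<Prestamos XXX>Ha conseguido un prestamo de 50,000 pesos con bajo interes.Haga click a http://xxxxxx.top/abcd para recibir que se depositan en 5 mins.",
    "Estimado cliente, felicidades, paso la revision, el monto es de 3,0000 pesos, haga clic para descargar y retirar dinero de Google Play: https://abcd.cc/9RT3Aio",
    'Buenas tarde! todo ha sido aprobado!Ahora simplemente haz clic en "Recibir el dinero" para recoger tu dinero 8000 pesos:https://bit.ly/abcd',
]
BENIGN_SAMPLES = [
    "Tu codigo de verificacion es 482913. No lo compartas con nadie.",
    "Su recibo de luz esta disponible en https://example.com/recibo",
]
```

All three quoted messages score 3 and both constructed benign messages score 0; a production filter would need maintained keyword and shortener lists rather than these fixed sets.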
How do payday loan scams work?
For many people, data protection is not at the forefront of their mind when they are downloading apps onto their devices. Some won’t even glance twice at the access requested by an app before downloading. We have analyzed the permissions of some of the apps downloadable from the Google Play Store and found that in some cases these apps were able to access sensitive information such as:
- Contact list
- Read SMS
- Read Calendar
- Take pictures/access image gallery
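The same kind of permission review can be automated. This added example (not code from the original analysis) flags the Android permissions that correspond to the access listed above and to the location access described later in this article. It assumes the manifest has already been decoded to text XML, and the package name and manifest contents are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PERMISSION_TAGS = {"uses-permission", "uses-permission-sdk-23"}

# Android permissions matching the access described in the article.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.READ_CALENDAR": "calendar events (read)",
    "android.permission.WRITE_CALENDAR": "calendar events (add)",
    "android.permission.CAMERA": "pictures and video",
    "android.permission.READ_EXTERNAL_STORAGE": "image gallery",
    "android.permission.READ_MEDIA_IMAGES": "image gallery (Android 13+)",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
}

# Constructed manifest for a hypothetical loan app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.loanapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CALENDAR"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission-sdk-23 android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="Example Loans"/>
</manifest>
"""

def audit_manifest(xml_text):
    """Map each sensitive permission the manifest requests to the data it exposes."""
    # For manifests from untrusted APKs, use a hardened parser such as defusedxml.
    root = ET.fromstring(xml_text.strip())
    requested = {el.get(ANDROID_NS + "name")
                 for el in root.iter() if el.tag in PERMISSION_TAGS}
    return {perm: data for perm, data in SENSITIVE.items() if perm in requested}

if __name__ == "__main__":
    for perm, data in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"{perm}: exposes {data}")
```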
Users often do not realize the risks they are taking with their data when downloading apps like these, and as evidenced in the case of the threat actor targeting Mexican subscribers, this information can be weaponized by threat actors. The example below demonstrates how the scammer acquires sensitive information from the victim’s device.
The following image shows the access the user permits by downloading the app:
The app has access to users' contacts, approximate and precise location, and their SMS. These loan applications can also read or add calendar events, in addition to taking pictures and videos:
An alarming number of negative comments reveal a lot about the credibility of the scheme:
“It doesn't even give you a verification code even if you ask for it a hundred times.”
“... they still haven't deposited the money and are already debiting me for the loan.”
Once the attacker has accessed the victim's personal information, they can use it to coerce the individual into repaying the loan, even if it is not due to be paid. The attacker will often use offensive language, harassing the victim to get what they want.
Our Threat Intelligence Unit has identified and tackled a series of message variations related to these spam campaigns. The messages, designed to fly under the radar, have been detected by AdaptiveMobile's Threat Intelligence team, allowing us to protect mobile subscribers from receiving them. The graph below demonstrates a significant drop in the number of messages reaching the users we protect, in particular if we compare the level of activity over weeks 9, 10 and 11 with the first few weeks of 2022:
How can mobile users protect themselves from fraudulent payday loans?
We have a few suggestions that can be considered in the case of a subscriber who receives these types of messages.
- After receiving a message advertising an attractive loan option, before taking any further action, the user should research the company name. A simple Google search is likely to reveal the credibility of the company, its reputation and trustworthiness. Pay particular attention to previous customer experiences.
- CONDUSEF is the Mexican Regulator where you can check if an organization is an authorized financial entity: https://webapps.condusef.gob.mx/SIPRES/jsp/pub/index.jsp.
- If a loan application requires the installation of an app on a handset, there are a few parameters that should be checked:
  - Comments and reviews on the App Store.
  - Be aware of the permissions requested by the app. If it is a financial app, it shouldn’t require access to your photo gallery.
- Response time: A rapid response time (5 minutes or less) is often a good indication that you are facing a scam.
- Carefully check the interest rates – sometimes the real rates can be found in a discreet location such as the terms and conditions footer in fine print.
How can MNOs mitigate SMS loan scams?
As attackers are continually evolving their attack methods and seeking to evade SMS Firewall protection, it can be challenging for mobile network operators to sufficiently protect subscribers. We recommend a managed SMS Firewall and Threat Intelligence service to build strong defenses against new and evolving mobile network security threats.
AdaptiveMobile Security uses a combination of the threat event visibility provided by our globally deployed award-winning security platform, and our threat response expertise to offer advanced threat detection, maintaining a strong defense against messaging threats.
This is the third in our monthly spam blog series. Stay tuned to discover the latest tactics that scammers are using to penetrate mobile networks and defraud users.
With over 15 years’ experience in Telecommunications, mobile messaging and Security, Johanson Alsina is an enthusiastic person focused on Telecom security. His experience as an implementation and troubleshooting engineer gives him accurate insights for his role as a TIU Security Analyst, helping to secure over 2.2 billion subscribers across the world.