More information is emerging on a text scam that is hitting Kiwi phones en masse.
"It's bigger than Ben Hur," says a person immediately involved with official efforts to stamp out the scam says.
The Herald understands the Department of Internal Affairs has received a record number of complaints about a scam text purporting to be from a courier company. More than 56,000 people have forwarded the agency a copy of one of the texts of the past two days.
An official update is due later today.
The Government's Computer Emergency Response Team (Cert NZ) is asking anyone who receives one of the scam texts (see examples below) to forward it to the DIA on 7726.
The scam messages ask the recipient to click on a link, then install the delivery app, which is actually a piece of malware called Flubot - which has been sweeping the world and reached NZ on Wednesday.
The scam texts have been sent to all models of phone, but Flubot can only infect those running Android software. Android powers Samsung phones, and almost every other model outside of Apple's iPhone.
Cert NZ says Flubot attempts to steal your credit card information, banking passwords and other sensitive information, to enrich its makers, who have yet to be identified.
The malware also steals your phone's address book, then uses it to send text messages to your contacts to perpetuate the scam.
"It sends itself to everybody in your address book," says Paul Brislen, CEO of the Telecommunications Forum, whose members include Spark, Vodafone and 2degrees.
Efforts to stamp out the scam have been complicated by this approach. Scam messages are coming from real numbers, so blocking them isn't an option.
"The industry is working closely with government agencies including DIA and Cert to tackle the problem. We are working to block the URL [web link] included in some of these messages," Brislen says.
"But the advice to those who receive the text message is the same - don't click on it, report it to the DIA via 7726 and if you have clicked on the link contact Cert."
Cert NZ can be contacted via its website, www.cert.govt.nz or by phoning 0800 CERT NZ (0800 2378 69).
The agency says if you think you have inadvertently downloaded Flubot, you should factory reset your Android phone as soon as possible (remembering the malware cannot infect iPhones).
Meanwhile, a number of readers have reported receiving what is possibly a new twist on the same scam, with a text saying photos of them have been uploaded to an online album. Again, Cert NZ's advice is: Do not click that link.
Identifying a scam text
People are advised to phone a courier company, on its publically listed number, if they are unsure if a text message about a delivery is real.
Legitimate text messages do not usually include a link to a website, and are usually sent from a shortcode (like the "7726" being used by the DIA) rather than a normal mobile phone number.
Security company NortonLifeLock recommends the following precautionary steps for Android phone owners (again, iPhones are not affected):
- Disable "Install Unknown Apps". A lot of malicious apps find their way on your phone outside of the official Google Play store, but from unknown sources.
- While it might be tempting to install the occasional app that you can't find in the official app store, if you're willing to take the risk and trust the source, make sure to disable the feature again afterwards, to reduce any ongoing security risk.
- Never open links that seem suspicious. Check to make sure that the mail is really from the sender it claims to be. If it promises things that seem to be too good to be true, they probably are.
- Don't grant apps broad permissions, only let them access what they need to function. Avoid any apps that ask for more data than necessary. As can be seen in the FluBot case, broad permissions can lead to the malware being able to perform their unwanted tasks and spread themselves further.
- Get security software for your mobile device.