SMS (smishing) scams are relatively easy to identify for those of us who have some digital experience. They often have spelling mistakes, the messages are generic, and the web URL is too strange. They are the classic signs that serve as a warning to avoid falling into these scams. The case that is happening these days with MRW is considerably more complex, because it is not only a more careful message, it also includes real data that in principle no attacker should have access.
MRW itself has informed who is suffering these days a campaign to try to impersonate his identity. Dozens of users have explained in social networks that they are receiving SMS impersonating MRW where a dispatch locator is sent and a link that redirects to a fake page that try to get us to pay some supposed shipping costs for the package sent by MRW. Many would not fall into this trap, if it were not for the fact that our name, the actual shipping locator and the name of the store where we have purchased the product appear in that message.
Fake SMS, but with real data
MRW explains that if we have received an SMS indicating that we must pay shipping costs, we should not do so. Specifically, this MRW SMS scam follows the following pattern:
Dear [usuario], you must pay the shipping costs [XXX] from [XXX]. Can do it: [enlace fraudulento]
Currently the fake page of ‘envios-mrw.com’ is no longer available, but it is not ruled out that the fake SMS campaign continues with another similar address. This fraudulent page has a design very similar to the original MRW one and after showing us data of our shipment, it refers us to a payment website where you can add the bank card to make a supposed payment of € 0.99 for false shipping costs.
Here an example of SMS. The URL does not match that of MRW. 👇 pic.twitter.com/8WB7Jbru5n
– MRW Spain (@mrw_es) December 27, 2021
We have discussed similar SMS scams in the past, such as FedEx. However, in this case there is an important difference: attackers take advantage of a data breach to give their scam more credibility.
If the user enters the link received through the SMS, the false MRW website will be accessed but where some correct information is reflected such as the name, the town to which the shipment is made and the locator or actual delivery note number. A piece of information that should only be in the hands of the person who sends the product.
At the moment the details of the security breach have not been confirmed, but from MRW they explain that they are “trying to fix it as soon as possible”, evidencing that it is also a problem on their side and not only a phishing attempt outside the parcel company.
INCIBE warns of the high danger
From the National Institute of Cybersecurity (INCIBE) they explain to Xataka that have been alerted to this problem and have posted a notification today on their security advisories channel where they classify the importance of MRW SMS scam as “high”, with a score of 4 out of 5.
In cases where personal data has been compromised, companies have the right to obligation to communicate that there has been a security breach to the Spanish Agency for Data Protection (AEPD).
From Xataka we have consulted with the AEPD to find out if they have been notified by MRW about this possible security breach. We have also asked MRW about this matter. At the moment both the data protection organization and the affected company have not commented..
According to the legislation, companies have 72 hours to inform the AEPD that there has been a data breach, otherwise you are subject to a penalty.
From INCIBE they warn that this campaign can also reach users by other means, such as mail. The alert speaks of “parcel companies”, leaving the door open for other companies to have been affected. Some users on social networks they aim that They are also using the company name Sending Transportes to scam.
What to do if we have been a victim of this scam
If we have received an SMS of these characteristics and we have fallen into the scam, giving our card details to make the supposed payment, it is important that our first step is block the credit card, contacting the bank and explain the situation to them.
In case of having received this message but not having given any type of personal data, we will simply have to delete the message. In principle, the danger of this fake MRW SMS scam lies in the fact that it deceives us into giving out our data, but no malware is known to be transmitted.
In Engadget | Sending your ID as is is extremely dangerous: these three tips minimize the risks when making purchases or reservations