This is NOT Fraud Advice--SMS Blasters

Happy Friday - hope you all have gotten to enjoy some warmer weather across the States this week.

The Footprint team is headed to Vegas the week of 3/10 for Fintech Meetup. If you are there, we would love to get together. If you are there and have always wanted to race a Lamborghini Aventador, you should register for our raffle here.

With this newsletter, we have taught you how people traditionally steal or create identities in order to commit fraud. Today, I want to talk about a different type of fraud attack: Account Takeovers.

Onboarding to a company with a fake identity is great, but taking over a legitimate account could be even more profitable.

Luckily for the fraudsters of the world, new tools are hitting the market that make this type of attack even easier.

To take over someone’s account, you need their credentials. For many accounts, these credentials are simply a login email and a password. In the past, you would have had to gone through great lengths to manually phish this information from a target but technology has made it even easier.

I came across a tool called the “SMS Blaster” the other day. There was a news article, linked here, detailing the arrest of a pair of Chinese hackers who were driving around Bangkok with a “SMS Blaster”. This device is pretty much a miniature cell tower, but instead of connecting you to your network provider, it hijacks the airwaves to blast mass text messages to everyone within range. Originally designed for emergency alerts (think natural disasters), these devices have now been co-opted by scammers to flood phones with fake messages that impersonate banks, government agencies, or delivery services.

One SMS Blaster can send hundreds of thousands of messages per hour—no SIM card or subscription required. The worst part? They don’t rely on traditional telecom networks, making them almost impossible for mobile carriers to filter or block.

In Bangkok these fraudsters were sending thousands of SMS messages to everyone within range with fraudulent banking alerts, hoping to trick people into handing over their credentials.

Governments and telecom companies are struggling to contain this growing problem. Outright bans are tricky because law enforcement agencies rely on the same technology for legitimate emergency alerts. Meanwhile, mobile carriers can’t detect or filter these rogue signals, as the messages never pass through their networks.

In the past, these devices were hard to comeby. But now, with the proliferation of fraud advice shared on channels like Telegram, buying an SMS Blaster is shockingly easy. A quick search on Alibaba or niche tech sites turns up devices boasting capabilities like a 3 km range and 100,000 texts per hour. Some sellers even feature phishing-style message templates in their product demos.

Passwords are broken. At Footprint, we are big believers in Passkey technology and use it in our product to re-authenticate returning users. Passkeys cannot be phished, as their are cryptographic keys where one part of the pair is stored on the user’s device and the other is stored by the authenticating party.