Group‑IB spots rogue BTS phishing

- Group‑IB said on April 29 it tied a global smishing operation to the “Phoenix System,” a phishing platform that may use fake BTS towers.
- The firm linked the activity to more than 2,500 phishing domains since January 2025 and said the campaign has targeted 70-plus organizations.
- The shift matters because rogue towers can bypass carrier filters and make scam texts look unusually legitimate.

SMS phishing usually depends on carriers, bulk numbers, and a lot of luck. This campaign looks nastier. Group‑IB says the operators behind a global smishing network may be using rogue base transceiver stations — basically fake cell towers — to push phishing texts straight to nearby phones while bypassing normal carrier filtering. The company tied that delivery method to a broader phishing platform it calls the Phoenix System, and that changes the story from “more scam texts” to “attackers are starting to mess with the radio layer itself.” (group-ib.com)

### What did Group‑IB actually find?

The new report, published April 29, says two big smishing themes — reward-points lures impersonating banks and telecoms, and failed-parcel lures impersonating logistics brands — were not separate scams at all. Group‑IB says they shared infrastructure and were tied back to the same phishing-as-a-service(group-ib.com)ltering, and dashboards for managing victims in real time. (group-ib.com)

### What is a rogue BTS?

A BTS is part of a cellular network — the equipment that talks to your phone like a cell tower does. A rogue BTS copies that role without being part of the real carrier network. If a phone latches onto the fake signal, attackers can inject SMS messages directly to the device. That is the trick here. The text does (group-ib.com)rmal choke point disappears. (group-ib.com)

### Why is that more dangerous than ordinary smishing?

Because the message can look more trustworthy and arrive through a channel people still treat as semi-official. Group‑IB says these campaigns may send texts that appear under trusted brand names. If that works, the victim sees what looks like a normal bank, telecom, or delivery messag(group-ib.com) to credentials, card details, and one-time passcodes. (group-ib.com)

### How big is this operation?

Big enough that it does not look like a one-off crew with a homemade blaster. Group‑IB says it has identified more than 2,500 phishing domains tied to the operation since January 2025, and says the campaign has targeted more than 70 organizations across financial services, telecommunications, and logistics a(group-ib.com)hich means victims are funneled to country-specific pages instead of one generic scam site. (group-ib.com)

### Why does the “Phoenix System” matter?

Because it suggests industrialization. This is not just criminals writing scam texts by hand. The platform appears to package the whole workflow — brand impersonation, phishing pages, region targeting, and live victim handling — so affiliates can run proven playbooks at scale. Group‑IB also says t(group-ib.com)uthentication, which is exactly the kind of feature that turns a basic lure into an account-takeover machine. (group-ib.com)

### Does this mean SMS MFA is broken?

Not completely, but it does mean the old warning just got sharper. SMS-based codes were already weaker than app-based authenticators or hardware keys because phone numbers can be spoofed, SIMs can be swapped, and messages can be intercepted. A rogue-BTS delivery path adds another way to get victims on(group-ib.com)t is not just the code — it is the trust users place in the text itself. (group-ib.com)

### Who should worry most?

Banks, telecoms, logistics companies, and really any brand that trains customers to click links from texts. Those three sectors were already among the top phishing targets in 2025 in Group‑IB’s broader crime trends work, and this campaign sits right on top of that behavior. The more a company relies on SMS for a(group-ib.com)ers to blend in. (group-ib.com)

### Bottom line

The important shift is not just “more smishing.” It is that phishing infrastructure is colliding with rogue mobile-network gear. If that keeps spreading, carrier spam filters help less, brand impersonation gets more convincing, and SMS becomes even harder to trust by default. (group-ib.com)
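If carrier-side filtering can be skipped at the radio layer, the remaining place to catch these lures is on the receiving end: a security-awareness tool, a brand's customer-facing abuse mailbox, or an MDM-managed inbox scanner. The following script is an added example, not code from Group‑IB's report or the Scout briefing. It triages inbound SMS text against the two lure themes the report describes (reward points and failed parcels), checks whether any link actually belongs to the brand the message claims to be from, and flags requests for a one-time code. The brand names, allowlisted domains and sample messages are all constructed placeholders for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlparse

# Constructed allowlist of the domains each brand legitimately links to from SMS.
# Placeholder names for this example, not real brand domains.
BRAND_DOMAINS = {
    "examplebank": {"examplebank.com"},
    "parcelco": {"parcelco.com"},
    "telco": {"telco.net"},
}

# The two lure themes the report describes: reward-points and failed-parcel pretexts.
LURE_PATTERNS = {
    "reward_points": re.compile(r"\b(rewards?|points?|bonus|expires?|redeem)\b", re.I),
    "failed_parcel": re.compile(r"\b(parcel|package|delivery|deliver|redeliver|customs|shipment)\b", re.I),
}
OTP_PATTERN = re.compile(r"\b(otp|one[- ]time (?:code|passcode|password)|verification code|passcode)\b", re.I)
URL_PATTERN = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.I)

SUSPICIOUS_THRESHOLD = 3


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)
    brand: Optional[str] = None

    @property
    def label(self) -> str:
        return "suspicious" if self.score >= SUSPICIOUS_THRESHOLD else "benign"


def hostname_of(url: str) -> str:
    """Extract the lowercase hostname from a URL, tolerating a missing scheme."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    return (urlparse(url).hostname or "").lower().rstrip(".")


def host_allowed(host: str, allowed: set) -> bool:
    """True when host is one of the allowlisted domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in allowed)


def triage(message: str) -> Verdict:
    v = Verdict()
    text = message.lower()

    # 1. Which brand, if any, does the message claim to come from?
    v.brand = next((b for b in BRAND_DOMAINS if b in text), None)

    # 2. Does the wording match a known lure theme? One point per theme hit.
    for theme, pattern in LURE_PATTERNS.items():
        if pattern.search(message):
            v.score += 1
            v.reasons.append(f"lure theme: {theme}")

    # 3. Where does the link point, and does that match the claimed brand?
    for url in URL_PATTERN.findall(message):
        host = hostname_of(url)
        if v.brand is not None:
            if not host_allowed(host, BRAND_DOMAINS[v.brand]):
                v.score += 3
                v.reasons.append(f"link to {host} does not belong to {v.brand}")
        else:
            v.score += 1
            v.reasons.append(f"link to {host} in message with no recognised sender brand")

    # 4. Asking the recipient to hand over a one-time code is the account-takeover step.
    if OTP_PATTERN.search(message):
        v.score += 2
        v.reasons.append("asks for a one-time code")

    return v


# Constructed sample messages for the example (not taken from the report).
SAMPLES = [
    "ExampleBank: your 4,200 reward points expire today. Redeem now at https://examplebank-rewards.com/claim",
    "ParcelCo: we could not deliver your parcel. Reschedule at https://parcelco.com/track/7f3a",
    "Your package is held at customs. Pay the fee and enter the OTP we sent: www.pkg-release.example",
    "Hi, are we still on for lunch tomorrow?",
]


def run_samples():
    """Return (label, score, reasons) for each sample so results can be checked."""
    return [(v.label, v.score, v.reasons) for v in map(triage, SAMPLES)]


if __name__ == "__main__":
    for msg, (label, score, reasons) in zip(SAMPLES, run_samples()):
        print(f"[{label:10}] score={score} {msg}")
        for reason in reasons:
            print(f"             - {reason}")
```

The weighting is deliberate: a lure theme on its own is weak evidence (the second sample is a legitimate-looking delivery notice that links to the brand's own domain and scores only 1), while a link whose registrable domain does not belong to the brand named in the text is the signal that separates impersonation from a real notification. Because that mismatch check needs the brand's allowlist, it is something the brand itself or the endpoint can enforce regardless of whether the message ever passed through a carrier filter.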

Shared from Scout - Be the smartest in the room.