Earlier this month, Vigilante discovered that SMS marketing firm, Rocket Text (rocket-text.com), failed to secure its Mongo database exposing just over 600 million customer emails and 63 million phone numbers. Vigilante was tipped to this egregious oversight by security researcher Bob Diachenko, who has been an advocate for responsible security practices and has been tracking developments associated with Rocket Text closely. Rocket Text, formerly known as ApexSMS, first came under scrutiny after a May 2019 disclosure by Mr. Diachenko to TechCrunch highlighted that the company failed to secure its Mongo database of customer information by neglecting to password-protect their server. This lack of simple server protection is exactly the same kind of failure Diachenko would find again
with the recent leak associated with Rocket Text.

  • Vigilante connected the dots between the two marketing firms by observing that the exposed Rocket  Text database is set up in exactly the same manner as ApexSMS and also shares the same
    database administrator. Moreover, the below picture demonstrates that even the URL associated with the Mongo DB is named “apexsms”.

The exposed records include:
• First Name
• Last Name
• Email Address
• Postal Address
• Zip Code
• Phone Number
In the previous leak, there was a distinction made between cellphone numbers and landlines in the data. In this leak, however, that distinction is not made, but Vigilante assesses that the numbers being leaked and unprotected on the server are cellphone numbers based on our technical
analysis. Vigilante notes that not all marketing firms are this careless with our
data. Most companies go to great lengths to ensure that our personal information is protected commensurate with today’s high industry standards. Regardless, it is time for us to own our digital footprint by being mindful of what we click on, sign up for, and the terms of the offers associated with today’s miraculous technological advancements.
• Do not be afraid to unsubscribe from online services you no longer use
• Ask hard questions about a company’s security posture,
• And become aware of who knows what about you.
Interestingly, Vigilante reached out to the Rocket Text support team at the email address provided on their website, but the email was returned, and we were informed that the “…email account does not exist.”

“Smishing:” The Dangers of SMS Phishing and How to Avoid It
Major phone number leaks, like the one from Rocket Text, exposes clients to SMS phishing…also known as “smishing.” Mobile spam is not just annoying. It can be downright dangerous if it tricks you into clicking on a link that will inject malware into your system or that will steal your personal information.
• The problem with stolen and misused data is not new. As one example, in 2018, Vigilante analysts observed a threat actor on a prominent Deep and Dark web carding forum offering sensitive Canadian bank data allegedly acquired through smishing. The threat actor’s offering included IP addresses, Log-in information, passwords, and even personally chosen security questions and answers. Open sources subsequently reported that Canadian and American banks fell prey to a similar SMS phishing scheme that started in June 2019 and only recently ended.

Protecting Yourself from SMS Phishing and Mobile Text Spam
As more and more people make greater use of smartphones to manage their online banking and accounts, the risk from smishing becomes even greater. Here are a few tips to avoid falling prey to SMS phishing scams beyond simply avoiding clicking links in SMS messages:

  • Always be cautious, even if you think you recognize a phone number. Remember that criminals will spoof numbers to make it appear that they are calling from trusted numbers.
  • Don’t reply to a text message from an unknown number or call the number. Block the number outright if you can. Even if the text message says “text ‘stop’ to stop receiving messages,” never reply. Providing a response to the message will verify to them that the number is active.
  • Do a web search of both the number and the message content. If the phishing message appears to be impersonating a company, call the company directly at the number on their official site to confirm the message’s authenticity.