That annoying SMS phish you just got may have come from a box like this

Scammers have found a new tool in their arsenal: unsecured cellular routers commonly used in industrial applications. Research indicates that since early 2023, these devices have been exploited to launch widespread SMS phishing campaigns. Manufactured by Milesight IoT Co., Ltd., a company based in China, these rugged Internet of Things (IoT) routers serve as crucial links for connecting essential infrastructure like traffic lights and power meters to centralized systems. Equipped with SIM cards compatible with 3G, 4G, and 5G networks, these routers can be managed through text messaging, Python scripts, and web interfaces. A report from security firm Sekoia revealed that an analysis of suspicious network activity captured in their honeypots uncovered instances of these routers being misused to send out SMS messages embedded with phishing links. Upon further investigation, researchers discovered over 18,000 of these routers were publicly accessible on the internet. Alarmingly, at least 572 of them had unprotected programming interfaces, making them easy targets for cybercriminals. Many of these devices were running outdated firmware—some by more than three years—and contained known security vulnerabilities. By sending requests to these unauthenticated APIs, researchers were able to access the SMS inbox and outbox of the routers. The findings revealed a series of smishing campaigns that commenced in October 2023, targeting phone numbers across various countries, notably Sweden, Belgium, and Italy. The fraudulent messages typically directed recipients to log into accounts related to government services, aiming to steal personal credentials through deceptive links. According to Sekoia's researchers, Jeremy Scion and Marc N., these phishing campaigns illustrate a concerning trend. They noted that the exploitation of vulnerable cellular routers represents a relatively simple yet effective method for distributing phishing messages globally. The decentralized nature of these devices complicates the efforts to detect and dismantle such scams, posing a significant challenge to cybersecurity initiatives.