Contact tracing apps are not leaking your information

Published November 20, 2021, 12:09 AM

by Art Samaniego

The country’s contact tracing effort is the most convenient thing to blame for the recent SMS spam incident. Sorry to disappoint you, but the contact tracing apps for COVID-19 are not the reason why you’re getting spam text messages.

SMS messages offering high-paying part-time jobs have been circulating recently. Some recipients blame contact tracing apps as they believe (without any proof) that these apps leaked their phone numbers to the spammers. However, even mobile numbers not submitted to these apps received spam messages.

While we have discussed the possible vulnerability of many contact tracing apps before, there is no proof that spammers use the phone numbers from the apps to send WhatsApp links and messages.

Also, this text-spam attack is not a troll recruitment activity by any political party, as claimed by some users from all sides of the country’s political spectrum. It’s a scam that started around mid-2020, a time when many people lost their jobs because of the pandemic, in which scammers promised recipients high-paying part-time jobs.

One thing is clear: this SMS spam that users are getting is a phishing attack. Phishing is a scam that tricks victims into sharing sensitive information such as login names and passwords, downloading a file containing malware, or sending money to the cybercriminal’s account.

Phishing is prevalent and comes in many forms. It is SMiShing when cybercriminals send malicious links using text messages. Vishing happens when the internet bad guys are confident enough to call you and attempt to get sensitive information from you. Spear phishing targets a specific individual or group of individuals, for example, tellers of a bank or employees of a large company. Whaling targets high-profile individuals such as the CEO or the CFO of a company and involves a sense of urgency to pressure the victim to submit credentials on a malicious website or immediately send funds to a third-party account.

The latest SMiShing attacks would ask recipients to click a link where they would automatically connect to the WhatsApp account of the scammer. WhatsApp’s click to chat feature allows scammers to begin a chat with other users even without the phone number saved in their phone’s address book. Using this feature, scammers would create a link to start a WhatsApp conversation when the recipient clicks the link from a text message sent by the cybercriminals.
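A defensive sketch of the mechanism just described, added here as an example and not taken from the original article: it finds click to chat links in an SMS, reads the destination number straight out of the URL, and flags messages that pair such a link with job-offer wording. The host names `wa.me` and `api.whatsapp.com` are WhatsApp's public click to chat link formats (the article does not name them); the lure keywords, the length bounds and the sample messages are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# URL-like tokens, with or without a scheme (SMS senders often omit it).
TOKEN_RE = re.compile(r"(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}/[^\s<>\"']*", re.I)
# Constructed keyword list for the job-offer lure; tune for real traffic.
LURES = ("part-time", "part time", "salary", "commission", "per day", "hiring")

def click_to_chat_number(url):
    """Return the digits of the chat destination, or None if not click to chat."""
    if "://" not in url:
        url = "https://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # Exact host match, so look-alikes such as wa.me.example are not accepted.
    if host == "wa.me":
        candidate = parts.path.strip("/").split("/")[0]
    elif host == "api.whatsapp.com" and parts.path.rstrip("/") == "/send":
        candidate = parse_qs(parts.query).get("phone", [""])[0]
    else:
        return None
    digits = re.sub(r"\D", "", candidate)
    # Assumed sanity bounds: 7 to 15 digits (15 is the E.164 maximum).
    return digits if 7 <= len(digits) <= 15 else None

def scan_sms(text):
    """Flag an SMS that pairs a click to chat link with job-offer wording."""
    found = (click_to_chat_number(t) for t in TOKEN_RE.findall(text))
    numbers = [n for n in found if n]
    lure = any(word in text.lower() for word in LURES)
    return {"chat_numbers": numbers, "lure": lure,
            "suspicious": bool(numbers) and lure}

# Constructed sample messages with placeholder numbers.
SAMPLES = [
    "Hiring! Part-time job, earn 3000-8000 per day. "
    "Contact us: https://wa.me/630000000001",
    "Your order shipped. Track at https://shop.example/track/630000000002",
    "Salary 500/day, message api.whatsapp.com/send?phone=630000000003&text=job",
    "part-time job: https://wa.me.example/630000000004",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(scan_sms(sms)["suspicious"], "|", sms)
```

Because the number sits in the link itself, anyone who sees or indexes the URL also sees the number, which is the exposure the article goes on to describe.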

Next, the scammers claiming to be from Amazon would ask victims to help merchants get more sales by boosting their performance online. They would require the victims to register on their platform to earn commissions if they help facilitate sales. The cybercriminals promise to give the victim a commission immediately after the registration.

The scammer claimed to be from Amazon and used “SM-Mall” to attract more victims.

The platform is aptly named “SM-Mall,” a name all Pinoys are familiar with, to attract more users.

It’s a form of advance-fee scam where cybercriminals promise money in exchange for cash. The scammers will give victims tasks allegedly to help “SM-Mall” improve its sales by making advance purchases. They are assured of getting refunds plus commission if they deposit a specific amount to the account the scammers provided. If you get this part-time offer from a WhatsApp link, ignore it. It’s a scam.

So, where did the scammers get our mobile numbers? Last year, a WhatsApp-owned domain exposed the phone numbers of users registered in the app. The domain stores the click to chat details in the URL string, allowing search engines like Google to index the details, making them publicly searchable and accessible. According to researcher and bug-bounty hunter Athul Jayaram, WhatsApp’s click to chat feature can land a user’s phone number in the results of public search engines. It could expose the user to scams and cyberattacks.

While WhatsApp downplayed this serious privacy leak, the company also fixed the issue silently last year. However, you would see the user’s profile photo using the number you would like to check plus the “” domain. And, using reverse search, the profile photo could tell you a lot about the owner.

“As individual phone numbers are leaked, an attacker can message them, call them, sell their phone numbers to marketers, spammers, and scammers,” explained Jayaram in a blog post.

While WhatsApp offers end-to-end encryption and is renowned for its high data privacy standards, this incident shows that personal data may not be as private as we might like to think.

Lastly, it is expected that some users will still insist on blaming the contact tracing apps, even without proof, for the spam messages they get. Just think about this: the same spam messages offering high-paying part-time jobs are also prevalent in India, Malaysia, Singapore, and other countries.

Beware, do not click links in your text messages. Ignore them. #BeFullyInformed