Text Phishing Scam Hits As GivingTuesday Approaches


A phishing hack at texting firm Mobile Commons resulted in potentially hundreds of thousands of scam text messages being sent to supporters of nonprofits and state government clients using its site.

The system is down just two weeks prior to the global fundraising event GivingTuesday, which this year will be on December 2.

According to a statement to The NonProfit Times from CEO Jed Alpert, an unauthorized third party gained illegal access to the platform on the evening of Monday, November 10. The attacker’s access was active for a four-hour period ending at 12:10 a.m. on November 11 before being detected and removed. A secondary attack was detected at 4 p.m. on November 13 and was immediately disabled. “During these incidents, multiple attempts were made to send spam messages through our system.”

No customer or subscriber personal data was compromised or accessed, according to the statement.

“We are working directly with mobile carriers, aggregators, and affected customers to strengthen our security protocols and prevent any further follow-on attacks in the future. We have locked down messaging on our platform until we are confident that the platform is secure,” according to the statement from Alpert. “We take the security and integrity of our platform extremely seriously. We’re committed to maintaining the trust our customers place in us and will continue to invest in the systems and practices necessary to protect their communications.”

According to an email to one nonprofit obtained by The NonProfit Times, it appears that a subsequent investigation found that a Mobile Commons administrator login with access to multiple clients had been compromised.

While the firm’s message said “a limited number of these messages reached subscribers before our security protocols identified and shut down the malicious activity,” fundraisers at the impacted nonprofits and schools said the numbers were in the thousands, and tens of thousands in at least one case. The firm told its clients that no personally identifiable information had been breached.

One fundraising executive told The NonProfit Times that the Mobile Commons platform was turned on for a client on Wednesday “and when they did this, it started up again by cueing another fraud text. At that point, they shut down their entire platform. I imagine when that happened, they knew they had a much bigger problem. They must have thought they had the problem isolated but then realized they didn’t,” the fundraiser said.

The message sent out by the hackers included a suggestion that a donation didn’t go through, and that the donor should call a toll-free number. That number led to a recorded message from the scammers asking for credit card information.

Mobile Commons reports on its website that it has 245 clients in four countries. Among those clients are Princeton University, Mercy For Animals, National Audubon Society, Catholic Relief Services, Human Rights Campaign, Ocean Conservancy, and Fight for a Union. The firm also has governmental clients, and New York’s Office of Information Technology Services told NBC News that “around 188,000 people get text messages from the state and that around 160,000 received the scam text.”

In a message to clients, Mobile Commons said it disabled the compromised internal account and forced platform-wide session termination. It also implemented mandatory password resets for all administrative users with elevated access.

One fundraiser said the organization might move its phone numbers to another provider and use a new short code or a 10-digit number for texting to communicate with its donors, which is the likely plan if the issue is not resolved this week.

According to the Cellular Telecommunications and Internet Association (CTIA), a Common Short Code (Short Code) is a five- or six-digit number to and from which text messages can be sent from and to consumers of all participating U.S. Wireless Providers. Each wireless provider makes the ultimate decision about its own Short Code Program requirements, which may differ from the CTIA guidelines. Following the guidelines, therefore, does not guarantee that a Short Code Program is compliant with any particular Wireless Provider’s requirements.

According to the M+R Benchmarks report, fundraising mobile messages generate an average of $92 in revenue for every 1,000 messages sent. And, according to Pew Research, 15% of U.S. adults are “smartphone-only” internet users, meaning they own a smartphone but do not even subscribe to a home broadband service.