
#phishing

Inbound contact attacks: hop-seeding, phantom-account impersonation, attachment payloads.

28 entries.

From the storm

  • 13:12

    Court Scam

    Another 832-area-code call documented this week, but this one's operational read is different from the Phone Game cluster. The search lookup identifies 832-279-6982 as a known sextortion-by-fake-court scam — caller-ID-spoofed as Dallas Texas Court or law enforcement, then escalating to claims that the recipient inquired about escort services and is now in legal trouble for contacting an underage girl, with Zelle payment demanded to make it go away. Different mechanism from the Phone Game burner pool, same 832-NPA cover.

  • 12:16

    Hometown Homie

    David searched a missed call from 832-664-5071. The AI search panel cannot find the number directly but surfaces two unrelated namesake numbers nearby in the area code. The second screenshot is the search-engine result that turned up on the first page: an old hometown friend's Houston dental practice. He has not spoken to her in decades and the number is not listed on her site, but the page surfaces against the search anyway. Some kind of underlying association, however indirect, was enough to put her on the first page of results for the number that called him.

  • 14:56

    Phone Game

    A new pattern starting today. Five incoming calls from unknown 832-area-code numbers (Houston metro overlay), spaced roughly an hour apart through the day, none of which actually rang. The screen flashes for less than a second and the call has already registered as missed. No voicemail. Surface read is the wangiri / one-ring premium-rate fraud, but the area codes here are domestic Houston-metro, not international, so the premium-redial mechanic does not apply. The operational read is the call-based variant of hop seeding — the call attempt itself is the contact event recorded by both sides' carriers, no reply or callback required, which is the contact-chaining substrate the tactic is built to produce.

  • 14:12

    How Long Will It Be?

    Unsolicited SMS from a 778 area code (British Columbia, Canada, Vancouver area), at 2:11 PM, reading "How long will it be before you arrive?" The warm-tone-with-urgency hop-seeding opener: pretends to expect the recipient somewhere, hopes for any reply at all, since any reply is the contact event the operator is fishing for. Second Canadian-area-code hop-seeder this week, after the 437 Toronto opener three days ago.

  • 17:05

    Oklahoma and Toronto

    Two unsolicited SMS openers three minutes apart on a Friday afternoon, from two different area codes on two different sides of the continent. The first is an Oklahoma number (918) with a warm-tone urgency ("Can you try to 🥺 get here earlier today?"). The second is a Toronto number (437) with the most stripped-down opener possible ("How was your day today?"). Both are addressed to no one, supply no cover, and depend entirely on the recipient feeling a faint social obligation to reply. iOS flags both with Report Spam. The pattern is the same one named in the case file as hop seeding — the deliberate injection of the recipient's number into a contact graph by eliciting any reply at all.

  • 16:43

    Hi David

    The same sender that pitched a maid service to 'Mauri' three weeks ago came back today with the same script — only this time the opening was "Hi David." Logging it as the first concrete dossier-update event the year-end pattern compilation will have to sit beside its predecessor.

  • 12:24

    The Moroccan Court Summons

    A mass-blast smishing scam — fake court summons from a Moroccan phone number routing to a .sbs phishing domain — that landed in my inbox today. Logging it as texture, not as a targeting incident. The discipline of filtering it cleanly matters: when the baseline is elevated suspicion, the volume of obvious mass-blast garbage you have to triage every day is the part that wears the filter down.

  • 23:46

    Circle K Phantom

    A phantom-account artifact — a Circle K loyalty-program welcome SMS asking me to reply YES to confirm enrollment in a marketing subscription I did not initiate.

  • 13:47

    Bad Attacher

    An SMS impersonating UPS with an "urgent" package-delivery notice and an attached PDF — a different tactic family from hop seeding or phantom accounts: this one's payload is the point.

  • 10:31

    Not Me

    A single letter 'E' was sent out of my iMessage account to an unknown number, marked Read, with a reply. I did not send it. The outbound side of the channel — not the inbound — is what makes this different from everything else in this record.

  • 10:32

    Auto Trader

    A coordinated hop-seeding campaign across voicemail and SMS — three contacts in twenty-four hours, three different sender numbers in the same Las Vegas area code, all pretending I am "Tyrone" interested in a Jeep Wrangler at a fictional dealership called Desert 215 Superstore.

  • 13:02

    Calls Blocked?

    A hop-seeding opener using a provocation pretext — "Are my calls being blocked by you?" — designed to bait a defensive reply rather than build rapport. No reply this time. Same area code (672) as the previous day's Phishing for Mary sender.

  • 12:33

    Accredo Codes

    Two valid Accredo verification codes arrive seconds apart from the pharmacy's SMS gateway — a phantom-account instance, distinct from hop seeding. My phone number is the registered contact on a specialty-pharmacy account I have never opened.

  • 10:59

    Phishing for Mary

    An hour-long SMS conversation with a sender persistently working a hop-seeding pretext — "Eileen" looking for her old friend "Mary", who supposedly used this number. Includes an explicit rapport-building line and a re-engagement attempt six hours after the conversation ended.

  • 14:40

    Hey, You Busy?

    A second minimal hop-seeding opener arriving sixty seconds after the first, from a different number in a different area code — same stripped-down conversational hook.

  • 14:39

    Hey, How Are You?

    A minimal hop-seeding opener — one line, no name, no cover. Arrived sixty seconds before a near-identical opener from a different area code.

  • 08:17

    Train Phantom

    A phantom-account artifact — a New Mexico commuter-rail service alert (Train #102 Express NB, Belen Station, 501 Train) delivered to my number, on a service I have never subscribed to and in a region I do not live in.

  • 13:18

    Maids

    Another hop-seeding opener arrives — same structural shape, this one dressed as a maid-service business pitching a holdover discount.

  • 11:53

    Aren't You Rebecca?

    A hop-seeding back-and-forth notable for two distinct recipient names tried in sequence — "Evelyn" first, then "Rebecca" — and for the second name landing on a person from my life I have specifically suspected of impersonating me.

  • 14:44

    Hi Janell

    A phantom-account artifact — a health-insurance marketing follow-up addressed to 'Janell' from 'Traci' at 'Next Level Plans', delivered to my number on the basis of a customer relationship that does not exist.

  • 13:12

    DEA Phantom

    A phantom-account artifact — a DEA Special Agent recruitment SMS routed through GovDelivery's lnks.gd shortener to a phone that has never subscribed to DEA communications. Different vertical (federal-government recruiting list) from the others on the site.

  • 11:27

    Hi, I Hope Your Day Is Going Well

    A minimal warm-tone hop-seeding opener — single conversational hook, no name, no business, no cover. Same architecture as the May 7 pair and Calls Blocked? from May 15.

  • 15:05

    Could You Tell Me Your Name?

    A hop-seeding opener using a name-fishing pretext — the sender claims to have my number saved without a name attached, inviting me to identify myself.

  • 14:09

    SMS Phish

    A casual BBQ invite arrived from a number I did not recognize, addressed to someone who is not me. The canonical opening shape of hop seeding — and of pig-butchering, the cover it rides on.

From tactics

  • Attachment phishing

    An unsolicited SMS containing an attached file (PDF, image, document) designed to deliver malware, harvest credentials, or compromise the recipient's device when opened. Distinct from hop seeding (no metadata edge needed) and from phantom account (no account is being maintained) — the payload is the point.

  • Hop seeding

    The deliberate injection of a target's phone number into someone else's contact graph — typically via an unsolicited "wrong number" text designed to elicit any reply at all — for the purpose of pulling the target into a contact-chaining query.

  • Outbound impersonation

    Someone other than the account holder sends messages out of the account holder's own communication channel — iMessage, email, social-media DM — making the recipient believe the account holder sent them. Distinct from phantom account (which uses the holder's number on a third-party service) — this is the holder's own account, used against the holder.

  • Phantom account

    An account opened on a third-party commercial service using a target's phone number as the contact identifier. The target receives verification codes, transactional SMS, and notifications, but does not own the account and cannot access it.
