The SMS Scam You Just Got May Have Started in a Dusty Industrial Closet Using a Router No One Secured


What do traffic lights, power meters, and phishing texts have in common?

If you’ve gotten one of those shady SMS messages lately — you know, the kind telling you to “verify your identity” or “log into your government account” — there’s a good chance it came from a beat-up, forgotten box sitting in an industrial site somewhere in Sweden, Belgium, or Italy.

Welcome to the world of smishing powered by insecure industrial routers.


The little box causing big trouble


The culprit behind these phishing texts isn’t some ultra-sophisticated cyber weapon. It’s a rugged little device called a cellular router. Manufactured by China-based Milesight IoT Co., Ltd., these boxes are built to connect things like traffic systems and power meters to the internet through SIM cards and mobile networks.

They’re meant for behind-the-scenes industrial use. But it turns out, many of them are sitting wide open on the internet — with outdated software, weak security, and open doors for anyone who knows where to look.

Sekoia, a cybersecurity firm, took a closer look. What they found was surprising in its simplicity.


What the researchers discovered

After picking up some shady network activity in their honeypots, Sekoia dug in and discovered a stash of over 18,000 Milesight routers accessible online. From that group, they zeroed in on 572 routers that had no protection on their APIs — giving basically anyone the ability to send and read SMS messages right from the router.

Most of these devices were running software that hadn’t been updated in over three years. Translation: They were sitting ducks. And they were being used to send out smishing messages by the thousands.

The phishing campaigns date back to October 2023. They mainly targeted phone numbers in Europe — especially users in Sweden, Belgium, and Italy. Victims were urged to log into fake websites that looked like official government portals. These pages were crafted to harvest login credentials, banking info, and other personal data.


How it works, and why it’s scary

Here’s the scary part: the setup wasn’t even that advanced.

Attackers didn’t need expensive hardware or deeply hidden infrastructure. They just needed a list of vulnerable routers, most of which were running outdated firmware with known vulnerabilities — like CVE-2023-43261. That particular flaw made it possible to access sensitive config files sitting out in the open.

Even worse, some of those files contained encrypted passwords and, awkwardly, the encryption key and IV needed to decrypt them — meaning full admin access was just a few clicks away.

But to make things more confusing, Sekoia’s researchers found that not all of the compromised routers showed signs of using this flaw. Some ran more recent versions that weren’t technically affected, which means attackers might have other tricks up their sleeve.


Not just about the routers


The scam websites linked in those messages were also cleverly built.

They used JavaScript tricks to make sure the malicious content would only show up if accessed from a phone — hiding from researchers using desktops. They even blocked right-clicks and browser dev tools to make sure analysts couldn’t snoop on the page code easily.
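For analysts triaging a saved copy of a suspicious page, the traits described above can be flagged statically. This is an added example, not code from Sekoia or the original article; the rule names, regex patterns, verdict labels, and both sample pages are illustrative assumptions.

```javascript
// Added example: static triage of a saved page for the anti-analysis traits
// described above. Rule ids and patterns are illustrative assumptions.
const RULES = [
  { id: "mobile-gating",
    re: /navigator\.(userAgent|maxTouchPoints|platform)|ontouchstart|\(\s*pointer\s*:\s*coarse\s*\)/i },
  { id: "right-click-block",
    re: /oncontextmenu\s*=|addEventListener\(\s*['"]contextmenu['"]/i },
  { id: "devtools-key-block",
    re: /\bF12\b|keyCode\s*={2,3}\s*123|(ctrlKey|metaKey)[\s\S]{0,80}shiftKey/i },
  { id: "debugger-trap", re: /\bdebugger\s*;/ },
];

// Collect inline <script> bodies plus inline event-handler attributes.
function extractScriptText(html) {
  const parts = [];
  const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  const attrRe = /\s(on[a-z]+)\s*=\s*("[^"]*"|'[^']*')/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) parts.push(m[1]);
  while ((m = attrRe.exec(html)) !== null) parts.push(`${m[1]}=${m[2]}`);
  return parts.join("\n");
}

function triagePage(html) {
  const code = extractScriptText(html);
  const hits = RULES.filter((r) => r.re.test(code)).map((r) => r.id);
  // Device checks alone are common on legitimate sites; device gating
  // combined with inspection blocking is the pattern worth escalating.
  const blocks = hits.filter((h) => h !== "mobile-gating").length;
  const verdict = hits.includes("mobile-gating") && blocks > 0 ? "escalate"
    : blocks > 0 ? "review" : "no-signal";
  return { hits, verdict };
}

// Constructed sample pages (not taken from the campaign).
const SUSPECT = `<html><body oncontextmenu="return false">
<script>
  if (!/Android|iPhone/i.test(navigator.userAgent)) { document.body.innerHTML = ""; }
  document.addEventListener("keydown", function (e) {
    if (e.keyCode === 123 || (e.ctrlKey && e.shiftKey && e.key === "I")) e.preventDefault();
  });
</script></body></html>`;
const BENIGN = `<html><body><script>console.log("hello");</script></body></html>`;

console.log(triagePage(SUSPECT), triagePage(BENIGN));
```

A page that comes back `escalate` is a candidate for re-fetching with a mobile browser profile in a sandbox, since a desktop fetch may have been served nothing.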

Oh, and some of the phishing pages had a bot named GroozaBot tracking visitor activity. It’s linked to an attacker named “Gro_oza” who reportedly speaks Arabic and French. So these scams aren’t totally random — there’s someone behind them.


Why it matters

This whole operation shows just how easy it is for scammers to slip under the radar with simple tools. Instead of renting massive SMS infrastructure, they just hijack forgotten IoT devices with SIM cards and text messaging capabilities.

And since they’re scattered all over the world, it makes them notoriously hard to shut down.

Sekoia put it best: “These devices are particularly appealing to threat actors, as they enable decentralized SMS distribution across multiple countries, complicating both detection and takedown efforts.”

In other words, bad guys love these routers because they’re cheap, available, and invisible among the clutter of industrial tech.


So what now?

Sadly, the company behind the routers, Milesight, hasn’t responded to requests for comment.

The best thing users can do is stay alert. If you get a text urging you to “log in” or “verify info,” skip the link and go straight to the known website on your own. And if you’re managing any kind of industrial device — check those software versions. Update, lock down your interfaces, and turn off any unnecessary remote access.

These phishing texts may seem harmless. But behind that SMS is a whole ecosystem of neglected machinery quietly being turned into tools for cybercrime.

It might be time to check the closet.
