F-Secure are calling these things SMS phishing (sometimes called smishing, unfortunately), but really they are more like Nigerian email scams delivered via SMS, which isn’t quite the same. The scam is basically this: send an SMS saying the recipient has won the lottery, have them call the scammer, and the scammer tricks them into giving their account details — or persuading the victim to transfer money to another account.
These things have been going on for a while in Indonesia (which is where F-Secure’s originated.) What’s interesting about F-Secure’s is that it’s targetted at Malaysians, indicating that some Indonesians are beginning to use their shared language to export their scamming skills.
From the phone numbers that we got from the SMS, we know that they belong to the Indonesian mobile network Indosat and therefore the phisher is located somewhere in Indonesia. This was further confirmed when the phisher spoke to us in Malay with a clearly Indonesian accent.