We define SMiShing as “the act of using mobile phone text messages (SMS) to lure victims into immediate action such as downloading mobile malware, visiting a malicious website or calling a fraudulent phone number.” SMiShing messages are usually crafted to elicit an immediate action from the target, requiring them to hand over personally identifying information and account details. They will often do so by using fear or greed based terminology such as “impending account suspension,” “fraudulent account activity detected,” or by offering some type of award or discount.
SMiShing attacks are rapidly growing in popularity. According to a 2014 Annual Threat Report from Cloudmark, the incidence of SMiShing in the U.S. more than tripled in September 2014. The report further identified that one in four unsolicited SMS messages reported in 2014 attempted to steal the victim’s personal or financial information. The rise in this threat vector can be attributed to several factors. First and most obvious is the widespread use of smartphones. Second, there has been a dramatic increase in the reliance on mobile applications to pay bills and conduct business transactions. Lastly, the adaptation of online two factor authentication has created an authentic layer of trust for messages delivered to smartphones, making it difficult for the average user to decipher a real “enter this verification code before it expires” from an “act now” message.
Due to the fact that more and more users are conducting banking transactions through smart phones, many SMiShing messages claim to be from a financial institution. Many users won’t think twice before acting when they receive a message from their bank. Attackers will use legitimate sounding verbiage and even some branding to assist their pretext.
Figure 1 is an example of a typical SMiShing attack.
Image via Numbercop
Financial Institution Example
In early 2015, a widespread SMiShing attack was sent in bursts to hundreds of thousands of mobile users in the Houston area with varying bank affiliations including Bank of America, Fifth Third Bank and Susquehanna bank. The SMS messages informed recipients of a problem with their bank account and urged them to call a supplied number to follow the automated prompt in order to validate credit card account information. When a user dialed the number, they would reach an automated robo-prompt requesting account details.
An interesting note about this widespread seemingly random attack: it was actually quite targeted. Security researchers later revealed that attackers used geo-targeting by area code to pursue SMSishing targets in the Houston area. The phone number victims were dialing actually belonged to a Holiday Inn Express in Houston, but at the time, calls were being routed to the automated robo-prompt designed to obtain credentials. A sample of an automated prompt that has been associated with SMiShing attacks can be found here.
While SMiShing attackers certainly favor posing as financial institutions, SMiShing attacks are not limited to the banking sector. In 2015 alone, phone spam research group NUMBERCOP has reported on a vast array of SMiShing messages sent on behalf of telecommunications and tech companies such as Verizon, AT&T, Apple and T-Mobile which both drove traffic to adult sites and included a vast number of account takeover attempts. SMiShing attacks targeted at carriers that involve account takeover attempts usually cast a smaller net by grouping SMS targets into 25 or less users. The preferred method for these type of attacks includes driving users to well known phishing sites.
Equipment Needed for SMiShing
SMiShing is attractive to attackers since it is a low-cost attack. A VOIP server, a burner cell phone and a spoofing method are all that are needed in order to send targeted text messages.
With applications such as BurnerApp and SpoofCard, it is easy and also very inexpensive to purchase a spoofed number to text from.
Protecting Users Against SMiShing Attacks
The best way to educate users against SMiShing attacks is by conducting simulated attacks as part of your security awareness and training program. This provides the opportunity to train an individual how to respond to and prevent future threats.
Simulated attacks can lead to educational pages that allow the moment an employee behaves badly to be a teachable moment.