With the new year come new social engineering threats to users. While many of these threats themselves are not new, the rising frequency and execution of them are worth attention.
SMiShing (SMS phishing) is one of those techniques attackers use that is not new, but some see it as a trend to keep an eye on in the new year.
If you are unfamiliar with the term: it is like phishing, but the fraudulent message is delivered as a text message to the target’s mobile phone rather than to the target’s email address; in essence, SMS phishing.
How does an attack work?
A SMiShing attack generally begins when a person receives an SMS message that appears to come from a trusted vendor or contact. The message claims that their account has a problem and that some information is needed from them urgently, or that something of interest is waiting behind the link in the message.
The target clicks the link because the message seems to have come from the trusted sender, and the link leads to a website made to look like the vendor’s site or a social media service, which then asks for some form of personal or authentication information. The end goal is either to harvest credentials or to install malware on the mobile device.
It’s not new, but it’s becoming more frequent. Why?
First, end users and email providers are getting better at recognizing phishing emails, as trust in email has decreased over the years due to company-provided training, news stories describing the threat email presents, and technology-based defenses. That same level of concern has not yet been seen regarding text messaging. Second, there is a large increase in companies that allow BYOD (Bring Your Own Device). This means attackers know they can reach corporate resources by breaching personal devices. Third, there have been a number of data breaches in the past couple of years in which phone numbers were disclosed and are now packaged, in criminal markets, with other personal data. Criminals hold that body of information and are starting to use it more often.
A quick look at some notable breaches in the past couple of years that included phone numbers is an indication of the rising magnitude of this threat.
The ride-sharing service giant Uber revealed that, in late 2016, it became aware of a data breach that potentially exposed the personal information of 57 million Uber users and drivers. This breach included names, email addresses, and phone numbers of Uber users worldwide.
On December 30, 2016, E-Sports Entertainment Association (ESEA), one of the largest video gaming communities, issued a warning to players after discovering a breach, which included over 1.5 million first and last names, email addresses, and phone numbers.
Dun & Bradstreet, a huge business services company, found its marketing database, including over 33 million corporate contacts, shared across the web in March 2017. This database contained full names, work email addresses, phone numbers, and other business-related data.
In June of 2017, Deep Root Analytics, which collected personal data for roughly 198 million American citizens, was storing data on an Amazon cloud server without password protection for almost two weeks. The exposed information included names, dates of birth, home addresses, phone numbers, and voter registration details.
So, what can be done about this threat?
End users can apply the same habits they use with phishing emails. They should think critically about unexpected text messages that ask them to perform some action, like following a link, calling a phone number, or even replying, especially when the message comes from a number that doesn’t have nine digits.
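A small triage filter that encodes the checks above (urgency wording, a requested action, and the length of the sender's number), written for this page as an added example rather than code from the original post. The messages, the 555 numbers and the short code are constructed; the digit count is a parameter because the constructed samples use 11-digit +1 numbers while the article's rule of thumb is nine.

```python
import re

# Constructed sample messages, not real traffic; senders are fictional 555 numbers
# and a made-up short code, as they would appear in the handset's sender field.
SAMPLE_MESSAGES = [
    ("+15555550123", "Hi, running 10 min late, see you at the cafe."),
    ("62917", "URGENT: your account has been suspended. Verify now at http://acct-verify.example/login"),
    ("+15555550199", "Your package could not be delivered. Reply YES to reschedule or call 555-0142 immediately."),
]

# Wording that pressures the recipient into acting before thinking.
URGENCY_WORDS = ("urgent", "immediately", "suspended", "verify", "locked", "expire")

# The three actions the article warns about: follow a link, call a number, reply.
ACTION_PATTERNS = {
    "follow a link": re.compile(r"https?://\S+|\b[\w-]+\.[a-z]{2,}(?:/\S*)?", re.I),
    "call a number": re.compile(r"\bcall\b.*?\b\d{3}[-.\s]?\d{4}\b", re.I),
    "reply": re.compile(r"\breply\b", re.I),
}


def sender_digit_count(sender: str) -> int:
    """Digits in the sender field, ignoring '+', spaces and dashes."""
    return len(re.sub(r"\D", "", sender))


def triage_sms(sender: str, text: str, expected_digits: int = 11) -> list[str]:
    """Return the signals that make a message look like SMiShing (empty = none).
    expected_digits is the length of a full subscriber number in your region:
    11 fits the constructed +1 samples; the article's rule of thumb is nine."""
    reasons = []
    lowered = text.lower()
    if any(word in lowered for word in URGENCY_WORDS):
        reasons.append("urgency language")
    for action, pattern in ACTION_PATTERNS.items():
        if pattern.search(text):
            reasons.append(f"asks you to {action}")
    digits = sender_digit_count(sender)
    if digits != expected_digits:
        reasons.append(f"sender has {digits} digits, not {expected_digits}")
    return reasons


def is_suspicious(sender: str, text: str, threshold: int = 2) -> bool:
    """Flag a message only when at least `threshold` independent signals fire."""
    return len(triage_sms(sender, text)) >= threshold


if __name__ == "__main__":
    for sender, text in SAMPLE_MESSAGES:
        print(f"{sender:>13} suspicious={is_suspicious(sender, text)} {triage_sms(sender, text)}")
```

A single signal (a short code from a known sender, or one link from a friend) is not flagged on its own; the threshold is what keeps ordinary messages from being treated as attacks.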
Business owners should communicate this threat to their employees and have policies in place that protect the network if users are allowed to bring their own devices onto it.
It all comes down to awareness of the threat, a clear understanding of the policies in place to protect the user and the company, as well as proper and frequent testing of the user base to make critical thinking a habit, not a hassle.
If your organization already has a phishing program in place and allows users to read email on mobile devices, start including SMiShing tests in your testing program. The more awareness you, as business owners and administrators, bring to the threat, the less surprised your users will be when they encounter a malicious text message in the wild.
If you don’t have a phishing program already in place, get one!