Security 101: SMShing
By now, most people are familiar with the concept of phishing, in which an attacker baits a victim with a persuasive social-engineering message coupled with a malicious link or attachment, and even with spear phishing, where the attacker similarly reels in a specific target, but using highly personal information gathered from social media and Internet searches.
But SMShing? Perhaps not surprisingly, the same concept applies to SMS messages.
As its name might suggest, SMShing is defined as the act of sending a fraudulent URL or phone number via SMS, according to Axelle Apvrille, Fortinet senior mobile antivirus analyst and researcher. And like its close cousins, phishing and spear phishing, SMShing is often accompanied by an array of social engineering ploys designed to get users to unwittingly accept mobile malware or sign onto expensive phone services.
To that end, a typical attack would likely entail an unsolicited SMS sent to a victim’s mobile phone, enticing the user to call a premium number or visit a malicious Website, among other things.
While attacks vary, there are a few qualities they have in common. For one, many claim to be from some sort of financial institution. Because many users conduct banking transactions from their smartphones, they often don’t think twice when they receive a message from their respective bank.
Also, SMShing attacks typically urge the user to take immediate action, which usually requires them to hand over personally identifying information and account details.
Finally, the attack will inevitably be sourced to someone that’s not on the user’s contact list and, thus, someone the user doesn’t know.
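The three traits just listed (a claimed financial sender, pressure to act immediately, and an unknown source carrying a link or callback number) can be turned into a simple triage heuristic. The Python script below is an added example, not code from the article or from Fortinet; the sample messages, contact list, keyword lists and the assumption that a 900-prefixed number is a premium-rate callback are all constructed for illustration.

```python
import re

# Constructed sample messages for illustration; these are not real campaign
# data. The senders, numbers and hostnames are made up.
SAMPLE_MESSAGES = [
    {"sender": "+15550100999",
     "text": "ALERT: Your FirstBank account is locked. Verify now at "
             "http://firstbank-secure.example/login or call 1-900-555-0100"},
    {"sender": "Mom",
     "text": "Dinner at 7? Call me when you land."},
    {"sender": "+15550100777",
     "text": "Your package is waiting, confirm within 24 hours: http://track.example/abc"},
]

# Assumed address book of the handset; anything else counts as an unknown sender.
KNOWN_CONTACTS = {"Mom", "+15550100123"}

# Keyword lists are a deliberately small, assumed vocabulary; a real filter
# would use a much larger list or a trained model.
BANK_TERMS = ("bank", "account", "credit", "card", "debit", "paypal")
URGENCY_TERMS = ("immediately", "now", "urgent", "locked", "suspended",
                 "within 24 hours", "verify", "confirm")


def _term_regex(terms):
    # Whole-word match so that "now" does not fire on "know".
    return re.compile(r"\b(?:" + "|".join(re.escape(t) for t in terms) + r")\b", re.I)


BANK_RE = _term_regex(BANK_TERMS)
URGENCY_RE = _term_regex(URGENCY_TERMS)
URL_RE = re.compile(r"https?://\S+|\bwww\.\S+", re.I)
# North American numbers with an optional +1 / 1 prefix and common separators.
PHONE_RE = re.compile(r"(?:\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}")
# Assumption: a ten-digit number beginning with 900 is treated as premium-rate.
PREMIUM_PREFIX = "900"


def extract_indicators(text):
    """Return (urls, phones) found in the message body; phones are normalized to digits."""
    urls = URL_RE.findall(text)
    phones = [re.sub(r"\D", "", p) for p in PHONE_RE.findall(text)]
    return urls, phones


def score_message(msg, known_contacts=KNOWN_CONTACTS):
    """Score one SMS against the traits in the text and return a verdict with reasons."""
    urls, phones = extract_indicators(msg["text"])
    score, reasons = 0, []
    if msg["sender"] not in known_contacts:
        score += 1
        reasons.append("sender not in contacts")
    if BANK_RE.search(msg["text"]):
        score += 1
        reasons.append("claims a financial/banking context")
    if URGENCY_RE.search(msg["text"]):
        score += 1
        reasons.append("pressures the user to act immediately")
    if urls:
        score += 2
        reasons.append("contains link(s): " + ", ".join(urls))
    if phones:
        score += 1
        reasons.append("contains callback number(s): " + ", ".join(phones))
        if any(p[-10:].startswith(PREMIUM_PREFIX) for p in phones):
            score += 2
            reasons.append("callback number looks premium-rate")
    if score >= 4:
        verdict = "likely smishing"
    elif score >= 2:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"score": score, "verdict": verdict, "reasons": reasons,
            "urls": urls, "phones": phones}


def triage(messages):
    """Score a batch of messages, preserving their order."""
    return [score_message(m) for m in messages]


if __name__ == "__main__":
    for m, result in zip(SAMPLE_MESSAGES, triage(SAMPLE_MESSAGES)):
        print(f"{result['verdict']:16} score={result['score']} from={m['sender']}")
        for r in result["reasons"]:
            print("   -", r)
```

Run as a script it prints a verdict and the reasons for each sample; the first message (unknown sender, banking language, urgency, a link and a 900 number) scores highest, the family message scores zero, and the package lure lands in the "likely smishing" band purely on unknown sender, urgency and link. The weights are arbitrary; the point is that each of the article's traits is cheap to check mechanically, and the extracted URL and number are what a carrier or bank security team would want forwarded.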
SMShing is not a new attack. However, while once relegated to the periphery of serious threats, SMShing now appears to be reaching its stride, thanks to the explosive growth of smartphones and increased reliance on mobile banking platforms.
In the same vein, mobile banking attacks have experienced an uptick, according to Apvrille, who maintained that researchers have seen a rise in mobile banking malware over the last year. In 2012, for example, two mobile banking attacks – Zitmo and Spitmo – emerged on the mobile threat landscape. More recently, Android/Perkel and Citmo malware were added to the list. Another recently discovered attack, Android/FakeDefend, sends the victim’s card details in plaintext over the Internet, Apvrille said.
Thus far, researchers have yet to detect specific SMShing campaigns related to online banking, although they are certainly not out of the realm of possibility.
Even so, banks need to keep a sharp eye out for such attacks in the near future.
“Naturally, online banking Websites need to keep an eye on unauthorized or strange behaviors they register on their portals,” Apvrille said. “SMShing related to online banks certainly is a possibility, but we are not particularly aware of such malicious campaigns yet.”
With the rise in mobile banking threats in general, and SMShing in particular, it stands to reason that more users will fall prey to such attacks before wising up.
If a user does receive an SMShing message, they often have the option of forwarding the bogus message to their mobile carrier, which gives the carrier’s security administrators the ability to investigate the attack.
If users gave away personal information by calling a provided number, or clicked on a link that downloaded mobile malware, they should also notify their bank or financial institution of potential fraud, while also requesting current statements and the most up-to-date credit report.
As with its phishing and spear phishing predecessors, SMShing attacks will likely become more sophisticated, evasive and difficult to detect. If history is any indicator, SMShing attacks will also increasingly appear more authentic, drawing on a wealth of available personal information to legitimize their aims and better deceive users.
And users should be on their guard.