May 03 2024

What is Smishing?

Category: Information Security, Phishing | disc7 @ 10:21 am
https://www.sans.org/blog/a-tale-of-the-three-ishings-part-02-what-is-smishing/?

What is Smishing and Why?

Smishing is a type of social engineering attack. Social engineering is when a cyber attacker tricks their victim into doing something they should not do, such as giving away money, their password, or access to their computer. Cyber attackers have learned that the easiest way to get something is to just ask for it. This concept is not new: con artists and scammers have existed for thousands of years. The Internet simply makes it very easy for any cyber attacker to pretend to be anyone they want and target anyone they want.

Phishing is one of the most common forms of social engineering because it is one of the simplest and most effective, and it is an attack method we are all familiar with. However, both organizations and individuals are becoming not only far more aware of how phishing attacks work, but also much better at spotting and stopping them. Phishing is still an effective attack method, but it is getting harder and harder for cyber criminals to succeed with it. This is where smishing comes in.

Smishing vs Phishing

Smishing is very similar to phishing, but instead of sending emails trying to trick people, cyber attackers send text messages. The term smishing is a combination of the words SMS messaging and phishing. You may have noticed a rise in random text messages that are trying to get you to click on links or respond to text messages. That’s smishing.

Why the Increase in Smishing Attacks?

  1. It is harder for organizations to secure mobile devices. Security teams often have neither the visibility into nor the control over employees’ mobile devices that they have for workstations. This means it’s harder to both secure and monitor mobile devices.
  2. There are far fewer security controls that effectively identify and filter smishing attacks. This means that when a cyber attacker sends a smishing text message to victims, that message is far more likely to get through unfiltered.
  3. A text message tends to be much shorter than an email, so there is far less context or information, making it harder to determine whether the message is legitimate. In other words, people are more likely to fall victim.
  4. Texting tends to be far more informal than email, so people tend to trust and act on text messages more. In other words, people are more likely to fall victim.

The Smishing Attacks

So, what type of text messaging attacks are there? While these attacks are always evolving, some of the most common are detailed below.

Links

The text message entices you to click on a link, often through a sense of urgency, something too good to be true, or simple curiosity. Once you click on the link, the goal is usually to harvest your personal information (by getting you to fill out a survey) or your login and password (to your bank or email account, for example). Notice how, in the link in the message below, the cyber attacker uses HTTPS, an encrypted connection, to make the link look more legitimate.

Scams

In these attacks, the cyber attacker will attempt to start a conversation with you, build trust, and ultimately scam you. Romance scams are one common example where cyber criminals randomly text millions of people to find those who are lonely or emotionally vulnerable, build a pretend romance, and then take advantage of them.

Call-Back

Like some phishing emails, the text message has a phone number in it and urges the victim to call. Once the victim calls the phone number, they are scammed.

What to Do About Smishing Attacks?

While many security training programs focus on phishing, we far too often neglect text-based smishing attacks. In fact, this can create a situation where your workforce is highly aware of phishing attacks but may mistakenly think that cyber attackers only use email for attacks. From a training perspective, we recommend you teach people that cyber attackers can use a variety of different methods to trick people, including both email phishing and text-based smishing. For smishing, we do not recommend that you try to teach people about every different type of attack possible. Not only will this likely overwhelm your workforce, but cyber attackers are constantly changing their lures and techniques. Instead, as in phishing training, focus on the most commonly shared indicators and clues of an attack. This way, your workforce will be trained and enabled regardless of the method or lures cyber attackers use. Of note, the indicators below are the same indicators of an email phishing attack.

  • Urgency: Any message that creates a tremendous sense of urgency, trying to rush the victim into making a mistake. An example is a message from the government stating your taxes are overdue and if you don’t pay right away you will end up in jail.
  • Pressure: Any message that pressures an employee to ignore or bypass company policies and procedures. Gift card scams are often started with a simple text message.
  • Curiosity: Any message that generates a tremendous amount of curiosity or is too good to be true, such as a notice of an undelivered UPS package or of an Amazon refund.
  • Sensitive: Any message that requests (or requires) highly sensitive information such as your password or unique codes.
  • Tone: Any message that appears to be coming from a coworker, but the wording does not sound like them, or the overall tone is wrong.
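
As an added example (not from the original article): a triage function for user-reported text messages that tags the attack type described above (link, call-back, or conversation) and the shared indicators, and flags a named brand whose link goes somewhere other than that brand's domain. The keyword patterns, the brand table, the name `triage_sms` and the sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumed keyword patterns for four of the indicators listed above; "Tone"
# needs knowledge of the claimed sender and is left to the human reviewer.
INDICATORS = {
    "urgency": r"\b(immediately|right away|urgent|final notice|overdue)\b",
    "pressure": r"\b(gift cards?|keep this between us|bypass)\b",
    "curiosity": r"\b(undelivered|refund|prize|you have won)\b",
    "sensitive": r"\b(password|passcode|verification code|one-time code)\b",
}
# Brands named on this page mapped to the domains they actually use.
BRAND_DOMAINS = {"usps": "usps.com", "ups": "ups.com", "amazon": "amazon.com"}
URL_RE = re.compile(r"https?://[^\s<>\"]+", re.I)
PHONE_RE = re.compile(r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")

def host_matches(host, domain):
    # True only for the brand's own domain or a subdomain of it.
    return host == domain or host.endswith("." + domain)

def triage_sms(text):
    """Classify one reported message by attack type and shared indicators."""
    lowered = text.lower()
    urls = [u.rstrip(".,)!?") for u in URL_RE.findall(text)]
    hosts = [urlparse(u).hostname or "" for u in urls]
    indicators = sorted(k for k, rx in INDICATORS.items() if re.search(rx, lowered))
    # Brand is named, a link is present, and no link goes to the brand's domain.
    mismatch = sorted(
        brand for brand, domain in BRAND_DOMAINS.items()
        if hosts and re.search(rf"\b{brand}\b", lowered)
        and not any(host_matches(h, domain) for h in hosts)
    )
    # No link and no number means a possible conversation-style scam opener.
    kind = "link" if urls else "call-back" if PHONE_RE.search(text) else "conversation"
    # HTTPS is reported but never treated as a sign of legitimacy.
    uses_https = bool(urls) and all(u.lower().startswith("https://") for u in urls)
    return {"type": kind, "hosts": hosts, "indicators": indicators,
            "brand_mismatch": mismatch, "uses_https": uses_https}

# Constructed sample messages (not taken from any real campaign).
SAMPLES = [
    "USPS: package undelivered. Confirm your address immediately: https://usps-redelivery.example/track",
    "Amazon refund pending. Call 1-800-555-0100 and confirm your password.",
    "Hi, it's your manager. I need gift cards for a client, keep this between us.",
    "USPS: track your parcel at https://tools.usps.com/go/Track",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(triage_sms(msg))
```

The first sample shows why HTTPS alone proves nothing: the link is encrypted, yet the host is not the brand's domain.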

Smishing Minefield: Defusing Text Message Threats

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: Smishing


Feb 29 2024

Vishing, smishing, and phishing attacks skyrocket 1,265% post-ChatGPT

Category: Phishing | disc7 @ 8:40 am

76% of enterprises lack sufficient voice and messaging fraud protection as AI-powered vishing and smishing skyrocket following the launch of ChatGPT, according to Enea.

Enterprises report significant losses from mobile fraud

61% of enterprises still suffer significant losses to mobile fraud, with smishing (SMS phishing) and vishing (voice phishing) being the most prevalent and costly.

Enterprises account for a significant share of communication service provider (CSP) subscribers and an even greater share of their revenues. They depend on their CSP to protect them from telecom-related fraud, with 85% saying security is important or extremely important for their telecoms buying decisions.

Since the launch of ChatGPT in November 2022, vishing, smishing, and phishing attacks have increased by a staggering 1,265%.

61% of enterprise respondents said their mobile messaging fraud costs were significant, yet more than three-quarters don’t invest in SMS spam or voice scam/fraud protection.

51% said they expect their telecom operator to protect them from voice and mobile messaging fraud, citing their role as more important than that of cloud providers, managed IT providers, systems integrators or direct software vendors.

85% of enterprises say that security is important or extremely important for their telecoms purchasing decisions.

Only 59% of CSPs say they have implemented a messaging firewall, and just 51% said they have implemented a signaling firewall. 46% report adopting some threat intelligence service, essentially leaving a majority blind to new or morphing threats.

CSPs that prioritize security are better positioned to win enterprise business

Security leaders, characterized by better capabilities, better funding, and a higher prioritization of security, are less than half as likely as the followers to have a security breach go undetected or unmitigated (12% vs 25%). CSP security leaders are more likely to see security as an opportunity to generate revenues (31% vs 19%).

“We’ve observed the rapidly evolving threat landscape with growing concern, particularly as AI-powered techniques become more accessible to cybercriminals,” commented John Hughes, SVP and Head of Network Security at Enea.

“The stark increase in mobile fraud, particularly following the advent of advanced technologies like ChatGPT, underscores a critical need for enhanced network security measures. This survey highlights a significant disconnect between enterprise expectations and the current capabilities of many CSPs, and our ongoing mission is to help the sector bridge that gap and safeguard networks and users,” concluded Hughes.

Maintaining and enhancing mobile network security is a never-ending challenge for CSPs. Mobile networks are constantly evolving – and continually being threatened by a range of threat actors who may have different objectives, but all of whom can exploit vulnerabilities and execute breaches that impact millions of subscribers and enterprises and can be highly costly to remediate.

To bridge this gap, CSPs must overcome challenges such as a lack of skilled staff to handle potential security breaches, a lack of budget to invest in adequate security tools, and internal organizational complexity preventing them from prioritising security.

Phishing for Phools: The Economics of Manipulation and Deception

Investigation on Phishing Attacks and Modelling Intelligent


Tags: Smishing, vishing


Sep 04 2023

“SMISHING TRIAD” TARGETED USPS AND US CITIZENS FOR DATA THEFT

Category: Phishing | disc7 @ 10:30 pm

Resecurity has identified a large-scale smishing campaign, tracked as Smishing Triad, targeting US citizens.

Earlier episodes revealed victims from the U.K., Poland, Sweden, Italy, Indonesia, Japan and other countries. The group was impersonating the Royal Mail, New Zealand Postal Service (NZPOST), Correos (Spain), Postnord, Poste Italiane and the Italian Revenue Service (Agenzia delle Entrate). Similar scams targeting FedEx and UPS have been observed before.

The bad actors, attributed to Chinese-speaking cybercriminals, are leveraging a package-tracking text scam sent via iMessage to collect personal (PII) and payment information from victims, with the goal of identity theft and credit card fraud. The cybercriminal group behind the campaign has been named “Smishing Triad” because it leverages smishing as its main attack vector and originates from China.

Smishing is a form of phishing that involves a text message or phone number. Victims will typically receive a deceptive text message that is intended to lure the recipient into providing their personal or financial information. These scammers often attempt to disguise themselves as a government agency, bank, or other organization to lend legitimacy to their claims, for example, a postal service like the United States Postal Service (USPS), asking to pay additional delivery fees via credit card. Once the victim shares payment information, the bad actors use it for fraudulent purposes and unauthorized charges.

Anticipating a spike in this activity during the summer, USPS issued a timely warning about the growing risk of package-tracking text scams sent via SMS/iMessage. The spike was observed during August, with a large number of domain names registered by the attackers.

The notable detail of the “Smishing Triad” campaign is that the bad actors used solely iMessage, sent from compromised Apple iCloud accounts, as the main delivery method for malicious messages to victims, instead of traditional SMS or calls as was done in other scam campaigns like “PostalFurious” and “RedZei” observed by other researchers in the past.

“Smishing Triad” also attacks online-shopping platforms and injects malicious code to intercept customer data. Around July 19, 2023, a campaign conducted by the same actors was identified targeting popular online-shopping platforms with malicious scenarios containing a payment form impersonating Sumitomo Mitsui Banking Corporation (SMBC). Around the same time, customized forms were also identified impersonating the New Zealand Transport Agency and the Agenzia delle Entrate (the Italian Revenue Agency), which enforces the financial code of Italy and collects taxes and revenue.

The bad actors also distribute a fake online-shop engine (TrickyCart) that allows them to defraud consumers with a pseudo 3D Secure Payment form impersonating popular payment systems and e-commerce platforms including Visa, Mastercard and PayPal.

“Smishing Triad” has its own Telegram channel with over 2,725 members and several private groups. The actors are weaponizing other cybercriminals by selling them customized ‘smishing kits’ targeting popular U.S., U.K. and EU brands, starting at $200 per month on a subscription basis with further support. Resecurity has identified a group of domain names used by “Smishing Triad”, registered in the “.top” zone via NameSilo and protected by Cloudflare, around August 2023. Notably, some of the domain names are still functioning, as is the identified Telegram group managed by the actors.

After acquiring the ‘smishing kit’, Resecurity was able to identify a vulnerability acting as a hidden backdoor in the code, allowing the actors to silently extract collected personal and payment data from their clients. According to researchers, such scenarios are widely used by cybercriminals in password stealers and phishing kits, allowing them to profit from the efforts of their clients or at least to monitor their activity. Resecurity was able to recover over 108,044 records with victims’ compromised data in order to alert them about identity theft. The collected information has been shared with relevant law enforcement agencies and the United States Postal Inspection Service.

Resecurity highlighted that it may be complicated to disrupt such cybercriminal activity committed by foreign actors located in jurisdictions like China without proper law enforcement and industry collaboration. Therefore, Resecurity is sharing the information about the “Smishing Triad” with the wider community and network defenders to raise awareness and safeguard their customers.

Further technical details are available in the report published by Resecurity.

SCAM!: How to Avoid the Scams That Cost Victims Billions of Dollars Every


Tags: Smishing