Almost everyone these days has heard of or had experience with the email-based attack known as Phishing. An attacker sends an email pretending to be a legitimate sender and attempts to manipulate their victim using a variety of social engineering tactics to get them to disclose sensitive information, click on a link, or open a malicious file. Some of these emails are incredibly sophisticated and polished, whereas others are easy to recognise as potentially dubious.
Although phishing occurs in many shapes and forms, it leverages only one type of communication medium – email. Attackers have now expanded similar social engineering attacks to cover a wider variety of communication tools. Phishing attacks conducted over the phone are known as Vishing – a combination of the words “Voice” and “Phishing”; attacks that leverage social media are known as Angler Phishing; and attacks conducted via text messages are known as Smishing, a combination of SMS (Short Message Service) and Phishing.
Social engineering focuses on exploiting human trust, and these attacks are often paired with technical exploits. These may include an attachment sent in the text message which may contain malware, or a link that redirects users to a malicious website. Attackers often pose as a legitimate company, such as a bank, healthcare provider or postal service, to reduce scepticism and entice victims into accessing the malicious content. They may also use techniques that prey on their target’s emotions such as fear, urgency and desire, or use situational context to make their message seem more genuine. The method of compromise varies: the message may try to get the victim to respond, provide a phone number for the victim to call (converting the attack into a Vishing attack), prompt the user to interact with a file or link, or ask the victim to send the attacker money.
Recently, a smishing campaign has been targeting New Zealanders, which you can read more about in our Cyber Guidance Issue 0205.
Targets are selected in many ways. Victims may be associated with a particular organisation, industry or demographic, but mostly these are “spray” attacks, where a high number of people are targeted at random in the hope that a percentage of them will take the bait and fall victim to the attack. Often in these types of attacks, the malware that is installed includes a feature that harvests the contacts stored on the mobile phone and in other applications and sends them back to the attacker’s Command and Control (C2) server, providing the attacker with more victims. Some are even clever enough to self-propagate and send malicious messages to those contacts all by themselves.
Once the attacker has the information they are seeking, they can use it in a number of ways. This could be to gain trust and access to other individuals or further sensitive information, acquire funds through various methods of theft, commit identity theft or fraud, or leak company data.
Smishing attacks evolve quickly so it can be difficult to identify specific types or provide a comprehensive list of examples. Recently there have been a number of COVID-19 related smishing campaigns preying on the fear and uncertainty created by the global pandemic. Financial services are also often impersonated from banks, insurance providers and lenders to investment schemes. Invoicing or receipt confirmation and parcel delivery services are growing in popularity and smishing messages offering customer support services or letting you know about a problem with an account, device, or security risk are also common. The offer of a gift, freebies, competition winner announcements, sneak peeks or pre-order offers can also be enticing to targets making them ideal for a smishing campaign.
Most users have a false sense of confidence when it comes to text message safety and using their phone. Smartphone security has its limits, and it is often difficult to protect against malicious text messages. Users don’t often associate text messages or voice calls with a potential cyber or information security risk. While awareness of phishing may be high, attention should be paid to the various other methods of social engineering when training your staff to identify potential threats. It is important to provide them with the tools to recognize the threat, know what to do and how to verify legitimacy before proceeding with requests received via phone, email, text message, or social media. It is less effort for an attacker to find a valid phone number than an email address, as they only have to consider numbers and the structure of those numbers for the targeted country. With attackers requiring only a touch of trust and a short lapse in judgement to succeed, the risks are high for users and rewards potentially lucrative for attackers.
Some key takeaways to assist with preventing a successful compromise from a suspected smishing message are:
If you suspect you may be the victim of a smishing attack, reach out to CERT NZ, Netsafe or your business IT service provider for assistance and advice. You should change your passwords and account PINs and monitor your finances for strange or unexpected activity. If you suspect your bank account or credit card may have been compromised, contact your bank immediately and put a freeze on your accounts.
The team at Unisphere Solutions Ltd are always available for advice and guidance. Contact us today!
Unisphere Solutions - Powered by Capacitate Group