SMSishing Attacks
Jim Horwath, July 2012
GIAC GSE, GCUX, GCIA, GCIH, GREM, GSEC, GSIP
What is SMSishing?
• SMSishing: Criminal activity similar to phishing, in which SMS messages are sent to a mobile phone to scam users into responding to bogus messages (links/phone numbers/text messages). The SMS messages entice people to divulge personal information.
• Result: After the user responds to the bogus message, charges start accumulating on the user’s cellular bill.
• Why: Most phone contracts do not have clauses in them protecting users from SMSishing scams. The attackers and cellular providers each profit from this scam.
Why Do SMSishing Attacks Work?
• Human Emotion: Fear
    • Fear of losing money
    • Fear of false accusations
    • Fear of harm to friends and loved ones
    • Fear of dark secret revelation
• The Weak Link:
    • Mobile devices lack protections to spot malicious messages
    • People think mobile devices are safe
    • Most recipients do not think twice about clicking on links in text messages
How to Protect Against SMSishing
• Common Sense Approaches
    • Review bank and credit card policies on sending text messages
    • If you receive a message, ask if it sounds too good to be true
    • If you receive a message, ask if it is trying to instill fear in you
    • Use the text alias feature of cell providers
    • Enable the “block texts from the Internet” feature if it is available from your cellular provider
    • Look carefully at the message for mistakes such as spelling and grammar errors
SMSishing Summary
• Criminals will find the easiest and most lucrative way to make money
• Mobile devices are common among all demographics
• Mobile devices are a perfect target for criminals
• Mobile devices lack protection against SMSishing
• Leverage available controls from cellular companies
• Use common sense when sending and receiving texts
• Review cellular contracts for “scam protection” clauses
• Know the policies of the financial companies you use
• Educate family and friends about SMSishing attacks