SMSishing Attacks
Jim Horwath, July 2012
GIAC GSE, GCUX, GCIA, GCIH, GREM, GSEC, GSIP


What is SMSishing?

• SMSishing: Criminal activity similar to phishing, in which SMS messages are sent to a mobile phone to scam users into responding to bogus messages (links/phone numbers/text messages). The SMS messages entice people to divulge personal information.

• Result: After the user responds to the bogus message, charges start accumulating on the user’s cellular bill.

• Why: Most phone contracts do not have clauses in them protecting users from SMSishing scams. The attackers and cellular providers each profit from this scam.


Why Do SMSishing Attacks Work?

• Human Emotion: Fear
  – Fear of losing money
  – Fear of false accusations
  – Fear of harm to friends and loved ones
  – Fear of dark secret revelation

• The Weak Link:
  – Mobile devices lack protections to spot malicious messages
  – People think mobile devices are safe
  – Most recipients do not think twice about clicking on links in text messages


How to Protect Against SMSishing

• Common Sense Approaches
  – Review bank and credit card policies on sending text messages
  – If you receive a message, ask if it sounds too good to be true
  – If you receive a message, ask if it is trying to instill fear in you
  – Use the text alias feature of cell providers
  – Enable the “block texts from the Internet” feature if available from your cellular provider
  – Look carefully at the message for mistakes such as spelling and grammar errors


SMSishing Summary

• Criminals will find the easiest and most lucrative way to make money

• Mobile devices are common among all demographics

• Mobile devices are a perfect target for criminals

• Mobile devices lack protection against SMSishing

• Leverage available controls from cellular companies

• Use common sense when sending and receiving texts

• Review cellular contracts for “scam protection” clauses

• Know policies of financial companies you use

• Educate family and friends about SMSishing attacks