SMiShing – a phishing based threat against the Mobile Channel.
SMiShing is a phishing based attack that leverages the Short Message Service (SMS) or phone based text message. SMiShing or Smishing has been around for many years now so it is not a new threat but a persistent threat that is evolving.
With SMiShing the criminals often leverage a known or trusted brand, such as a bank, to send a text message to an unsuspecting individuals phone in an attempt to get the victim to divulge personal information such as banking credentials, credit card details, username/passwords etc. As with traditional phishing, SMiShing has a social engineering component with a call to action for the victim that requires an immediate response.
Although SMiShing has been around for some time now, we are starting to see a resurgence of SMiShing attacks against our banking customers and their end user client base, across multiple geographies. This kind of attack runs parallel to the large mobile banking uptake as the criminal seeks to attack the mobile channel via another vector.
There are many forms and variables to SMiShing based attacks but our 24×7 GSOC Security Analysts routinely see three main types of attacks. The first type is more like a traditional phishing attack where the text message contains a phishing URL and the victim is redirected to phishing sites on the internet. This really is a phishing attack, however, the email vector has been replaced with a telco network SMS delivery channel. A second popular type of SMiShing that we see is where the call to action is for the victim to call a “fake’ phone number to confirm personal information, account numbers, banking credentials etc. A third type of SMiShing that is more of an emerging threat is where the SMS message is used to deliver a malicious payload to the victim’s mobile phone – kind of a drive by download – sent the victims phone and then victim clicks on the link to download the malicious code – bang a new infection.
Criminal networks can easily distribute SMS spam, however, based on mobile phone number prefixes, such spam can become fairly targeted and highly effective. SMiShing is becoming a tool of choice on a global scale as more consumers access the internet through a mobile device compared to a traditional home/office PC.
Mobile banking and mobile payments are leveraging the era of the wide and broad uptake of mobile and smart devices – which is seeming to provide much incentive for the criminal to revamp an older tool kit – SMiShing!!