SMS phishing (smishing) is nothing new - and the scams are getting better...
Most people are aware of phishing scams: an email sent to the customers or users of a targeted website that links to a well-crafted impostor site, in an attempt to get the victim to enter a username and password (or more) that the scammer captures for later use.
Smishing is the same thing, but it uses a text (SMS) message as the initial delivery vehicle: a short message and a link/URL that gets the customer to the attacker's website.
This isn't exactly new. Smishing scams have been around for many years, and as we move away from landlines and mobile phones become ubiquitous, we're sure to see more of these attacks. Some references indicate that SMS attacks have been seen as early as 2012. That really isn't surprising given that the iPhone has been around for almost 10 years now.
What is surprising is that I, personally, have only seen this once or twice in those same 10 years. In today's case, I received a smishing scam with the source ID of a known sender (the same one that sends out the Symantec Deep Sight alerts) that made reference to Wells Fargo - a bank that I happen to use. This was an unusual message to receive, and it made me stop to think about how sophisticated these scams are getting.
While this particular message was well targeted, it was only marginally well crafted. The message itself used proper English (an improvement), but the URL was obviously not an officially owned URL. It turns out that the domain registrant's street address and phone number are listed in Texas and - at the time of this writing - may be underwater as a result of Hurricane Harvey. If that was intentional, it's a smart (and evil) ploy to use a contact in a disaster-affected area.
I also found it interesting that the URL includes a reference to SSL, making it clear that the perpetrators believe their targets know what that means and hope the URL will instill trust. Ironically, neither the URL nor the site is actually SSL protected, so any information sent to the imposter's website would travel over cleartext HTTP anyway - obviously not good, and not the level of maturity one would expect from a major financial institution.
The message was also not unique in any way. The exact same message could be sent to multiple recipients (which it probably was), and it includes no tracking detail such as a GUID or phone number that would tell the sender which SMS messages went through successfully. While this is great for analysis, it's another indicator that the message wasn't actually coming from a major financial institution. Unfortunately, I'm sure we'll see better in the future.
I had the opportunity to do a deep analysis of this site through a secure browsing solution from Cyberinc (side note: I do contract work for Cyberinc) and found that the scammers used the proper Wells Fargo icons, favicons, colors, and even the stagecoach. These were all hosted on the site itself, but the page looks nothing like the actual Wells Fargo login page. Yes, this page accepts ANY credentials offered and then goes even further, asking for more information including your Social Security #, credit card # and ATM PIN!
I'm surprised they didn't ask you to update your security questions at the same time! They did ask for full validation of the additional information, with a few odd quirks:
- The Social Security Number field allows one extra digit (10 digits instead of 9) but not two, which means dashes can't be entered.
- The credit card number is actually validated! Invalid card number formats are rejected.
- The expiration date is in an unusual format (four-digit year) and isn't validated.
- The ATM PIN isn't actually verified; different numbers can be entered.
The final page asks for a security code to "verify your identity", an access code that was supposedly sent to your phone. This is an interesting ask. It's possible that they used the frmPhoneNumA autofill field that Chrome uses to populate the phone number in their web page code, but that didn't appear to happen. In any event, there isn't a phone number associated with the browser I was using, so I never received a confirmation, and that didn't appear to matter anyway. Any "code" will do, and then the web page dutifully sends you off to the actual Wells Fargo site - just to be helpful.
It's amazing to me how much time and effort goes into these smishing (and phishing) scams. Barkley has a great (although single-perspective) blog on 2017 phishing that summarizes the direction things are heading. You can expect the same growth for smishing, since this vector bypasses many of the mitigations already in place for email and goes directly to the end user.
As information security professionals, we have an obligation to help educate the public: a few simple steps will keep them secure, make smishing less lucrative, and (with a bit of luck) cause it to decrease over time rather than follow the tremendous increase we've seen with phishing.
To that end, here are three simple steps anyone can take to avoid getting hooked by a smishing/phishing scam:
- Think before you click! Don't be so quick to click "OK" on those popups or to open a new text message. Realize that an electronic message could actually be coming from anywhere. As for links - I almost never click on a link in an email or SMS unless it was specifically requested from a trusted source.
- Skip the link! Our vendors all try to make it easy for us to "click here to login", but this is exactly the loophole scammers use to hook us. If you receive a message that your bank data is compromised, close the message (without clicking on any links), open a new window and go directly to the bank's website - securely. If you're not able to log in normally, or are concerned about doing so, call the bank directly. If your credit card has been "used" to purchase something questionable, call the number on the card. That's what it's there for.
- Verify before you give any information! Any time you hand over information, via email, web page, or even over the phone, make sure you're giving it to a known entity over a secure transport. If someone calls from "the bank" asking you to verify a fraud alert, hang up and call the bank directly. The same goes for a web link (see #2). When you're on a website, check that you're using secure transport (an HTTPS connection) and that the address is the bank's own domain, not a lookalike with "secure" or "ssl" tucked into the name. Does it look the same as usual? If not, why not? What changed? Is there another method you can use that you're more familiar with?
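As an added example (not code from the original post), here is a small Python triage helper that mechanizes the checks behind steps 2 and 3 and the observations earlier in the post: whether the link is plain HTTP, whether its registrable domain is one the bank actually owns, whether it leans on trust words such as "ssl" in the hostname or path, and whether it carries a per-recipient tracking token in the query string. The brand name, the allowlist of official domains, and the three sample URLs are constructed for the illustration and are not the real lure; the registrable-domain logic is a deliberate two-label simplification.

```python
import re
from urllib.parse import parse_qs, urlparse

# Words that lure kits put in hostnames and paths to look trustworthy.
TRUST_BAIT = ("ssl", "secure", "verify", "login", "account", "alert")


def registrable_domain(host):
    """Return the last two labels of a hostname.

    Assumption: good enough for .com-style names; production code should
    consult the Public Suffix List instead of counting labels.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def triage_sms_link(url, brand, official_domains):
    """Return a list of finding tags for a link received by SMS.

    brand            -- the brand the message impersonates, e.g. "wellsfargo"
    official_domains -- registrable domains the brand really owns
    """
    findings = []
    # Links in SMS often omit the scheme; urlparse needs one to find the host.
    parts = urlparse(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()

    # 1. No TLS: anything typed into the page travels in cleartext.
    if parts.scheme != "https":
        findings.append("cleartext-http")

    # 2. Wrong domain: the one check that really matters.
    unofficial = registrable_domain(host) not in official_domains
    if unofficial:
        findings.append("unofficial-domain")
        if brand.lower() in host:
            findings.append("brand-lookalike-host")
        # 3. Trust words only count on a domain the brand does not own;
        #    the genuine login page is allowed to say "login".
        haystack = host + parts.path.lower()
        hits = [w for w in TRUST_BAIT if w in haystack]
        if hits:
            findings.append("trust-bait:" + ",".join(hits))

    # 4. A long opaque query value usually identifies the recipient, letting
    #    the sender learn which numbers are live (the lure in the post had none).
    for values in parse_qs(parts.query).values():
        if any(len(v) >= 16 and re.fullmatch(r"[A-Za-z0-9_-]+", v) for v in values):
            findings.append("per-recipient-token")
            break

    return findings


def is_suspicious(findings):
    """Cleartext transport or an unofficial domain is enough to refuse the link."""
    return "cleartext-http" in findings or "unofficial-domain" in findings


# Constructed sample URLs for illustration; none is the real lure from the post.
SMISH_URL = "wellsfargo-ssl-verify.example/login/"  # no scheme, as in an SMS
GENUINE_URL = "https://www.wellsfargo.com/login"
TRACKED_URL = "http://wf-secure.example/a?u=9c1e6b4d2f8a4b7e"

if __name__ == "__main__":
    for u in (SMISH_URL, GENUINE_URL, TRACKED_URL):
        f = triage_sms_link(u, "wellsfargo", {"wellsfargo.com"})
        print("SUSPICIOUS" if is_suspicious(f) else "ok", u, f)
```

The domain allowlist does the real work; the trust-word and token checks only add context for an analyst, which is why `is_suspicious` ignores them. Note that a lookalike such as `wellsfargo.com.evil.example` still resolves to the registrable domain `evil.example` and is rejected.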
At the end of the day, it's our responsibility to protect ourselves. Because these attacks are so lucrative, they will continue to get better and better. Soon we won't be able to tell the difference between an actual alert and a smishing attempt. With a few simple steps, we can stay one step ahead of the attackers - for now.
--SMartin