Posted by Trevagh Stankard on Thu, May 6th, 2021
Phishing is not a new technique for experienced cyber attackers, but when campaigns target large groups of people and the method is turned into a business, investigations and arrests can follow. During the pandemic lockdowns, phishing spiked to unprecedented levels, and many of the attacks used SMS text messages. In the UK, a group of attackers from Birmingham was recently arrested for offering mass text messages used to trick users into divulging their login credentials. The attackers had a website and advertised on numerous platforms, and their brazen attempts to defraud people led to a warrant for arrest.
SMS Bandits Phishing and Text Spam
Email filters are good at blocking spoofed senders and malicious message content, but text messages rarely have any cybersecurity in place. When you receive a text message, you see a link or a phone number asking that you respond to it. Users rarely suspect phishing in text messages, so “smishing” (the name for phishing in SMS messages) is a newer form of attack that bypasses typical email cybersecurity filters.
The group of attackers called themselves the SMS Bandits. They advertised across several mediums and even offered to host the malicious landing pages using a provider that would not take down rule-breaking content. The text messages included a link to a malicious web page that asked users to enter their login credentials and other sensitive information. Normally, a provider would take down a page proven to be phishing for sensitive information, but the attackers promised that their website host would leave up content regardless of reports.
SMS Bandits promised to flood numerous phone numbers with smishing messages for a low price between $40 and $125 per week. They named the service OTP Agency, and it offered continuous smishing attacks every week where the link included in the malicious message would point to a page of your choice.
In addition to offering smishing attacks, the SMS Bandits offered “bulletproof hosting,” meaning the attack site could not be taken down by standard legal efforts. Usually, these attacks fail when the site is reported and taken down by the host. To ensure that the customer could collect as much data as possible, bulletproof hosting made it difficult for anyone to have the site taken down or subpoena the host to get the attacker’s information.
Because the smishing attacks could be customized, the targeted victims in the attacks could be small businesses, large businesses, and even individuals. All targets should be aware of the dangers of smishing, and corporations in particular should educate their users about them. It’s not uncommon for corporate espionage attacks to start with phishing or smishing attacks where a competitor will steal user credentials or install malware on a targeted device. With this data, an attacker could then obtain intellectual property or private corporate information that could be damaging to an organization’s internal marketing advantage.
What You Can Do to Protect from Smishing
Since smishing does not use email, it’s much more common for users to trust the text message sender and click the link. The best defense against this attack is to educate users. Smishing uses the same tricks and methods as a phishing attack. The message promises discounts or money in exchange for clicking a link and entering private data. If this data happens to be corporate data, then it would be disclosed to an attacker.
Users should be taught about smishing in addition to their phishing awareness training. You can use email filters to protect against phishing, but SMS text messages use a cellphone plan and have no interaction with email servers. The organization must rely on users identifying a malicious message and ignoring it.
Smishing messages often use short links, so users cannot see the site behind the URL. Short links are the first red flag that indicates the message is smishing. The second red flag is promising money or discounts. Both components in one message indicate that the message is malicious. Users can either ignore the message or delete it.
Because smishing can be used against corporate employees, organizations should always educate users on the signs and dangers. Never disclose credentials to any third party and, even more importantly, never enter credentials on a website reached through a link. This includes linked sites in a text message but also sites linked in an email. If a text message includes a short link, users should immediately be suspicious. Never click short links in a text message, and alert security staff if it mentions employees or the business by name.
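For security staff who receive reported text messages, the two red flags above (a short link and a promise of money or discounts) and the advice to escalate messages that name the business can be turned into a simple triage check. This is an added example, not code from the original article; the shortener list, the lure vocabulary, the `triage_sms` function, and the sample messages are assumptions constructed for illustration.

```python
import re

# Assumption: a small, non-exhaustive set of public URL-shortener hosts.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "ow.ly", "is.gd", "cutt.ly"}
# Assumption: vocabulary standing in for "promising money or discounts".
LURE_RE = re.compile(
    r"\b(refund|rebate|prize|reward|cash|money|discount|voucher|won)\b|[$£€]\s?\d",
    re.I,
)
# SMS links often omit the scheme ("bit.ly/x"), so the scheme is optional.
URL_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?", re.I)


def triage_sms(text, org_terms=()):
    """Score one reported SMS against the red flags described in the article."""
    # Normalise every host-like token so "WWW.Bit.ly" and "bit.ly" compare equal.
    hosts = {re.sub(r"^www\.", "", h.lower()) for h in URL_RE.findall(text)}
    short_link = bool(hosts & SHORTENERS)
    lure = bool(LURE_RE.search(text))
    names_org = any(term.lower() in text.lower() for term in org_terms)
    if short_link and lure:
        verdict = "likely smishing"   # both red flags in one message
    elif short_link or lure:
        verdict = "suspicious"        # a single red flag
    else:
        verdict = "no red flags"
    return {
        "verdict": verdict,
        "short_link": short_link,
        "lure": lure,
        # Flagged messages naming the business or staff go to the security team.
        "escalate": names_org and verdict != "no red flags",
    }


# Constructed sample messages; "Acme" is a hypothetical organization name.
SAMPLES = [
    "You are owed a £120 tax refund. Claim now: bit.ly/3xAmPlE",
    "Acme staff: payroll update required, sign in at https://tinyurl.com/acme-hr",
    "Your parcel is ready for pickup at the front desk.",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(triage_sms(msg, org_terms=("Acme",)), "<-", msg)
```

A check like this only sorts reports for review; a message with no red flags is not thereby proven safe.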