SMSishing Attacks
Jim Horwath, July 2012
GIAC GSE, GCUX, GCIA, GCIH, GREM, GSEC, GSIP

What is SMSishing?

• SMSishing: Criminal activity similar to phishing, in which SMS messages are sent to a mobile phone to scam users into responding to bogus messages (links/phone numbers/text messages). The SMS messages entice people to divulge personal information.
• Result: After the user responds to the bogus message, charges start accumulating on the user’s cellular bill.
• Why: Most phone contracts have no clauses protecting users from SMSishing scams. The attackers and the cellular providers each profit from this scam.

Why Do SMSishing Attacks Work?

• Human Emotion: Fear
  – Fear of losing money
  – Fear of false accusations
  – Fear of harm to friends and loved ones
  – Fear of dark secret revelation
• The Weak Link:
  – Mobile devices lack protections to spot malicious messages
  – People think mobile devices are safe
  – Most recipients do not think twice about clicking on links in text messages

How to Protect Against SMSishing

• Common Sense Approaches
  – Review bank and credit card policies on sending text messages
  – If you receive a message, ask if it sounds too good to be true
  – If you receive a message, ask if it is trying to instill fear in you
  – Use the Text Alias feature of cell providers
  – Enable the “block texts from the Internet” feature if available from your cellular provider
  – Look carefully at the message for mistakes such as spelling and grammar errors

SMSishing Summary

• Criminals will find the easiest and most lucrative way to make money
• Mobile devices are common among all demographics
• Mobile devices are a perfect target for criminals
• Mobile devices lack protection against SMSishing
• Leverage available controls from cellular companies
• Use common sense when sending and receiving texts
• Review cellular contracts for “scam protection” clauses
• Know the policies of the financial companies you use
• Educate family and friends about SMSishing attacks