SMiShing - an emerging threat vector
Friday August 25, 2006 at 3:06 pm CST
Posted by David Rayhawk
Some cell phone users have started receiving SMS messages along these lines: “We’re confirming you’ve signed up for our dating service. You will be charged $2/day unless you cancel your order: www.smishinglink.com“. (This is an example and was not a real url at the time of writing)
This phenomena, which we at McAfee Avert Labs are dubbing “SMiShing” (phishing via SMS), is yet another indicator that cell phones and mobile devices are becoming increasingly used by perpetrators of malware, viruses and scams.
While some might recognize this as a scam, many unsuspecting users would not. Fearful of incurring premium rates on their cell phone bill, they visit the Web site highlighted in the message. Once they arrive at the URL, they are prompted to download a program which is actually a Trojan horse that turns the computer into a zombie, allowing it to be controlled by hackers. The computer then becomes part of a bot network, which can then be used to launch denial of service attacks, install keylogging software and steal personal account information and other malicious activities. Because monitoring botnet activity is complex, it is challeging to know the current scope of the problem.
Imagine the threat to enterprise networks once hackers learn how to fully exploit SMiShing techniques. Most large enterprises have thousands of employees, using a variety of devices to access their networks. Despite their best efforts to issue safety guidelines, IT security staff cannot control human behaviour-especially in light of the fact that mobile-users have not (yet) learned to treat their phones with the same level of concern that they apply to their laptops. Mobile devices present a serious challenge to data security, with the potential to infect both carrier and enterprise networks.
Enterprises would be wise to keep a close eye on this issue and think about policies for securing their mobile devices ahead of time, rather than playing catch up when it hits them, and begin to educate their employees about the potential risk now.
October 31st, 2006 at 10:45 am
[…] Here’s our take on the situation: modern cell phones (”smartphones”) are miniature, portable computers-and they will bring along all the same problems with them as the technology matures: Virus, spam, phishing (or smishing), and people stealing data from lost, stolen, recycled, or resold devices. […]
October 31st, 2006 at 10:57 am
[…] Trackback Only a little while ago we were discussing the possibility of someone taking the techniques of phishing by email and porting them to SMS. SMiShing instead of phishing. […]
November 13th, 2006 at 12:12 pm
Please, please, for the love of science stop coming up with more names for things that we arleady have names for. Phishing is phishing, SPAM is SPAM, regardless of the transport or delivery mechanims. Phishing over SMS (SMiShing???) is still just phishing, SPAM over Internet Telephony (SPIT) is still just SPAM. SPAM over Instant Messenger (SPIM) is, again, still just SPAM. There’s no point in differentiating so granularly other than to deliberately cause confusion. Of course, if you discover something truely unique, by all means coin a new term for it.
Also, is this even technically phishing? It has the fake message component, however the collecting of personal information component is only one of the mentioned potential effects of installation of the trojan. If it were truly phishing I would expect the website to be collecting authentication credentials or something. The fact that the website provides a trojaned piece of software would make me expect it to be far more likely that the compromised host would be used as part of a botnet. This sounds much more like a common virus/trojan delivery technique than a phishing attack.
November 27th, 2006 at 1:46 am
[…] You are probably overwhelmed with lot of new and various words and acronyms that you can hear or read everywhere. Here is one more: SMiShing. McAfee Avert Labs Blog in its post (I saw this word for first time there), considers SMiShing as an emerging threat vector. Some cell phone users have started receiving SMS messages that call them to visit various web sites or that are fake confirmation about signing to various online services. […]