Phishing vs SMiShing

What can fit into your pocket, take selfies at an alarming rate, and own your whole corporate network? If you guessed your phone or tablet, you win the door prize. That little social media box that so many are connected to 24/7, has been used for an alarming increase in an attack called SMiShing, or SMS phishing. SMiShing is a type of phishing attack where mobile phone users receive text messages containing a Web site hyperlink, which, if clicked would download a Trojan horse to the mobile phone.

The alarming increase in the way mobile phones are being used to phish. Once a phone or mobile device is compromised, and malware is loaded on it, passwords can be scraped, contact lists can be harvested, and if that device connects to your BYOD (Bring Your Own Device) network, I am sure you can imagine what the potential consequences could be, notwithstanding the corporate secrets that can be compromised with this device.

So, what is the lesson? Yes, BYOD can save your company money, but before you just jump on that bandwagon, really think about what you allow your people to access over their devices and if they are allowed to connect that device to your network.

Here are some stats from the 2015 Verizon DBIR report:

  • More than 2/3 of all espionage cases involved phishing attacks
  • 23% of recipients now open phishing messages, and 11% click on attachments
  • It takes only 82 seconds on average for hackers to get their first victim in a phishing campaign

A recently discovered and sophisticated fraud scheme run by a well-funded Eastern European gang of cyber criminals uses a combination of phishing, malware and phone calls that has netted large amounts of money from large and medium-sized companies.

The attackers have been targeting people working in companies by sending phishing emails and SMiShing attacks with unsafe attachments to get a variant of the malware known as Dyre into as many devices as possible.

Now here is the scary bit, if installed, the malware waits until it recognizes that the user is navigating to a bank website and instantly creates a fake screen telling the user that the bank’s site is having problems and to call a certain number.

If users call that number, they get through to an English-speaking operator who already knows what bank the users think they are contacting. The operator then elicits the users’ banking details and immediately starts a large wire transfer to take money out of the relevant account.

What’s very different in this case is the attackers to use a set of social engineering techniques that are unprecedented. The use of a live phone operator is what makes the scheme unique.

Once the transfer is complete, the money is then quickly moved from bank to bank to evade detection. In one instance the gang hit the victim company with a denial of service attack, essentially bringing down their Web capabilities, so it would not discover the theft until much later.

We recommend that companies make sure employees are trained in spotting phishing attacks and SMiShing attacks, especially on BYOD devices, where attachments can infect a device and subsequently, the network, and to never provide any private or corporate credentials to anyone.

Popular Posts