1. 1 1 SMSishing Attacks Jim Horwath July 2012 GIAC GSE, GCUX, GCIA, GCIH, GREM, GSEC, GSIP

2. 2 What is SMSishing? SMSishing: Is criminal activity similar to phishing where SMS messages are sent to a mobile phone trying to scam users into responding to bogus messages (links/phone numbers/text messages). The SMS messages entice people to divulge personal information. Result: After user responds to the bogus message, charges start accumulating on the user’s cellular bill. Why: Most phone contracts do not have clauses in them protecting users from SMSishing scams. The attackers and cellular providers each profit from this scam.

3. 3 Why Do SMSishing Attacks Work? Human Emotion Fear: –Fear of loosing money –Fear of false accusations –Fear of harm to friends and loved ones –Fear of dark secret revelation The Weak Link: –Mobile devices lack protections to spot malicious messages –People think mobile devices are safe –Most recipients do not think twice about clicking on links in text messages

4. 4 How to Protect Against SMSishing Common Sense Approaches  Review bank and credit card policies on sending text messages  If you receive a message – ask if it sounds too good to be true  If you receive a message – ask if it is trying to instill fear in you  Use Text Alias Feature of cell providers  Enable “block texts from the Internet” feature is available from your cellular provider  Look carefully at the message for mistakes such as spelling and grammar errors

5. 5 SMSishing Summary Criminals will find the easiest and most lucrative way to make money Mobile devices are common among all demographics Mobile devices are a perfect target for criminals Mobile devices lack protection against SMSishing Leverage available controls from cellular companies Use common sense when sending and receiving text Review cellular contracts for “scam protection” clauses Know policies of financial companies you use Educate family and friends to SMSishing attacks