Consumers and businesses are urged to become more aware of the growing trend of SMS phishing and to keep their wits about them.
In the past, SMS phishing generally involved a text message with a single link to a fake account login page.
Over the course of a recent week, researchers at cyber security company Proofpoint received and investigated SMS-based phishing messages purporting to be from a major US bank. The messages were sent from both an email address and a phone number, and carried legitimate-looking links.
But instead of taking users directly to a phishing form or site, the links (shown in the first two images below) eventually take users to the page shown in the final image.
This technique defeats many phishing filters because the brand name is rendered as an image rather than text, so it cannot be parsed by a machine. After six seconds, victims are automatically redirected to the real phishing site.
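One defender-side check that the interstitial described above suggests, written here as an added example that is not from the Proofpoint research or this article: a small scanner that flags a landing page whose only "content" is an image, with almost no parsable text and a timed meta-refresh redirect. The two HTML documents, the domain name and the 40-character text threshold are constructed for the example, not taken from the campaign.

```python
"""
Added example (not part of the Proofpoint write-up): a defensive heuristic that
flags landing pages built the way the article describes, i.e. a page whose
"brand" is only an image, that carries almost no parsable text, and that
redirects the visitor after a delay with a <meta http-equiv="refresh"> tag.
The sample HTML below is constructed for this example; the domain names are
placeholders (reserved .invalid TLD), not real indicators.
"""
import re
from html.parser import HTMLParser

# Matches the content attribute of a meta refresh: "6; url=http://..."
META_REFRESH_RE = re.compile(r"^\s*(\d+)\s*;\s*url\s*=\s*['\"]?([^'\"]+)", re.I)


class LandingPageScanner(HTMLParser):
    """Collects the features the heuristic needs from one HTML document."""

    def __init__(self):
        super().__init__()
        self.images = 0
        self.text_chars = 0
        self.refresh = None  # (delay_seconds, target_url) if found
        self._skip = 0       # depth inside <script>/<style>, whose text is not visible

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if tag == "img":
            self.images += 1
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = META_REFRESH_RE.match(a.get("content") or "")
            if m:
                self.refresh = (int(m.group(1)), m.group(2).strip())
        elif tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.text_chars += len(data.strip())


def scan_landing_page(html, max_text_chars=40):
    """Return the extracted features plus a verdict.

    'suspicious' is True when the page has at least one image, very little
    visible text (so a text-based brand or keyword filter sees nothing), and a
    timed meta-refresh that sends the visitor somewhere else. The threshold is
    an assumption chosen for this example.
    """
    p = LandingPageScanner()
    p.feed(html)
    p.close()
    result = {
        "images": p.images,
        "text_chars": p.text_chars,
        "refresh_delay": p.refresh[0] if p.refresh else None,
        "refresh_target": p.refresh[1] if p.refresh else None,
    }
    result["suspicious"] = bool(
        p.images >= 1 and p.text_chars <= max_text_chars and p.refresh is not None
    )
    return result


# Constructed sample: an image-only interstitial with a six-second redirect.
INTERSTITIAL_HTML = """<html><head>
<meta http-equiv="refresh" content="6; url=http://login-verify.example.invalid/step1">
<title></title></head>
<body><img src="brand-logo.png" alt=""></body></html>"""

# Constructed sample: an ordinary page with real text and no timed redirect.
NORMAL_HTML = """<html><head><title>Example Bank</title></head>
<body><h1>Example Bank</h1><img src="logo.png" alt="logo">
<p>Welcome to online banking. Sign in to manage your accounts.</p></body></html>"""

if __name__ == "__main__":
    for name, doc in (("interstitial", INTERSTITIAL_HTML), ("normal", NORMAL_HTML)):
        print(name, scan_landing_page(doc))
```

The check only recognises the structural pattern (image, no text, timed redirect); it does not judge the brand in the image. A production filter would also follow the `refresh_target` and compare the destination against the brand's known domains, which is where the redirect described in the article would be caught.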
The phishers then present a clever three-step verification that begins with the victim’s phone number and post code instead of more ‘traditional’ phishing sites that begin by asking for passwords and usernames.
Victims are then prompted to enter an email address in the next step of the fake verification process. If recipients enter a Gmail address, they are presented with a bogus Gmail login page, creating what appears to be a trustworthy site and account verification transaction. If victims enter their password, the attackers gain control of the Gmail account and can reset passwords for any other services attached to the email address.
If victims instead enter a Yahoo! email address, they are presented with a similar Yahoo! login as the final step in the phishing attack. At this stage of the phish, attackers have already captured their victim’s phone number, post code, email address, and email password.
The final stage of the attack brings victims back to the bank phishing site and prompts victims to enter credit card information and their social security number. Even if recipients become suspicious at this point, attackers already have a phone number and access to an associated email account.
For many providers, this is enough data to port the phone number away from the original provider and take control of a victim’s online identity. In many cases, recipients will also enter credit card data and social security numbers, allowing the attackers to immediately engage in financial fraud and identity theft as well.
Because there are no commercially available SMS inbound filtering products as there are with email, attackers have discovered that sending SMS messages can be highly effective at tricking users.
This gap in defences is underlined by the small screens of mobile devices, which make it difficult to tell whether a website is legitimate or fake.