May 25

SMiShing - The new playing field for scammers

Tag: Security | Michael Lind Mortensen @ 1:23 pm

So I read this article today on Comon.dk: http://www.comon.dk/news/forste.store.smishing-angreb.i.danmark_36080.html

It’s Danish, so if you followed the link and thought to yourself: “What the f*ck?” - that’s probably because you’re not Danish, so let’s start with me explaining what the article says!

The article talks about the first big SMiShing attack in Danish history and features comments from Danish security expert Peter Kruse (CSIS Security Group). Now, for all of you who don’t know what SMiShing is: SMiShing is basically just an SMS-oriented way of doing Phishing. So instead of trying to lure a victim to a fake website (which is Phishing), SMiShing tries to scam you into calling a specific number with something like “Hey, you won 10 million dollars. Call #somenumber# to claim your prize”. So what’s really dangerous about this? Are people really going to fall for something like this? - A lot of stuff, and yes!

Let’s have a look at the SMS sent to a bunch of Danes the other day:

“Your mobile number won 750.000 Euros from the Espana global promotion. Contact claim dept. on: Tel: 0034664219273 Fax: 0034911013657 mcellproiaim.com”

How many do you think would fall for this scam and call the number? There’s no official number, but earlier figures from other Phishing campaigns have stated that 1-2% of all recipients visit the site after receiving the scam e-mail. So is it also 1-2% with SMiShing? - I would argue no, specifically because e-mail is still being stigmatized. People don’t trust e-mails because they’ve grown accustomed to spam and other forms of fake e-mails - but they trust their mobile phones! So while we see numbers like 1-2% for e-mail scams, I fear we will be seeing numbers like 4-6% for mobile phone scams - if not even more than that.

So what happens if you call the number? According to Peter Kruse, one would probably be met with the scam artist himself, trying to get your bank information so that he can “transfer the money to you”, while in fact he just wants the information to do some form of identity theft. - Personally I don’t believe this one! It seems very much unlike mass, computerized criminals to initiate contact with their victims. Experienced hackers do it, however they’re usually also a lot more focused: they plan ahead and hit one or two companies very specifically. SMiShing’s nature of mass-oriented scamming is not well suited for this type of theft attempt. No, I find it much more likely you’re met with a computerized voice asking for a lot of information - including a bunch of information that doesn’t seem odd but is just completely unnecessary, like address, city, postal code, state, country, gender and so on. So why would a scammer want to know all of these things? Very easy - he wouldn’t! But he would very much like you to stay on the line while you’re racking up huge premium-rate fees - all of which go straight into the scammer’s pockets, without you being able to do much about it.

Scams with premium-rate numbers have been around for a very long time, and while obviously illegal, it can be very difficult to get someone convicted. So the scammers can sit back while perhaps 2000 people call (if they’ve contacted enough victims by SMS) and on average spend 12 minutes on the phone at a fee of $15 a minute - adding up to $360,000 in profits for the scammers. - Actually these numbers are probably way too low if they’ve attacked several countries.

But this is just one of the ways you can use SMiShing, and is actually one of the more naive ways. A much better way would be to exploit the way SMS messages actually work. Many people believe that an SMS always carries the sender’s number, and that the only way their phone can show a name (like “Tom” instead of 08005552342) is if they themselves added it to their phone book. But this is actually not true! You can very easily spoof a name instead of a number, so that when a victim receives a message from you, instead of having 08005551215 as the sender, you could choose “Mom”. This way, you would be able to do a very evil form of SMiShing, where the number of callers would quite likely be much higher:

“Hi son. You need to call me straight away - We’re in Honduras and your Dad just had a heart attack! I’m sitting here in the hospital but my phone isn’t working well and almost has no more batteries. Would you please call the hospital’s phone at: (504) 559 - 0300. Love you! - Mom.”

If I were trying to scam people with SMiShing (and I had no soul) - this would be the way to do it!
Assuming it isn’t possible for the son to call his mother (as in she’s not picking up or at work) and the son’s parents aren’t dead already, this will work wonders and a lot more than 4-6% would call!
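As an added example (not part of the original post), here is the kind of check a cautious reader, or an SMS filter on the handset, could apply to the two messages quoted above: it treats a name-only sender as untrusted, because the name came from the network and not from the phone book, and adds points for prize wording, urgency and a request to call some other number. The phonebook entry, the Danish home prefix and the sender numbers for the samples are constructed assumptions.

```python
import re

# Constructed data for this example: one saved contact and a Danish home prefix
# (the article's setting). Both are assumptions, not taken from the post.
PHONEBOOK = {"Mom": "+4520123456"}
HOME_PREFIX = "45"

PRIZE = re.compile(r"\b(won|winner|prize|promotion|claim dept|lottery)\b", re.I)
URGENCY = re.compile(r"\b(straight away|immediately|urgent|heart attack|hospital)\b", re.I)
PHONE = re.compile(r"\+?\(?\d[\d\s\-()]{6,}\d")  # a run of 8+ digits with separators


def digits(s):
    """Keep only digits and drop a leading 00, so 0034... and +34... compare alike."""
    d = re.sub(r"\D", "", s)
    return d[2:] if d.startswith("00") else d


def assess_sms(sender, body):
    """Score an incoming SMS; returns (score, reasons). A score of 3 or more means:
    verify through another channel before calling anything in this message."""
    score, reasons = 0, []
    if re.fullmatch(r"\+?\d+", sender) is None:
        # The network delivered an alphanumeric originator: the name on screen was
        # chosen by the sender, it was NOT looked up in the recipient's phone book.
        score += 1
        reasons.append("alphanumeric sender ID")
        if sender in PHONEBOOK:
            score += 2
            reasons.append("sender ID matches a saved contact name but not its number")
    if PRIZE.search(body):
        score += 2
        reasons.append("prize/lottery wording")
    if URGENCY.search(body):
        score += 1
        reasons.append("urgency wording")
    raw = PHONE.findall(body)
    if any(digits(n) != digits(sender) for n in raw):
        score += 1
        reasons.append("asks you to call a number other than the sender's")
    if any(n.startswith(("00", "+")) and digits(n)[:2] != HOME_PREFIX for n in raw):
        score += 1
        reasons.append("foreign number")
    return score, reasons


# The two messages quoted in the post plus a benign one; senders are constructed.
SAMPLES = [
    ("+34600000000", "Your mobile number won 750.000 Euros from the Espana global promotion. "
                     "Contact claim dept. on: Tel: 0034664219273 Fax: 0034911013657 mcellproiaim.com"),
    ("Mom", "Hi son. You need to call me straight away - We're in Honduras and your Dad just had "
            "a heart attack! Would you please call the hospital's phone at: (504) 559 - 0300."),
    ("+4520123456", "Running late, dinner at 7?"),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender, assess_sms(sender, body))
```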

So, to sum it all up: is SMiShing much of a threat? Well, yes, because it uses an old technology which hasn’t had any real security boosts and which people mistakenly trust. So in that sense it’s much worse than scamming over e-mail (Phishing), as it’s much more likely the victim will fall for the scam. I fear we will be seeing a lot of these scams in the future unless something is done to secure SMS - a scenario that’s probably very unlikely!