Dec 12, 2012
 

Many times we receive SMS messages on our cell phones like the one shown below:

Typically, a phone number to call or a website link is given, and the user is asked to provide personally identifiable information (bank account number, PIN, or credit card number) to claim the prize money. When an unsuspecting user provides this information, unauthorized transactions are made on the user's behalf from their talk-time balance or bank account.

What is SMiShing?
‘SMiShing’ is the term used for phishing attempts carried out over text messages (SMS). It occurs when a fraudster sends you an SMS/text message asking you to provide sensitive personal and/or financial information via a web link to a false website, or via a telephone number.

If phishing and SMiShing are basically the same technique applied on different platforms, what makes a SMiShing attack more dangerous?

SMiShing attacks are more convincing to the victim because:

  • Smartphones are highly personal devices, owned and carried by their users.
  • Banks now offer mobile banking apps, which may offer to store account details, credit card information, etc. locally for convenience and quick transactions.
  • In mobile banking apps, the phishing warning and disclaimer are usually omitted to save screen space.
  • A user is more likely to see and reply to an SMS than to an email.
  • There is an acute shortage of good SMS spam detector apps for mobiles :)
  • User unawareness remains the strongest factor in the widespread success of SMiShing attacks.
  • Minimal interaction is required from the user for a successful attack: the user doesn't have to go looking around home or office for bank account numbers or credit card numbers before replying to the SMS, because the details are often already on the phone.
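The message pattern described above (a prize lure, a link or number to contact, and a request for a PIN or account number) lends itself to simple heuristic triage on the receiving side, which addresses the "shortage of SMS spam detectors" point. The following is an added example, not code from the original post or from NII Consulting; the indicator word lists, weights, threshold and the three sample messages are all constructed for illustration and would need tuning on real labelled traffic.

```python
"""Heuristic SMiShing triage for incoming SMS text (added example, not from the original post).

Assumptions chosen for this example: the indicator vocabularies, category weights and
the 'suspicious' threshold are illustrative, not derived from any published filter.
"""
import re
from dataclasses import dataclass, field

# Indicator vocabularies (constructed). Each category adds its weight at most once,
# no matter how many of its words appear in one message.
INDICATORS = {
    "prize_lure":  (2, ("prize", "won", "winner", "lottery", "claim", "reward", "congratulations")),
    "asks_secret": (2, ("pin", "password", "account number", "credit card", "cvv", "otp", "verify")),
    "urgency":     (1, ("urgent", "immediately", "within 24 hours", "suspended", "expires")),
}
# A link (scheme, www., or bare domain with a common TLD) and a callable phone number.
URL_RE = re.compile(r"(?:https?://|www\.)\S+|\b[\w-]+\.(?:com|net|org|in|ly|co)\b", re.I)
PHONE_RE = re.compile(r"(?<!\d)\+?\d[\d\- ]{7,}\d(?!\d)")


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= 3  # illustrative threshold


def _has_word(text: str, phrase: str) -> bool:
    """Whole-word match so 'pin' does not fire on 'shopping'."""
    return re.search(r"\b" + re.escape(phrase) + r"\b", text) is not None


def score_sms(sender: str, body: str, known_contacts: set) -> Verdict:
    """Score one message; higher means more SMiShing indicators present."""
    v = Verdict()
    low = body.lower()
    for name, (weight, words) in INDICATORS.items():
        hits = [w for w in words if _has_word(low, w)]
        if hits:
            v.score += weight
            v.reasons.append(f"{name}: {', '.join(hits)}")
    if URL_RE.search(body):
        v.score += 2
        v.reasons.append("contains link")
    if PHONE_RE.search(body):
        v.score += 1
        v.reasons.append("asks to call a number")
    if sender not in known_contacts:
        v.score += 1
        v.reasons.append("sender not in contacts")
    return v


# Constructed sample traffic: one prize lure, one benign message, one fake bank alert.
KNOWN_CONTACTS = {"+919999999999"}
SAMPLE_MESSAGES = [
    ("+911234567890", "Congratulations! You have won Rs 50,000 prize. To claim, call 9876543210 "
                      "with your bank account number and PIN."),
    ("+919999999999", "Hi, running late, see you at 7"),
    ("VM-BANKXX", "Your account will be suspended. Verify at http://bank-secure-login.example "
                  "within 24 hours"),
]


def triage(messages=SAMPLE_MESSAGES, known_contacts=KNOWN_CONTACTS):
    """Return (sender, Verdict) pairs for a batch of messages."""
    return [(sender, score_sms(sender, body, known_contacts)) for sender, body in messages]


if __name__ == "__main__":
    for sender, v in triage():
        flag = "SUSPICIOUS" if v.suspicious else "ok"
        print(f"{flag:10} score={v.score} from={sender} :: {'; '.join(v.reasons)}")
```

On the constructed samples the prize lure and the fake bank alert both score 6 (lure or credential request, plus a link or number to contact, plus an unknown sender), while the message from a known contact scores 0. The point of scoring categories rather than counting words is that a single lure term in a legitimate message stays below the threshold; only the combination that SMiShing relies on (bait, contact channel, request for a secret) crosses it.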

Attack Discovery
The SMiShing vulnerability was identified by Xuxian Jiang and his team from NC State University in California. The issue affects essentially all Android versions, roughly from 1.5 (Donut) to 4.1 (Jelly Bean). The vulnerability allows a running app to inject arbitrary fake SMS text messages, which, once received, can be used to launch phishing, vishing (voice phishing) and other malicious activities.

The most important aspect to note is that the malicious app does not require any special permission to launch the phishing attack. This is because Android exports the SMS receiving service in the Android messaging process without any restrictions. A third-party app can therefore pass an explicit Intent containing a fake SMS message to the SMS app, and the SMS app will process it. What is particularly interesting about this attack is that even when the cell phone is in offline mode or has no SIM card, the user can still "receive" an SMS from the malicious app!

To check whether your cell phone is vulnerable to this issue, download the PoC app SMSSpoofer by Thomas Cannon [4]. With this app you can send an SMS to your own mobile number with any display number and message contents you choose. As seen in the screenshot below, NO permission to send SMS is granted to this application, yet in the previous screenshot we were able to see the crafted SMS apparently originating from 123456789.

Tips to Protect Yourself from Cyber Scams

  • Don’t respond to text messages or automated voice messages from unknown or blocked numbers on your mobile phone.
  • Don’t enable the Android setting that allows installing applications from ‘Unknown/Untrusted Sources’.
  • User awareness: don’t download anything unless you trust the source.
  • When buying online, use a legitimate payment service and always use a credit card, because charges can be disputed if you don’t receive what you ordered or find unauthorized charges on your card.
  • Check each seller’s rating and feedback along with the dates the feedback was posted. Be wary of a seller with a 100 percent positive feedback score, with a low number of feedback postings, or with all feedback posted around the same date.
  • Don’t respond to unsolicited e-mails, texts or phone calls requesting personal information.
  • Never click on links or attachments contained in unsolicited e-mails.
  • When visiting a merchant’s website, type the URL directly into your browser’s address bar.

References:
[1] Smishing Vulnerability in Multiple Android Platforms
http://www.csc.ncsu.edu/faculty/jiang/smishing.html
[2] Smishing and Vishing
http://www.fbi.gov/news/stories/2010/november/cyber_112410/cyber_112410
[3] Privacy & Security Resources
http://www.t-mobile.com/Company/PrivacyResources.aspx?tp=Abt_Tab_PhishingSMishing&tsp=Abt_Sub_IdentityTheft_SMiShing
[4] Android SMS Spoofer
https://github.com/thomascannon/android-sms-spoof

Pralhad Chaskar

Pralhad Chaskar is the Security Analyst at NII Consulting. He has over 2 years of experience conducting Penetration Testing, Vulnerability Assessments, Mobile Security and Security Audits.
