Have you been ‘Smished’ lately?

Chances are, you very well have been…

In this post we’re going to talk about ‘Smishing’ in really simple terms.

So what exactly is Smishing? It's a bit of a funny name, but it stands for "SMS phishing."

By SMS, I mean SMS texts you receive on your phone.

And by 'phishing' I mean (according to Wikipedia) "the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising as a trustworthy entity in an electronic communication".

So basically it's a form of social engineering, where the bad guys use SMS text messaging to trick you into handing over something valuable, e.g. passwords, money, etc.

Now, when it comes to Smishing, there are a couple of things you need to remember:

  1. You're dealing with a small handheld smartphone, and what the scammers are hoping is that on a smartphone it's harder for you to see which link you're clicking.
    1. And in many ways it's true that it IS harder to see where a link in an SMS text actually goes. This is DEFINITELY what the scammers are hoping! (One check that helps: long-press the link instead of tapping it, so the phone offers to show or copy the real destination before anything opens.)
  2. We have our smartphones with us all the time. Chances are we check our email and use the Internet much more on the smartphone than we would on a computer. Again, that's what the hackers are aiming for: that you will click on a well-crafted malicious link in an SMS text message for this very reason.
  3. 'Voice-over-IP', or VoIP, a technology that has been around for about 25 years, has helped digitize our telecommunications. But by using VoIP and bulk SMS services, it is also very easy for hackers to spoof the caller ID that appears on your smartphone screen, and therefore to spoof or fake the sender a text appears to come from as well. So be very aware that just as hackers can spoof an email and make it look like it's coming from, for example, PayPal or eBay, they can do the same thing with SMS sender names and caller IDs.
    1. What I am saying to you, essentially, is please do NOT believe everything you see on your phone screen.

To make things easier, let me show you some visual examples:

OK, as you can see in the first screenshot, the sender name at the top says "iCloud".

  • Please note: this sender name is COMPLETELY made up! An alphanumeric sender name like this is set by whoever sends the message.
  • I hate to say this, but NEVER 100% trust what it says for the sender's name.

Now that I’ve scared you, let’s keep moving down the SMS message…Next they’re telling you that your “Apple ID has been locked due to unauthorized login attempts”, which is a common tactic to trigger your emotion of fear, so that you do what comes next…

Here is the most important part, the SMISHING:  they want you to click on the Bit.ly link right below the message!

And when you do, it’s GAME OVER!

For the record, Bit.ly links are what we call 'URL shorteners': a short URL that redirects to a long one, so the link itself tells you nothing about where you will end up.

As a simple example, I will change this URL:

https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html

Into a Bit.ly shortened URL:

http://bit.ly/2MNJUrm

Bit.ly links are VERY popular with the bad guys, because they can hide their malicious link behind a Bit.ly link that looks completely benign; the real destination is only revealed by the redirect after you tap.

What’s important to note here is that Apple will never ever send you a Bit.ly link, or any other kind of URL shortener for that matter. And they’re definitely not going to send you a link, in an SMS text message, telling you to go and verify your information on a website!

They might ask you to check your account yourself, but they will never send you a shortened Bit.ly link. THIS IS A VERY IMPORTANT POINT.

Here’s another example:

This one looks alarming right??

Bank of America has ‘apparently’ detected unauthorized transactions, and has been kind enough to warn you that you should click on this link to “avoid suspension” of your account.

Again, as you can see, the address they've sent you is a 'Bit.ly' shortened URL.

Keep in mind, though, that not every malicious SMS link will be Bit.ly. There are other URL shorteners, but the important point is that legitimate businesses, ESPECIALLY banks, Amazon, eBay, PayPal etc., do not send official correspondence like this using URL shorteners. They may warn you of something, but they will ask you to log in yourself or call them, not to click a link.

And a final example, which really is a bit of a joke once you analyze it:

Check out all the spoofed buzzwords they've put in the sender field at the top: APPLE.VERIFY.COM.@ICLOUD.COM. They really laid it on thick in this text message!

All these are there in order to get you to respond, to believe the message is coming from someone of authority.

They even put a little Apple logo in the message! Wow

Anyway, the message is telling you "Your iPhone has been found". Well, great news, right?!

Mind you, they're notifying you of this great news on the iPhone that they "found", WHICH YOU'RE HOLDING IN YOUR HAND. It's ridiculous, and that embedded link should definitely not be clicked on.

One last thing: notice the link URL: hxxp://www.apple.verify.com.de (written with "hxxp" so that nobody clicks it by accident).

Read the hostname from the right: the website is not Apple at all. The registered domain is verify.com.de, under Germany's .de country code, and "apple" is just a subdomain label the scammer chose. Obviously not Apple's official website.
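To make the two checks from this post concrete (spotting a URL shortener like the Bit.ly links above, and reading the registered domain out of a hostname like apple.verify.com.de), here is a small added Python triage script. It is example code written for this post, not something from the original page: the shortener list, the tiny suffix list and the brand-to-domain table are assumptions constructed for the demo, and the Bank of America message body and its bit.ly/EXAMPLE path are made up.

```python
import re
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Constructed for this example: a handful of well-known shortener domains (not exhaustive).
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}

# Constructed for this example: a tiny subset of the Public Suffix List. Real tooling should use
# the full list (e.g. the tldextract or publicsuffix2 packages). "com.de" is a private-registry
# suffix, which is why apple.verify.com.de registers as verify.com.de, not as com.de.
PUBLIC_SUFFIXES = {"com", "net", "org", "de", "ly", "co", "co.uk", "com.de"}

# Assumption for the messages in the post: the registrable domains each brand legitimately uses.
BRAND_DOMAINS = {
    "apple": {"apple.com", "icloud.com"},
    "bank of america": {"bankofamerica.com"},
}

# Matches http(s) URLs, including the "hxxp" defanged form used in the post.
URL_RE = re.compile(r"(?i)\b(?:hxxps?|https?)://[^\s<>]+")


def normalize_url(url):
    """Strip trailing punctuation and turn a defanged hxxp:// URL back into http:// for parsing."""
    return re.sub(r"(?i)^hxxp", "http", url.strip().rstrip(".,;)"))


def hostname(url):
    return (urlsplit(normalize_url(url)).hostname or "").lower().rstrip(".")


def registrable_domain(host):
    """Longest matching public suffix plus one label (fallback: the last two labels)."""
    labels = host.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else host
    return ".".join(labels[-2:])


def triage_sms(text, claimed_brand):
    """Return one finding per URL in the message, with the red flags the post describes."""
    legit = BRAND_DOMAINS.get(claimed_brand.lower(), set())
    brand_word = claimed_brand.split()[0].lower()
    findings = []
    for raw in URL_RE.findall(text):
        host = hostname(raw)
        reg = registrable_domain(host)
        flags = []
        if reg in SHORTENER_DOMAINS:
            flags.append("url-shortener")  # destination hidden behind a redirect
        if reg not in legit:
            flags.append("domain-not-brand")  # registered domain is not the brand's
            if brand_word in host:
                flags.append("brand-name-in-subdomain")  # "apple" used as a decoy label
        findings.append({"url": raw, "host": host, "registrable": reg, "flags": flags})
    return findings


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # refuse to follow; the opener raises HTTPError instead


def expand_shortener(url, timeout=5):
    """HEAD a shortener link and return its Location header without visiting the target (needs network)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(normalize_url(url), method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.headers.get("Location")  # None: it was not a redirect at all
    except urllib.error.HTTPError as err:
        if err.code in (301, 302, 303, 307, 308):
            return err.headers.get("Location")
        raise


if __name__ == "__main__":
    # Constructed sample messages modelled on the three examples in the post.
    samples = [
        ("Apple", "iCloud: Your Apple ID has been locked due to unauthorized login attempts. http://bit.ly/2MNJUrm"),
        ("Bank of America", "Unauthorized transactions detected, verify now to avoid suspension http://bit.ly/EXAMPLE"),
        ("Apple", "Your iPhone has been found. View location: hxxp://www.apple.verify.com.de"),
    ]
    for brand, body in samples:
        for f in triage_sms(body, brand):
            print(f"{f['host']:28} registrable={f['registrable']:16} flags={f['flags']}")
```

The triage never contacts any of the hosts. If you do want to know where a shortener points, expand_shortener sends a single HEAD request to the shortener only and reads the Location header from the 301/302 response, with redirects disabled so the scammer's landing page is never touched; wherever that Location lands, run it through triage_sms again before trusting it.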

So again, when it comes to smishing, it’s always the same thing: they want you to click on a link.

I understand what you might be thinking right now: how can I be 100% safe when it's hard to see what's going on with my phone because of the small screen? My best advice is this: if you receive something like this, remember that government agencies, the IRS, banks, and tech companies are NOT going to send you these links asking you to verify your information. They might call you (even then you must be very careful about Vishing, which I will blog about very soon), and if they send you a warning text it will not include a link to verify your account.

So be very careful about this. Especially when it comes to:

  • password resets
  • Requests for extra information/account updates

NEVER click on a link to do either of these; that is my best advice to you. Log into the business's website yourself (type the address or use the app you already have), call the number on the back of your card or on their official site, or walk into their branch to see what is going on with your account.

Please be safe 1:M Secure out there everyone.

***

#ClickGameOver
