It was only a matter of time before short message service (SMS)
became a target.
Last week, researchers at the McAfee Avert Labs uncovered a new
form of attack, which hits through SMS and can milk a mobile user's
wallet dry. On the surface, this new threat -- dubbed SMiShing (a
combination of SMS and phishing) -- may appear to be only a
consumer problem, but some mobile experts say enterprise mobile
managers should be on their guard.
Deepa Karthikeyen, a wireless services analyst with Current
Analysis, said last week's announcement was the first she had heard
of SMiShing but noted that it is new, uncharted territory that
mobile managers should be ready for.
She said that "it could be threatening to the enterprise if
mobile devices, which employees use to access their network daily,
are hacked."
A SMiShing attack could plant malware on an employee's device and,
through it, on the corporate network, or run up large charges on
corporate cell phone bills through premium-rate services. A
compromised device could also open the network to follow-on
attacks. Since SMiShing is so new, however, the network impact and
the costs an attack may carry are still unclear.
So far, SMiShing attacks have targeted users outside the U.S., but
the technique depends on nothing more than a text message and a Web
link, so there is no reason it couldn't reach U.S. users. And though
full-scale attacks in the U.S. may not be imminent, some mobile
experts caution that it's better to be safe than sorry.
David Rayhawk, senior researcher at McAfee Avert Labs, which
recently went public with SMiShing information, said SMiShing "is
yet another indicator that cell phones and mobile devices are
becoming increasingly used by perpetrators of malware, viruses and
scams."
In a blog entry, Rayhawk detailed a SMiShing ploy in which users
received a text message such as "We're confirming you've signed up
for our dating service. You will be charged $2/day unless you
cancel your order." The message ends with a Web link that routes
the user to the phishing page.
"Fearful of incurring premium rates on their cell phone bill,
they visit the Web site highlighted in the message," Rayhawk wrote.
"Once they arrive at the URL, they are prompted to download a
program which is actually a Trojan horse that turns the computer
into a zombie, allowing it to be controlled by hackers. The
computer then becomes part of a bot network, which can then be used
to launch denial of service attacks, install keylogging software, …
steal personal account information and [perform] other malicious
activities."
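The chain Rayhawk describes has two observable parts: pressure text about a charge the recipient never agreed to, and a link that leads to a download. As an added illustration (not code from McAfee, Rayhawk or this article), the Python triage filter below scores incoming messages on exactly that combination and pulls out the linked hosts for blocklisting. The trusted-host allowlist, the scoring weights and the sample messages are constructed assumptions for the example; a lure with no link is deliberately not flagged as SMiShing, since without a download step it is premium-rate spam for the carrier rather than a malware delivery vector.

```python
import re
from dataclasses import dataclass, field

# Hypothetical allowlist: hosts the enterprise itself uses in legitimate
# SMS notifications (constructed example names, not real infrastructure).
TRUSTED_HOSTS = {"corp.example.com", "alerts.example.com"}

# Phrases that mimic the "you will be charged unless you cancel" lure
# McAfee described, plus a few common variants of the same pressure tactic.
LURE_PATTERNS = [
    r"\bconfirm(?:ing)? (?:that )?you(?:'ve| have) signed up\b",
    r"\bcharged\b.*?\b(?:per|/)\s*(?:day|week|month)\b",
    r"\$\s?\d+(?:\.\d{2})?\s*(?:/|per)\s*(?:day|week|month)\b",
    r"\b(?:unless|until) you (?:cancel|unsubscribe|confirm)\b",
    r"\byour (?:account|service) will be (?:suspended|cancell?ed|terminated)\b",
]

# Installable package suffixes: a link ending in one of these is the
# "prompted to download a program" step of the attack chain.
PACKAGE_SUFFIXES = (".sis", ".sisx", ".cab", ".jar", ".exe", ".apk")

# Matches http(s) URLs and bare hostnames (scheme optional), plus raw IPv4
# hosts; the captured host excludes any leading "www." prefix.
URL_RE = re.compile(
    r"(?:https?://)?(?:www\.)?"
    r"((?:\d{1,3}\.){3}\d{1,3}|(?:[a-z0-9-]+\.)+[a-z]{2,})"
    r"(?::\d+)?(/\S*)?",
    re.IGNORECASE,
)


@dataclass
class Verdict:
    suspicious: bool
    score: int
    urls: list = field(default_factory=list)     # host+path strings to block
    reasons: list = field(default_factory=list)


def extract_urls(text):
    """Return (host, path) pairs for every link-looking token in the message."""
    return [(m.group(1).lower(), m.group(2) or "") for m in URL_RE.finditer(text)]


def triage_sms(text):
    score, reasons, flagged = 0, [], []
    for pat in LURE_PATTERNS:
        if re.search(pat, text, re.IGNORECASE):
            score += 2
            reasons.append(f"lure phrase /{pat}/")
    for host, path in extract_urls(text):
        if host in TRUSTED_HOSTS:
            continue
        flagged.append(host + path)
        score += 2
        reasons.append(f"link to untrusted host {host}")
        if re.fullmatch(r"(?:\d{1,3}\.){3}\d{1,3}", host):
            score += 2
            reasons.append("raw IP address in link")
        if path.lower().rstrip(".,)").endswith(PACKAGE_SUFFIXES):
            score += 3
            reasons.append(f"link points at an installable package {path}")
    # SMiShing needs both the pressure text and an untrusted link; a lure
    # with no link never reaches the download step, so it is not flagged.
    return Verdict(suspicious=bool(flagged) and score >= 4, score=score,
                   urls=flagged, reasons=reasons)


# Constructed sample messages (not real captures).
SAMPLES = [
    "We're confirming you've signed up for our dating service. You will be "
    "charged $2/day unless you cancel your order: http://date-confirm.example.net/cancel",
    "Your corp.example.com VPN password expires in 3 days. Reset at https://alerts.example.com/reset",
    "Free ringtone! Download now: http://203.0.113.7/tone.sis",
    "You will be charged $5/month unless you cancel. Reply STOP to opt out.",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        v = triage_sms(msg)
        tag = "SUSPICIOUS" if v.suspicious else "ok        "
        print(f"{tag} score={v.score:2d} urls={v.urls}")
        for r in v.reasons:
            print("    -", r)
```

Run as a script, the first and third samples are flagged (lure plus untrusted link; raw IP plus a .sis package), the carrier-style notification from allowlisted hosts scores zero, and the fourth message accumulates lure points but stays unflagged because it carries no link. The extracted host+path strings are what a mobile manager would feed to a Web filter or carrier abuse desk.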
Rayhawk said understanding how far SMiShing reaches is
difficult.
"Because monitoring botnet activity is complex, it is
challenging to know the current scope of the problem," he
wrote.
Once hackers learn to fully exploit SMiShing techniques, the
threat to enterprise users will grow.
"Most large enterprises have thousands of employees, using a
variety of devices to access their networks," Rayhawk wrote in his
blog. "Despite their best efforts to issue safety guidelines, IT
security staff cannot control human behavior, especially in light
of the fact that mobile users have not yet learned to treat their
phones with the same level of concern that they apply to their
laptops. Mobile devices present a serious challenge to data
security, with the potential to infect both carrier and enterprise
networks."
Daniel Taylor, managing director of the Mobile Enterprise
Alliance, said enterprises allowing the use of numerous devices
should set strict rules and policies to avoid falling victim to
SMiShing.
"Yes, enterprises should be concerned," he said. "They should be
concerned about committing to support too many types of mobile
devices. If an IT department agrees to support more than two or
three different device types, they're overcommitting."
According to Taylor, best practices for mobile devices should
provide three things: a set of policies that help to address
phishing, security software to address viruses and other forms of
malware, and a way to use over-the-air updates to re-image devices
and recover data.
"An infected device should never be allowed to connect to the
corporate network," he added.
Taylor continued: "Like support, security is a set of policies
that reinforces the constraint that IT departments can only support
a homogeneous combination of devices and software loads."
Karthikeyen said that with the growth in messaging service
subscriptions and cell phone providers looking to compete against
the Internet, mobile device users are increasingly becoming targets
for hackers, spam and other attacks.
"Cell phone users have to learn to exercise caution when they use
their cell phones," she said, adding that there are now PC-based
viruses on cell phones and that virus-scanning tools for cell
phones could be on the horizon.
In an interview shortly after his blog posting, Rayhawk said SMS
and mobile device attacks could become as commonplace as PC-related
threats. Some mobile malware can destroy devices; worse, it could
cripple a corporate network.
"Eventually," Rayhawk said, "we should see everything you expect
to see on the PC …."
Because SMS is widely popular and available to almost anyone
with a cell phone, SMiShing threats could eventually surpass
email-related attacks, Rayhawk said, especially because many users
are now more cautious about emails.
"If you got an email message like this, you should know better
than to open it," he said.
Another threat to an enterprise, according to Rayhawk, is an
attacker who obtains a corporate phone list and can target a
SMiShing attack at a specific set of users.
Current Analysis analyst Kathryn Weldon agreed.
"Clearly there would be not only a huge annoyance factor for
consumers and enterprises alike for this kind of forced
service/spam," Weldon said, "but McAfee implies [with its SMiShing
announcement] it opens them up to a scenario where peddlers can
find them and text them at will."
Rayhawk suggests that mobile managers deploy some form of mobile
anti-virus protection to quell potential SMiShing threats and other
attacks. McAfee, Symbian and Symantec, among others, offer products
to secure mobile devices, he said.
"Enterprises would be wise to keep a close eye on the issue,"
Rayhawk said, "think about policies for securing their mobile
devices ahead of time -- rather than playing catch-up when it hits
them -- and begin to educate their employees about the potential
risk now."