SMS phishing is here

Phishing attacks are no longer limited to email: researchers have uncovered phishing scams using SMS, and mobile experts say enterprises should be wary of these so-called SMiShing scams.

It was only a matter of time before short message service (SMS) became a target.

Last week, researchers at the McAfee Avert Labs uncovered a new form of attack, which hits through SMS and can milk a mobile user's wallet dry. On the surface, this new threat -- dubbed SMiShing (a combination of SMS and phishing) -- may appear to be only a consumer problem, but some mobile experts say enterprise mobile managers should be on their guard.

Deepa Karthikeyen, a wireless services analyst with Current Analysis, said last week's announcement was the first she had heard of SMiShing but noted that it is new, uncharted territory that mobile managers should be ready for.

She said that "it could be threatening to the enterprise if mobile devices, which employees use to access their network daily, are hacked."

A SMiShing attack could introduce viruses or other malware to the network or add massive charges to corporate cell phone bills. An attack could also expose the network to other hacks. Since SMiShing is so new, however, the network impact or costs that may be associated with an attack are unclear.

So far, SMiShing attacks have targeted users abroad, but because they are a threat to mobile systems, there is no reason they couldn't jump the seas into the U.S. And though full-scale attacks in the U.S. may not necessarily be imminent, some mobile experts caution that it's better to be safe than sorry.

David Rayhawk, senior researcher at McAfee Avert Labs, which recently went public with SMiShing information, said SMiShing "is yet another indicator that cell phones and mobile devices are becoming increasingly used by perpetrators of malware, viruses and scams."

In a blog entry, Rayhawk detailed a SMiShing ploy where users received a text message such as "We're confirming you've signed up for our dating service. You will be charged $2/day unless you cancel your order." Following the message is a Web link that would route the user to the main phishing page.

"Fearful of incurring premium rates on their cell phone bill, they visit the Web site highlighted in the message," Rayhawk wrote. "Once they arrive at the URL, they are prompted to download a program which is actually a Trojan horse that turns the computer into a zombie, allowing it to be controlled by hackers. The computer then becomes part of a bot network, which can then be used to launch denial of service attacks, install keylogging software, … steal personal account information and [perform] other malicious activities."
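The lure Rayhawk describes has a recognizable shape: an unsolicited "subscription confirmation", a recurring charge, a cancel-or-pay ultimatum and a link. The following is an added example, not code from the article or from McAfee, that scores incoming SMS text against those indicators; the weights, the threshold and the sample messages (the quoted lure with a placeholder link appended) are assumptions constructed for this illustration.

```python
import re

# Indicators drawn from the lure described in the article. Weights and the
# threshold below are assumptions for this example, not any vendor's rules.
INDICATORS = {
    "subscription_confirmation": (
        re.compile(r"\b(confirm(ing|ed)?|signed up|subscri(bed|ption))\b", re.I), 2),
    "recurring_charge": (
        re.compile(r"\$\s?\d+(\.\d{2})?\s*(/|per)\s*(day|week|month)", re.I), 3),
    "cancel_ultimatum": (
        re.compile(r"\b(unless|until|or)\b.{0,20}\bcancel", re.I), 2),
    "link": (
        re.compile(r"(https?://|www\.)\S+|\b[\w-]+\.(com|net|info|biz)(/\S*)?", re.I), 3),
}


def score_sms(text):
    """Return (score, matched indicator names) for one SMS body."""
    hits = [name for name, (rx, _) in INDICATORS.items() if rx.search(text)]
    return sum(INDICATORS[h][1] for h in hits), hits


def is_suspected_smishing(text, threshold=7):
    """Flag a message when enough lure indicators co-occur in it."""
    score, _ = score_sms(text)
    return score >= threshold


# Constructed samples: the first is the lure quoted in the article with a
# placeholder link (the article does not give the real URL); the others are
# benign messages that share one feature each with the lure.
SAMPLES = [
    "We're confirming you've signed up for our dating service. You will be "
    "charged $2/day unless you cancel your order. www.example.invalid/cancel",
    "Your package has shipped. Track at https://example.invalid/track",
    "Running 10 min late, start without me",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        score, hits = score_sms(msg)
        print(f"{score:>2} {hits} :: {msg[:60]}")
```

A single indicator (a link alone, a dollar amount alone) stays below the threshold; it is the combination that marks the lure, which is why the benign tracking message is not flagged.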

Rayhawk said understanding how far SMiShing reaches is difficult.

"Because monitoring botnet activity is complex, it is challenging to know the current scope of the problem," he wrote.

Once hackers learn to fully exploit SMiShing techniques, the threat to enterprise users will grow.

"Most large enterprises have thousands of employees, using a variety of devices to access their networks," Rayhawk wrote in his blog. "Despite their best efforts to issue safety guidelines, IT security staff cannot control human behavior, especially in light of the fact that mobile users have not yet learned to treat their phones with the same level of concern that they apply to their laptops. Mobile devices present a serious challenge to data security, with the potential to infect both carrier and enterprise networks."

Daniel Taylor, managing director of the Mobile Enterprise Alliance, said enterprises allowing the use of numerous devices should set strict rules and policies to avoid falling victim to SMiShing.

"Yes, enterprises should be concerned," he said. "They should be concerned about committing to support too many types of mobile devices. If an IT department agrees to support more than two or three different device types, they're overcommitting."

According to Taylor, best practices for mobile devices should provide three things: a set of policies that help to address phishing, security software to address viruses and other forms of malware, and a way to use over-the-air updates to re-image devices and recover data.

"An infected device should never be allowed to connect to the corporate network," he added.

Taylor continued: "Like support, security is a set of policies that reinforces the constraint that IT departments can only support a homogeneous combination of devices and software loads."

Karthikeyen said that with the growth in messaging service subscriptions and cell phone providers looking to compete against the Internet, mobile device users are increasingly becoming targets for hackers, spam and other attacks.

"Cell phone users have to learn to exercise caution when they use their cell phones," she said, adding that there are now PC-based viruses on cell phones and that virus-scanning tools for cell phones could be on the horizon.

In an interview shortly after his blog posting, Rayhawk said SMS and mobile device attacks could become as commonplace as PC-related threats. Some mobile malware can destroy devices; worse, it could cripple a corporate network.

"Eventually," Rayhawk said, "we should see everything you expect to see on the PC …."

Because SMS is widely popular and available to almost anyone with a cell phone, SMiShing threats could eventually surpass email-related attacks, Rayhawk said, especially because many users are now more cautious about emails.

"If you got an email message like this, you should know better than to open it," he said.

Another threat to an enterprise, according to Rayhawk, is an attacker who obtains a corporate phone list and can target a SMiShing attack at a specific set of users.

Current Analysis analyst Kathryn Weldon agreed.

"Clearly there would be not only a huge annoyance factor for consumers and enterprises alike for this kind of forced service/spam," Weldon said, "but McAfee implies [with its SMiShing announcement] it opens them up to a scenario where peddlers can find them and text them at will."

Rayhawk suggests that mobile managers deploy some form of mobile anti-virus protection to quell potential SMiShing threats and other attacks. McAfee, Symbian and Symantec, among others, offer products to secure mobile devices, he said.

"Enterprises would be wise to keep a close eye on the issue," Rayhawk said, "think about policies for securing their mobile devices ahead of time -- rather than playing catch-up when it hits them -- and begin to educate their employees about the potential risk now."