SMiShing is happening right now. Watch out!



So, criminals are SMiShing phones now!

Don’t be fooled by the daft sounding name, this is an attack right where many are very, very vulnerable.

You see, we’ve been barking on at you all for years now about not clicking anything in, or replying to, emails unless you are certain of their authenticity. By now businesses should all have well set out security policies, covering every conceivable interaction that could take place involving your computer. And of course all your software is patched up to date and virus definitions are current.

But while we do all know that what we’re carrying around in our pockets are very compact, yet very powerful computers, and no doubt we apply the same caution to accessing emails on our smartphones as we do at our computer, for that moment when we’re making calls or sending / receiving text messages, they somehow become just phones again.

It’s just a text message

Yet those 160 or less characters can easily be just as harmful as any phishing attack you might receive by email. And as with any phishing attack, they prey on our weaknesses.

They know that the chances are we have let the big chain store have our phone number at some point, and probably missed a marketing opt-out tick box somewhere, so it’s quite plausible we did just receive a free gift card to tempt us back. All we have to do is tap the link to claim it.

They know we’re all terrified of our unscrupulous mobile carriers sneakily allowing huge bills to build up, so if we’re told we’re going to be charged £2 a day for some service we don’t want unless we tap the link to cancel it, we’ll probably tap the link, just to be sure.

But if you do tap that link, you’ve left 90s SMS land behind, along with its perceived lack of danger, and seamlessly jumped into your modern web browser on your modern smartphone, and here be malware.

Have we learned nothing?

Having reached this point, they’re also far more likely to succeed than if this was on your computer – estimates of the proportion of smartphones being operated without any anti-virus protection installed whatsoever range from 40% to 95%.

But that’s not entirely the users’ fault. Even now, many “experts”, including Android security chief Adrian Ludwig, are still making statements like:

  • “Do I think the average user on Android needs to install [antivirus apps]? Absolutely not. I don’t think 99 percent plus of users get a benefit from [anti-virus apps].”

Shame on him! There are never any virus threats to a system, until there are. And, well, there are.

Apple and Linux advocates used to scoff at their Windows counterparts from behind their supposedly safe, virtually virus-free operating systems. In fact many still do, though they are horribly misinformed. Apple finally took down the claim on their website that OS X “doesn’t get PC viruses” in 2012. Red Hat recently had to do the same, removing the “virus-free” claim from the Fedora Linux feature list. Windows gets Windows viruses. OS X gets OS X viruses, Linux gets Linux viruses. Your system is a target as soon as it’s popular enough to be worth someone’s time targeting.

And Smartphones, by the way, are popular enough.

Amusingly we are also once again in the same position where, due to a couple of recent high-profile Android security threats, Apple are calling out Android as unsafe, while their own product is of course impervious to such issues.

The upshot is that unless you are one of the very few with security measures in place, you are likely totally unprotected from malware that could start logging your inputs, siphoning off your data, joining your device up to some zombie botnet, or even worse.

But it’s not just Malware

While there is no doubt that our vulnerability to malware attacks on our phones is a serious concern, the other type of attack most often associated with traditional phishing remains as much a danger as ever – social engineering.

Attackers also know that many of us now use our phones directly as a line of security, for example receiving authentication codes to our phones by text or app when carrying out banking transactions, or when logging in to secure accounts with two-step verification. But while we’re all for added security measures, how secure can they be if we don’t fully understand them?

Here’s how it’s meant to work – If I set up a new payment using my bank’s online banking service, when I hit confirm I am asked to wait until I receive a text message containing an OTP (One Time Passcode, a code that will only ever be used once) which I must then enter onto the banking website before that payment will actually be made. This sounds very secure: it appears to prove that not only am I in possession of all the relevant details in order to log in to my online banking account, but I am also in possession of my phone.
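To make the OTP flow above concrete from the bank’s side, here is an added example (not code from the original post, and not any real bank’s system) of a server-side service that issues a one-time passcode for a specific pending payment and then verifies it. The code is bound to the payment it was issued for (payee and amount), accepted once only, expires after an assumed five minutes, and is discarded after an assumed three wrong guesses. The `PaymentOtpService` class, the `hypothetical-server-key` value and the sort-code/account-number strings are all constructed for the illustration.

```python
import hashlib
import hmac
import secrets
import time

# Assumed policy values, not taken from the page or any real bank.
OTP_TTL_SECONDS = 300   # a code is only valid for five minutes
OTP_MAX_ATTEMPTS = 3    # three wrong guesses and the code is thrown away


class PaymentOtpService:
    """Issues and verifies one-time passcodes tied to a pending payment.

    The clear-text code is returned to the caller for delivery to the
    customer's phone and is never stored; the server keeps only an HMAC
    of (payment, payee, amount, code), so a code read back for one
    payment cannot be replayed against a different one.
    """

    def __init__(self, server_key: bytes, now=time.time):
        self._key = server_key
        self._now = now              # injectable clock, so expiry can be tested
        self._pending = {}           # payment_id -> dict(digest, issued_at, attempts)

    def _digest(self, payment_id: str, payee: str, amount_pence: int, code: str) -> bytes:
        # Bind the code to the exact payment details it authorises.
        msg = f"{payment_id}|{payee}|{amount_pence}|{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, payment_id: str, payee: str, amount_pence: int) -> str:
        """Create a fresh six-digit code for this payment and return it for SMS delivery."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[payment_id] = {
            "digest": self._digest(payment_id, payee, amount_pence, code),
            "issued_at": self._now(),
            "attempts": 0,
        }
        return code

    def verify(self, payment_id: str, payee: str, amount_pence: int, code: str) -> bool:
        """Return True exactly once for the right code on the right payment."""
        record = self._pending.get(payment_id)
        if record is None:
            return False                         # unknown, already used, or discarded
        if self._now() - record["issued_at"] > OTP_TTL_SECONDS:
            del self._pending[payment_id]        # expired: never accept a stale code
            return False
        expected = self._digest(payment_id, payee, amount_pence, code)
        if hmac.compare_digest(expected, record["digest"]):
            del self._pending[payment_id]        # one-time: consumed on success
            return True
        record["attempts"] += 1
        if record["attempts"] >= OTP_MAX_ATTEMPTS:
            del self._pending[payment_id]        # stop online guessing of the code
        return False


if __name__ == "__main__":
    svc = PaymentOtpService(b"hypothetical-server-key")
    payee = "12-34-56 12345678"                  # constructed sort code / account number
    code = svc.issue("payment-1", payee, 270000)  # GBP 2,700.00 in pence
    print("first use accepted:", svc.verify("payment-1", payee, 270000, code))
    print("replay accepted:   ", svc.verify("payment-1", payee, 270000, code))
```

The important properties are in `verify`: the HMAC is recomputed from the payee and amount the website is about to act on, so the same six digits cannot be reused for a second, larger payment; the record is deleted on success, so the code really is one-time; and the injectable clock and attempt counter close the two remaining holes, stale codes and brute-force guessing.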

My bank in particular actually appear to get quite a lot of this stuff right – for example when logging in, not only am I proving who I am to them, they also make the effort to prove who they are to me: After I enter my username but before I enter my password and PIN, they display a picture and phrase that I chose when setting up the account.

The trouble with all of these measures is that they are vulnerable to what is called a Man-In-The-Middle attack. Suppose, for example, that I am in fact logging in to a faked online banking website. I enter my username and am presented with my image and phrase. How? Well I just gave them all the details they needed in order to request the information from the genuine site. It will add mere milliseconds to the response time for them to take my entered details, enter them into the genuine site, retrieve the genuine response, and display them to me as if they came directly.

What does that have to do with SMiShing?

It was recently reported that a man lost £22,700, and the bank, the same one I bank with, will not reimburse him because he was tricked into actively authorising the transaction.[1]

The victim received a text message from his bank stating that a payment had been set up to BT (a perfectly legitimate organisation) and that if he had not authorised this then he would need to call the fraud prevention number included in the message. Of course the message was not really from his bank at all; the attackers had simply spoofed the message origin, causing his phone to place it in the existing thread with other legitimate messages from the bank. Our victim made the mistake of believing this was proof enough that the message was genuinely from the bank and so, rather than looking it up independently, he called the number given – our Man-In-The-Middle.

The fraudster on the other end of the phone advised that in order to reverse the transaction the account holder simply needed to prove his identity – an OTP would need to be sent to his phone and read back to them. The OTP, again appearing in the same message thread, genuinely was from the bank. In this case the transaction was flagged and a follow-up phone call, also genuinely from the bank, was made to the victim to confirm it, but because it appeared to authorise a payment to himself for £2,700, and not understanding the system, he confirmed that it was genuine. In fact, the payment he had authorised was simply to an account that the fraudsters had opened in the same name. The way this particular bank works is that once a first payment had been made and authorised the fraudsters were then able to complete a further payment for £20,000 without the need for another OTP. After this the bank contacted the victim yet again, but, while the fraudulent transactions were finally recognised, the money had already gone.

It actually appears, then, that the bank genuinely did a great deal right on this occasion. The victim was socially engineered into committing multiple security no-nos, he called a number without confirming it was genuine, he must have given out other security details in order to compromise his online account, he provided the OTP over the phone, and he blindly confirmed the transaction even when it was questioned again by the bank. All because of a text message.

SMiShing is on the rise

Don’t get me wrong, SMiShing is not new. In fact it’s been increasing at an astronomical rate for years. This is likely primarily due to the fact that more and more of us bring our own smartphones into our work environment, often even when we also have a company issued device. In doing so we risk carelessly sidestepping many of the measures that the business has put in place, and making ourselves very ripe targets indeed.

Of course that’s not the only reason either – we use our phones for everything now, many people far more than they ever used computers. We bank on them, shop on them, store our entire schedule on them and of course the full contact details of everyone we know, including our own. That is a lot of data.

How can you tell it’s a scam?

With an email, if you suspect a scam there are quite a few things to look for. But text messages don’t have, for example, any of that useful header data to look in for inconsistencies. And there genuinely are plenty of large companies sending texts that originate from a plain standard phone number, so that’s hardly a red flag either. Actually all you really can do is simply be much, much more cautious about what you tap.

[1] – “Bank customers targeted in new ‘smishing' scam: Warning after one customer lost £23,000 (and Santander won't refund his cash)”, 9 February 2016
