Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


09:00 AM
By Avihai Ben-Yossef, Co-Founder & CTO, Cymulate
By Avihai Ben-Yossef, Co-Founder & CTO, Cymulate
Sponsored Article

Is Smishing the New Backdoor?

Scammers are adding smishing attacks to their arsenal and for good reason, the open rate for text messages is an alarming 98%. So, what exactly is smishing?

What Is Smishing?
Smishing is a combination of the words SMS and phishing and is a type of social engineering attack orchestrated to obtain personal information such as credit card details, banking info, Social Security details, or passwords.

Smishing differs from traditional phishing attacks in that it targets text messages instead of emails. Smishing attacks happen more often than you may think. In 2019, 84% of infosec professionals reported that their organization experienced a smishing attack.

More recently, Amazon customers reported texts that they genuinely believed were sent out from FedEx, asking them to set up delivery preferences for receiving packages, complete with a bogus tracking code. When the unsuspecting victims clicked on the link, they were asked to enter their Amazon credentials, which were then harvested by the scammers.

Hackers are always on the lookout for new techniques, particularly on mobile devices that are notoriously unsecured. SMS messages make perfect targets since they appear more personal and are trickier to detect.  

How Smishing Works  
Scammers pose as banks or online retailers sending you a "legit-looking" text message that creates a sense of urgency, asking you to update your account or information because it might be "compromised."

Once you click on the embedded text link, you will then be redirected to a page that is nearly identical to your bank's website or other trusted sites that appear familiar to you.

Hackers use this technique to obtain sensitive information such as credentials, credit card info or Social Security details, or to deploy the latest malware on your smartphone.  

SMS Phishing Attacks — The New Foothold into Corporate Wi-Fi Networks
Organizations are at high risk from smishing attacks due to employees that have BYOD or Bring Your Own Device, policies. Since BYOD devices aren't strictly controlled by an organization, company information can become vulnerable to malicious attacks.

What's even more troubling is that they might not even be aware of it until it's too late.  

Here's how it works.  

Smishing provides hackers a way to bypass the security controls of a secured infrastructure by targeting a connected mobile device of an employee or guest. A weaponized SMS can compromise the mobile device providing the initial foothold into the corporate Wi-Fi and giving the hacker total control of the device.

The next step of the attack would be to move laterally to a corporate endpoint, completely bypassing perimeter security controls.

Once inside the network, hackers can steal sensitive company information and trade secrets, capture user ID and passwords, or infect the network with ransomware and a plethora of worms. The end results can be crippling to an organization, especially when the breach goes public.  

How to Protect Yourself from Smishing Attacks
Endpoint security controls are considered the last bastion or layer of defense, so you need to be sure that they are working at full effectiveness against infection and lateral movement. Testing endpoint security controls must be continuous vis-à-vis new attack tactics and techniques.

And given the fact that the open rate for a text message is an alarming 98%, it should come as no surprise that this simple point of entry will become the next backdoor into a corporate network.

We have already seen how hackers stole a casino's database from a connected thermometer in a fish tank, so why not through a BYOD phone? That said, here are a few additional ways to minimize the risks of a smishing attack:

Security Controls

  • Place security controls between guest and BYOD Wi-Fi networks and the corporate Wi-Fi and LAN.

  • Make sure your endpoint security settings are continuously up to date.

  • Set up an effective and continuous endpoint security assessment program to ensure that the settings are operating at maximum efficacy.

  • Deploy mobile security management solutions where possible.

Employee Education

  • Never click on links from anyone you don't know or trust.

  • Never install software promoted via text message.

  • Think twice before sharing credentials and other sensitive information.

  • Don't open messages that appear spammy and be wary of words such as "Congratulations" or "Urgent" and "Free." If it sounds too good to be true, it's most likely a smishing attack. 

Endpoint Security Assessment
Read more about how Cymulate's comprehensive endpoint security assessment checks that your systems and apps are properly tuned to defend against signature and behavior-based attacks.

Cymulate also provides you with a risk score and detailed report showing exactly where and how your company is exposed with directions for closing security gaps using your existing security controls.

About the Author: Avihai Ben-Yossef, Co-Founder & CTO, Cymulate
Avihai Ben-Yossef is the co-founder and CTO of Cymulate. At age 26, Avihai and co-founder Eyal Wachsman established Cymulate in 2016 to transform security testing for companies. Ben-Yossef has been recognized by Forbes Israel 30 under 30.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?
Tim Sadler, CEO and co-founder of Tessian,  6/17/2021
7 Powerful Cybersecurity Skills the Energy Sector Needs Most
Pam Baker, Contributing Writer,  6/22/2021
Microsoft Disrupts Large-Scale BEC Campaign Across Web Services
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-24
In the bindata RubyGem before version 2.4.10 there is a potential denial-of-service vulnerability. In affected versions it is very slow for certain classes in BinData to be created. For example BinData::Bit100000, BinData::Bit100001, BinData::Bit100002, BinData::Bit<N>. In combination with &lt...
PUBLISHED: 2021-06-24
The blockchain node in FISCO-BCOS V2.7.2 may have a bug when dealing with unformatted packet and lead to a crash. A malicious node can send a packet continuously. The packet is in an incorrect format and cannot be decoded by the node correctly. As a result, the node may consume the memory sustainabl...
PUBLISHED: 2021-06-23
Vulnerability in OpenGrok (component: Web App). Versions that are affected are 1.6.7 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise OpenGrok. Successful attacks of this vulnerability can result in takeover of OpenGrok. CVSS 3.1 ...
PUBLISHED: 2021-06-23
A vulnerability in SonicOS where the HTTP server response leaks partial memory by sending a crafted HTTP request, this can potentially lead to an internal sensitive data disclosure vulnerability.
PUBLISHED: 2021-06-23
A command execution vulnerability exists in the default legacy spellchecker plugin in Moodle 3.10. A specially crafted series of HTTP requests can lead to command execution. An attacker must have administrator privileges to exploit this vulnerabilities.