Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


09:00 AM
By Avihai Ben-Yossef, Co-Founder & CTO, Cymulate
By Avihai Ben-Yossef, Co-Founder & CTO, Cymulate
Sponsored Article

Is Smishing the New Backdoor?

Scammers are adding smishing attacks to their arsenal and for good reason, the open rate for text messages is an alarming 98%. So, what exactly is smishing?

What Is Smishing?
Smishing is a combination of the words SMS and phishing and is a type of social engineering attack orchestrated to obtain personal information such as credit card details, banking info, Social Security details, or passwords.

Smishing differs from traditional phishing attacks in that it targets text messages instead of emails. Smishing attacks happen more often than you may think. In 2019, 84% of infosec professionals reported that their organization experienced a smishing attack.

More recently, Amazon customers reported texts that they genuinely believed were sent out from FedEx, asking them to set up delivery preferences for receiving packages, complete with a bogus tracking code. When the unsuspecting victims clicked on the link, they were asked to enter their Amazon credentials, which were then harvested by the scammers.

Hackers are always on the lookout for new techniques, particularly on mobile devices that are notoriously unsecured. SMS messages make perfect targets since they appear more personal and are trickier to detect.  

How Smishing Works  
Scammers pose as banks or online retailers sending you a "legit-looking" text message that creates a sense of urgency, asking you to update your account or information because it might be "compromised."

Once you click on the embedded text link, you will then be redirected to a page that is nearly identical to your bank's website or other trusted sites that appear familiar to you.

Hackers use this technique to obtain sensitive information such as credentials, credit card info or Social Security details, or to deploy the latest malware on your smartphone.  

SMS Phishing Attacks — The New Foothold into Corporate Wi-Fi Networks
Organizations are at high risk from smishing attacks due to employees that have BYOD or Bring Your Own Device, policies. Since BYOD devices aren't strictly controlled by an organization, company information can become vulnerable to malicious attacks.

What's even more troubling is that they might not even be aware of it until it's too late.  

Here's how it works.  

Smishing provides hackers a way to bypass the security controls of a secured infrastructure by targeting a connected mobile device of an employee or guest. A weaponized SMS can compromise the mobile device providing the initial foothold into the corporate Wi-Fi and giving the hacker total control of the device.

The next step of the attack would be to move laterally to a corporate endpoint, completely bypassing perimeter security controls.

Once inside the network, hackers can steal sensitive company information and trade secrets, capture user ID and passwords, or infect the network with ransomware and a plethora of worms. The end results can be crippling to an organization, especially when the breach goes public.  

How to Protect Yourself from Smishing Attacks
Endpoint security controls are considered the last bastion or layer of defense, so you need to be sure that they are working at full effectiveness against infection and lateral movement. Testing endpoint security controls must be continuous vis-à-vis new attack tactics and techniques.

And given the fact that the open rate for a text message is an alarming 98%, it should come as no surprise that this simple point of entry will become the next backdoor into a corporate network.

We have already seen how hackers stole a casino's database from a connected thermometer in a fish tank, so why not through a BYOD phone? That said, here are a few additional ways to minimize the risks of a smishing attack:

Security Controls

  • Place security controls between guest and BYOD Wi-Fi networks and the corporate Wi-Fi and LAN.

  • Make sure your endpoint security settings are continuously up to date.

  • Set up an effective and continuous endpoint security assessment program to ensure that the settings are operating at maximum efficacy.

  • Deploy mobile security management solutions where possible.

Employee Education

  • Never click on links from anyone you don't know or trust.

  • Never install software promoted via text message.

  • Think twice before sharing credentials and other sensitive information.

  • Don't open messages that appear spammy and be wary of words such as "Congratulations" or "Urgent" and "Free." If it sounds too good to be true, it's most likely a smishing attack. 

Endpoint Security Assessment
Read more about how Cymulate's comprehensive endpoint security assessment checks that your systems and apps are properly tuned to defend against signature and behavior-based attacks.

Cymulate also provides you with a risk score and detailed report showing exactly where and how your company is exposed with directions for closing security gaps using your existing security controls.

About the Author: Avihai Ben-Yossef, Co-Founder & CTO, Cymulate
Avihai Ben-Yossef is the co-founder and CTO of Cymulate. At age 26, Avihai and co-founder Eyal Wachsman established Cymulate in 2016 to transform security testing for companies. Ben-Yossef has been recognized by Forbes Israel 30 under 30.

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-22
Sourcecodester Simple Library Management System 1.0 is affected by Incorrect Access Control via the Login Panel, http://<site>/lms/admin.php.
PUBLISHED: 2020-09-22
Sourcecodester Simple Library Management System 1.0 is affected by Insecure Permissions via Books > New Book , http://<site>/lms/index.php?page=books.
PUBLISHED: 2020-09-22
Ozeki NG SMS Gateway 4.17.1 through 4.17.6 does not check the file type when bulk importing new contacts ("Import Contacts" functionality) from a file. It is possible to upload an executable or .bat file that can be executed with the help of a functionality (E.g. the "Application Star...
PUBLISHED: 2020-09-22
Ozeki NG SMS Gateway through 4.17.6 allows SSRF via SMS WCF or RSS To SMS.
PUBLISHED: 2020-09-22
Ozeki NG SMS Gateway through 4.17.6 has multiple authenticated stored and/or reflected XSS vulnerabilities via the (1) Receiver or Recipient field in the Mailbox feature, (2) OZFORM_GROUPNAME field in the Group configuration of addresses, (3) listname field in the Defining address lists configuratio...