Dark Reading is part of the Informa Tech Division of Informa PLC


Endpoint

3/9/2020
09:00 AM
By Avihai Ben-Yossef, Co-Founder & CTO, Cymulate
Sponsored Article

Is Smishing the New Backdoor?

Scammers are adding smishing attacks to their arsenal, and for good reason: the open rate for text messages is an alarming 98%. So, what exactly is smishing?

What Is Smishing?
Smishing is a combination of the words SMS and phishing and is a type of social engineering attack orchestrated to obtain personal information such as credit card details, banking info, Social Security details, or passwords.

Smishing differs from traditional phishing attacks in that it targets text messages instead of emails. Smishing attacks happen more often than you may think. In 2019, 84% of infosec professionals reported that their organization experienced a smishing attack.

More recently, Amazon customers reported texts that they genuinely believed were sent out from FedEx, asking them to set up delivery preferences for receiving packages, complete with a bogus tracking code. When the unsuspecting victims clicked on the link, they were asked to enter their Amazon credentials, which were then harvested by the scammers.

Hackers are always on the lookout for new techniques, particularly on mobile devices, which are notoriously poorly secured. SMS messages make a perfect delivery channel since they appear more personal and are harder to detect.

How Smishing Works
Scammers pose as banks or online retailers sending you a "legit-looking" text message that creates a sense of urgency, asking you to update your account or information because it might be "compromised."

Once you click on the embedded text link, you will then be redirected to a page that is nearly identical to your bank's website or other trusted sites that appear familiar to you.

Hackers use this technique to obtain sensitive information such as credentials, credit card info or Social Security details, or to deploy the latest malware on your smartphone.

SMS Phishing Attacks — The New Foothold into Corporate Wi-Fi Networks
Organizations are at high risk from smishing attacks because of employees covered by BYOD (Bring Your Own Device) policies. Since BYOD devices aren't strictly controlled by the organization, company information on or reachable from them can become vulnerable to malicious attacks.

What's even more troubling is that the organization might not even be aware of it until it's too late.

Here's how it works.

Smishing provides hackers a way to bypass the security controls of a secured infrastructure by targeting a connected mobile device of an employee or guest. A weaponized SMS can compromise the mobile device providing the initial foothold into the corporate Wi-Fi and giving the hacker total control of the device.

The next step of the attack would be to move laterally to a corporate endpoint, completely bypassing perimeter security controls.

Once inside the network, hackers can steal sensitive company information and trade secrets, capture user IDs and passwords, or infect the network with ransomware and a plethora of worms. The end results can be crippling to an organization, especially when the breach goes public.

How to Protect Yourself from Smishing Attacks
Endpoint security controls are considered the last bastion or layer of defense, so you need to be sure that they are working at full effectiveness against infection and lateral movement. Testing endpoint security controls must be continuous vis-à-vis new attack tactics and techniques.

And given the fact that the open rate for a text message is an alarming 98%, it should come as no surprise that this simple point of entry will become the next backdoor into a corporate network.

We have already seen how hackers stole a casino's database from a connected thermometer in a fish tank, so why not through a BYOD phone? That said, here are a few additional ways to minimize the risks of a smishing attack:

Security Controls

  • Place security controls between guest and BYOD Wi-Fi networks and the corporate Wi-Fi and LAN.

  • Make sure your endpoint security settings are continuously up to date.

  • Set up an effective and continuous endpoint security assessment program to ensure that the settings are operating at maximum efficacy.

  • Deploy mobile security management solutions where possible.
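The first control above, keeping a security control point between guest/BYOD Wi-Fi and the corporate network, is easy to state and easy to get wrong in practice once exceptions accumulate. The following is an added example, not code from the article or from Cymulate: a small reachability check over a model of network segments and the flows they are allowed to initiate. It reports any path from an untrusted segment (guest or BYOD Wi-Fi) to a protected one (corporate Wi-Fi or LAN) that does not pass through a designated control point. The segment names, the two sample topologies and the choice of "ids_gateway" as the control point are all constructed for illustration.

```python
# Added example (not from the Dark Reading article or Cymulate): verify that
# guest and BYOD Wi-Fi segments can only reach the corporate network through a
# designated security control point. All segment names and flows are constructed.
from collections import deque

# Directed "may initiate traffic to" edges between segments.
# Weak setting: a flat network where untrusted Wi-Fi reaches the LAN directly.
FLAT_NETWORK = {
    "guest_wifi": {"corp_lan"},
    "byod_wifi": {"corp_wifi"},
    "corp_wifi": {"corp_lan"},
    "corp_lan": set(),
}

# Corrected setting: untrusted segments reach only the internet or an
# inspection gateway, and that gateway is the sole path into the LAN.
SEGMENTED_NETWORK = {
    "guest_wifi": {"internet_egress"},
    "byod_wifi": {"ids_gateway"},
    "ids_gateway": {"corp_lan"},
    "corp_wifi": {"corp_lan"},
    "corp_lan": set(),
    "internet_egress": set(),
}

UNTRUSTED = {"guest_wifi", "byod_wifi"}          # where a smished phone lands
PROTECTED = {"corp_wifi", "corp_lan"}             # what lateral movement targets
CONTROL_POINTS = {"ids_gateway"}                   # hypothetical firewall/NAC/IDS hop


def uncontrolled_paths(graph, untrusted=UNTRUSTED, protected=PROTECTED,
                       controls=CONTROL_POINTS):
    """Return a sorted list of (source, path) for every untrusted segment that
    can reach a protected segment without traversing a control point.

    Breadth-first search over the flow graph; control-point segments are never
    entered, so any path found is by construction an uncontrolled one. The
    search stops at the first protected segment on each path."""
    findings = []
    for src in sorted(untrusted):
        queue = deque([[src]])
        seen = {src}
        while queue:
            path = queue.popleft()
            node = path[-1]
            if node in protected:
                findings.append((src, path))
                continue
            for nxt in sorted(graph.get(node, ())):
                if nxt in controls or nxt in seen:
                    continue
                seen.add(nxt)
                queue.append(path + [nxt])
    return findings


def is_properly_segmented(graph):
    """True when no untrusted segment has an uncontrolled path to a protected one."""
    return not uncontrolled_paths(graph)


if __name__ == "__main__":
    for name, graph in (("flat", FLAT_NETWORK), ("segmented", SEGMENTED_NETWORK)):
        print(name, "segmented OK" if is_properly_segmented(graph) else "GAPS:")
        for src, path in uncontrolled_paths(graph):
            print("   ", src, "->", " -> ".join(path))
```

The flow model is deliberately coarse (segment-to-segment, not per-port), which is the level at which a BYOD-to-LAN gap usually appears in a network diagram review; feeding it the allowed flows exported from a firewall policy turns it into a quick regression check that a new "temporary" rule has not reopened a direct path.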

Employee Education

  • Never click on links from anyone you don't know or trust.

  • Never install software promoted via text message.

  • Think twice before sharing credentials and other sensitive information.

  • Don't open messages that appear spammy and be wary of words such as "Congratulations" or "Urgent" and "Free." If it sounds too good to be true, it's most likely a smishing attack.
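The "How Smishing Works" section and the employee-education list above describe the same handful of tells: a claimed sender brand, an urgency or lure word, an embedded link whose host does not belong to that brand, and a request for credentials or card data. The following is an added example, not code from the article or from Cymulate, that turns those tells into a scoring function a security team could run over SMS samples reported by staff. The brand-to-domain table, the keyword lists, the weights and the three sample messages are all constructed for illustration; the `example.net`/`example.org` hosts are placeholders, not real phishing infrastructure.

```python
# Added example (not from the Dark Reading article or Cymulate): score an SMS
# text against the smishing indicators the article lists. Keyword lists,
# brand table, weights and sample messages are constructed for illustration.
import re
from urllib.parse import urlsplit

URGENCY_WORDS = {"urgent", "congratulations", "free", "suspended",
                 "immediately", "verify", "compromised"}
CREDENTIAL_WORDS = {"password", "login", "credentials", "ssn",
                    "social security", "card number", "pin"}
# Domains a brand legitimately sends from (constructed; "examplebank" is fictional).
KNOWN_BRANDS = {
    "fedex": {"fedex.com"},
    "amazon": {"amazon.com"},
    "examplebank": {"examplebank.com"},
}
WEIGHTS = {"urgency_or_lure": 1, "asks_for_sensitive_data": 2,
           "contains_link": 1, "brand_domain_mismatch": 3}
URL_RE = re.compile(r"""(?:https?://|www\.)[^\s<>"']+""", re.IGNORECASE)


def _words_present(text, words):
    """Whole-word matches only, so 'free' does not fire on 'freedom'."""
    return sorted(w for w in words
                  if re.search(r"\b" + re.escape(w) + r"\b", text))


def extract_hosts(text):
    """Hostnames of every http(s):// or www. link in the message."""
    hosts = []
    for m in URL_RE.findall(text):
        url = m if m.lower().startswith("http") else "http://" + m
        host = (urlsplit(url).hostname or "").lower()
        if host:
            hosts.append(host)
    return hosts


def host_matches_brand(host, domains):
    """True if host is one of the brand's domains or a subdomain of one.
    'www.examplebank.com.verify-login.example.org' does NOT match: the
    registrable domain is example.org, the brand name is just a decoy label."""
    return any(host == d or host.endswith("." + d) for d in domains)


def smishing_indicators(text):
    """Map indicator name -> supporting detail for one message."""
    lower = text.lower()
    found = {}
    urg = _words_present(lower, URGENCY_WORDS)
    if urg:
        found["urgency_or_lure"] = urg
    cred = _words_present(lower, CREDENTIAL_WORDS)
    if cred:
        found["asks_for_sensitive_data"] = cred
    hosts = extract_hosts(text)
    if hosts:
        found["contains_link"] = hosts
    for brand, domains in KNOWN_BRANDS.items():
        if brand in lower:
            mismatched = [h for h in hosts if not host_matches_brand(h, domains)]
            if mismatched:
                found["brand_domain_mismatch"] = {"claimed": brand, "hosts": mismatched}
    return found


def smishing_score(text):
    """Weighted sum of the indicators present; higher means more suspicious."""
    indicators = smishing_indicators(text)
    return sum(WEIGHTS[k] for k in indicators), indicators


def triage(messages, threshold=3):
    """(flagged, score, message) for each message; threshold is a tuning choice."""
    return [(score >= threshold, score, msg)
            for msg in messages for score, _ in (smishing_score(msg),)]


# Constructed sample messages: two smishing-style lures and one benign reminder.
SAMPLES = [
    "FedEx: your package is waiting. Set delivery preferences here: "
    "http://fedex-tracking-update.example.net/track?id=7731",
    "URGENT: Your ExampleBank account may be compromised. Verify your password "
    "now at www.examplebank.com.verify-login.example.org",
    "Reminder: your dentist appointment is tomorrow at 10am. Reply C to confirm.",
]

if __name__ == "__main__":
    for flagged, score, msg in triage(SAMPLES):
        print("FLAG" if flagged else "ok  ", score, msg[:60])
```

The brand/domain mismatch carries the highest weight on purpose: urgency words and links appear in plenty of legitimate notifications, but a message that names one brand and links to a host outside that brand's domains is the pattern behind the FedEx-themed Amazon credential lure described earlier. Short-link services would need their own handling (resolve, then check the landing host), which this example does not attempt.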

Endpoint Security Assessment
Read more about how Cymulate's comprehensive endpoint security assessment checks that your systems and apps are properly tuned to defend against signature and behavior-based attacks.

Cymulate also provides you with a risk score and detailed report showing exactly where and how your company is exposed with directions for closing security gaps using your existing security controls.

About the Author: Avihai Ben-Yossef, Co-Founder & CTO, Cymulate
Avihai Ben-Yossef is the co-founder and CTO of Cymulate. At age 26, Avihai and co-founder Eyal Wachsman established Cymulate in 2016 to transform security testing for companies. Ben-Yossef has been recognized by Forbes Israel 30 under 30.
