
SMS phishing is here

By Andrew R. Hickey, News Writer
07 Sep 2006 | SearchMobileComputing.com


It was only a matter of time before short message service (SMS) became a target.

Last week, researchers at McAfee Avert Labs uncovered a new form of attack, which hits through SMS and can milk a mobile user's wallet dry. On the surface, this new threat -- dubbed SMiShing (a combination of SMS and phishing) -- may appear to be only a consumer problem, but some mobile experts say enterprise mobile managers should be on their guard.

Deepa Karthikeyen, a wireless services analyst with Current Analysis, said last week's announcement was the first she had heard of SMiShing but noted that it is new, uncharted territory that mobile managers should be ready for.

She said that "it could be threatening to the enterprise if mobile devices, which employees use to access their network daily, are hacked."

A SMiShing attack could introduce viruses or other malware to the network or add massive charges to corporate cell phone bills. An attack could also expose the network to other hacks. Since SMiShing is so new, however, the network impact or costs that may be associated with an attack are unclear.

So far, SMiShing attacks have targeted users abroad, but because they are a threat to mobile systems, there is no reason they couldn't jump the seas into the U.S. And though full-scale attacks in the U.S. may not necessarily be imminent, some mobile experts caution that it's better to be safe than sorry.

David Rayhawk, senior researcher at McAfee Avert Labs, which recently went public with SMiShing information, said SMiShing "is yet another indicator that cell phones and mobile devices are becoming increasingly used by perpetrators of malware, viruses and scams."

In a blog entry, Rayhawk detailed a SMiShing ploy where users received a text message such as "We're confirming you've signed up for our dating service. You will be charged $2/day unless you cancel your order." Following the message is a Web link that would route the user to the main phishing page.

"Fearful of incurring premium rates on their cell phone bill, they visit the Web site highlighted in the message," Rayhawk wrote. "Once they arrive at the URL, they are prompted to download a program which is actually a Trojan horse that turns the computer into a zombie, allowing it to be controlled by hackers. The computer then becomes part of a bot network, which can then be used to launch denial of service attacks, install keylogging software, … steal personal account information and [perform] other malicious activities."
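The lure described above has a recognizable shape: a bogus subscription or charge notice, pressure to act, a link, and (at the landing page) a prompt to download a program. The following is an added example, not code from the article or from McAfee, showing how a mobile manager could screen message bodies for that shape before they reach users. The phrases, weights and threshold are assumptions chosen for illustration rather than a published ruleset, and the sample messages are constructed (the first mirrors the wording quoted in the article).

```python
import re
from dataclasses import dataclass, field

# Added example, not code from the article or from McAfee: a heuristic screen
# for SMS phishing lures of the kind described above (bogus charge notice +
# link + prompt to download a program). Phrases and weights are assumptions
# chosen for illustration, not a published ruleset.
LURE_PATTERNS = {
    "charge_threat": re.compile(r"\b(you will be charged|charged \$?\d+|premium rate)\b", re.I),
    "cancel_pressure": re.compile(r"\b(unless you cancel|cancel your (order|subscription))\b", re.I),
    "confirmation_bait": re.compile(r"\b(we'?re confirming|confirm(ing)? (your|you'?ve))\b", re.I),
    "signup_claim": re.compile(r"\b(signed up|subscribed|registered)\b", re.I),
}
URL_RE = re.compile(r"(?:https?://\S+|\bwww\.\S+)", re.I)
# A link ending in a program package is the "download a program" step of the lure.
DOWNLOAD_RE = re.compile(r"\.(?:exe|sis|cab|jar|zip|apk)\b", re.I)


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)
    urls: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # A lure with no link is spam at worst; a link alone is ordinary traffic.
        return bool(self.urls) and self.score >= 3


def score_sms(text: str) -> Verdict:
    """Score one message body; a higher score means more SMiShing indicators."""
    v = Verdict()
    v.urls = URL_RE.findall(text)
    if v.urls:
        v.score += 1
        v.reasons.append("contains link")
    for name, pattern in LURE_PATTERNS.items():
        if pattern.search(text):
            v.score += 1
            v.reasons.append(name)
    if any(DOWNLOAD_RE.search(u) for u in v.urls):
        v.score += 2
        v.reasons.append("link points at a program download")
    return v


# Constructed samples: the first mirrors the wording quoted in the article.
SAMPLES = [
    "We're confirming you've signed up for our dating service. You will be "
    "charged $2/day unless you cancel your order. www.example.invalid/cancel",
    "Your package was delivered. Thanks for shopping with us.",
    "Meeting moved to 3pm, agenda at https://intranet.example.invalid/agenda",
    "Update required: install https://example.invalid/update.exe now",
]


def screen(messages):
    """Return (message, verdict) pairs for the messages that merit review."""
    flagged = []
    for msg in messages:
        verdict = score_sms(msg)
        if verdict.suspicious:
            flagged.append((msg, verdict))
    return flagged


if __name__ == "__main__":
    for msg, verdict in screen(SAMPLES):
        print(f"score={verdict.score} reasons={verdict.reasons}\n  {msg}\n")
```

The threshold deliberately requires a link: the harm in the ploy comes from where the link leads, so a charge notice without one is logged as spam rather than blocked, while a link to a program package scores high even without lure wording, since that is the step that installs the Trojan.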

Rayhawk said understanding how far SMiShing reaches is difficult.

"Because monitoring botnet activity is complex, it is challenging to know the current scope of the problem," he wrote.

Once hackers learn to fully exploit SMiShing techniques, the threat to enterprise users will grow.

"Most large enterprises have thousands of employees, using a variety of devices to access their networks," Rayhawk wrote in his blog. "Despite their best efforts to issue safety guidelines, IT security staff cannot control human behavior, especially in light of the fact that mobile users have not yet learned to treat their phones with the same level of concern that they apply to their laptops. Mobile devices present a serious challenge to data security, with the potential to infect both carrier and enterprise networks."

Daniel Taylor, managing director of the Mobile Enterprise Alliance, said enterprises allowing the use of numerous devices should set strict rules and policies to avoid falling victim to SMiShing.

"Yes, enterprises should be concerned," he said. "They should be concerned about committing to support too many types of mobile devices. If an IT department agrees to support more than two or three different device types, they're overcommitting."

According to Taylor, best practices for mobile devices should provide three things: a set of policies that help to address phishing, security software to address viruses and other forms of malware, and a way to use over-the-air updates to re-image devices and recover data.

"An infected device should never be allowed to connect to the corporate network," he added.

Taylor continued: "Like support, security is a set of policies that reinforces the constraint that IT departments can only support a homogeneous combination of devices and software loads."

Karthikeyen said that with the growth in messaging service subscriptions and cell phone providers looking to compete against the Internet, mobile device users are increasingly becoming targets for hackers, spam and other attacks.

"Cell phone users have to learn to exercise caution when they use their cell phones," she said, adding that there are now PC-based viruses on cell phones and that virus-scanning tools for cell phones could be on the horizon.

In an interview shortly after his blog posting, Rayhawk said SMS and mobile device attacks could become as commonplace as PC-related threats. Some mobile malware can destroy devices; worse, it could cripple a corporate network.

"Eventually," Rayhawk said, "we should see everything you expect to see on the PC …."

Because SMS is widely popular and available to almost anyone with a cell phone, SMiShing threats could eventually surpass email-related attacks, Rayhawk said, especially because many users are now more cautious about emails.

"If you got an email message like this, you should know better than to open it," he said.

Another threat to an enterprise, according to Rayhawk, is an attacker who obtains a corporate phone list and can target a SMiShing attack at a specific set of users.

Current Analysis analyst Kathryn Weldon agreed.

"Clearly there would be not only a huge annoyance factor for consumers and enterprises alike for this kind of forced service/spam," Weldon said, "but McAfee implies [with its SMiShing announcement] it opens them up to a scenario where peddlers can find them and text them at will."

Rayhawk suggests that mobile managers deploy some form of mobile anti-virus protection to quell potential SMiShing threats and other attacks. McAfee, Symbian and Symantec, among others, offer products to secure mobile devices, he said.

"Enterprises would be wise to keep a close eye on the issue," Rayhawk said, "think about policies for securing their mobile devices ahead of time -- rather than playing catch-up when it hits them -- and begin to educate their employees about the potential risk now."

This article originally appeared on SearchMobileComputing.com.
