Smishing: the new social media attack
No one likes change, except, it seems, internet attackers, who have made a profession out of rapidly changing a multitude of factors: attack vector, sophistication, volume and approach. The malware market has been monetised, and we are seeing the strongest driving forces ever to come up with new approaches that beat both security products and users' common sense.
Phishing is a good example of how the cybercriminal combines social engineering techniques with technology to grift money from an innocent internet bystander. Send an email to the victim purporting to be from someone else, be it a bank, PayPal, or, from a spyware-infected machine, a message disguised as a genuine email from a friend's address. Wait for the susceptible user to click on it believing it to be genuine and enter their private details into a fake site, and hey presto, the attacker has hoodwinked you and holds your financial or personal login details. The average phishing site stays online only 5.9 days before it is taken down or abandoned (stat from the APWG, the Anti-Phishing Working Group).
Users have, however, read again and again in articles, in warnings on bank sites, in email services and from friends not to click on such links (but they still do!). Mail solutions have become better at discerning phishing attacks and routing them correctly into anti-spam filters. Even in free webmail services such phishing emails end up in the junk folder the majority of the time. So users are growing more confident that phishing attacks will not reach them by email, and are thinking twice before they click.
So have the criminals rested on their laurels!? Have they heck. When they noticed the traditional phishing approaches returning a lower response rate, they rapidly adjusted to new mediums, and we now have what this article calls smishing (social media phishing) as a progression of their approach (note that the term smishing is more commonly used for phishing over SMS text messages; the subject here is phishing over social media). Instead of sending the advert, fake link or message by email, they are utilising social media messaging and advertising to direct the user through to their fake site. A posting on your Facebook page, for example, or a social media message, seemingly carries more trust equity with users than email, because users believe that fakes only reach them by email as spam. On social websites they seemingly enter a different mindset of trust.
You can cheaply buy lists of Facebook login details on the web. For example, a recent site was seen offering 1,000 Facebook account login details for £16.50, very affordable even at the worst of times. With such easy ammunition it is not a big step for someone to take each of these accounts and send personal-looking messages to all of the individual's linked friends: a 'have you seen this site' message, an advert, or simply a link to a fake site.
So buyer beware: what you see may not always be what you get, particularly in the world of the cyber transaction. When you see a message from someone you know, don't assume it was them who sent it from their account. Look once, think twice, before you click.
Posted 01-06-2012 11:21 AM by Ian Moyse