OFFICIAL SECURITY BLOG
September 7, 2012 | BY Adam Kujawa
A few months ago, I did a series on phishing called Phishing 101. In it, I described various ways in which cyber-criminals try to steal information by swindling users with fake websites, social network spam and even lures in video games. This week I want to touch on a method that has been steadily becoming more prominent all over the world: phishing over the phone.
Scammers are now posing as well-known banks and sending SMS messages to people. In these messages, the criminal asks the recipient either to click a link or to call a phone number.
If you click the link (assuming you have a web-enabled smartphone), it takes you to a phishing page that asks you to enter either login credentials or credit card information. This is nothing beyond the norm for phishing attacks performed through e-mail. I find, however, that the more interesting approach is asking the user to call a phone number. If you call the number, it is answered by an automated recording asking the caller to enter their credit card information in order to have their account unlocked or to obtain some vital information they supposedly need to know about.
Scammers obtain your phone number in several ways. One is cyber-criminal databases full of stolen or purchased contact information. Another is mobile malware that infects the phone of an unsuspecting victim and either uses their number to send the phishing messages or steals their contacts and sends them to a remote server, to be fed into one of the aforementioned databases.
In a somewhat similar incident a few months ago, SMS messages threatening people with death were sent to people in Australia. The messages informed the recipient that someone had paid the sender to kill the victim, and that if they wanted to live, they needed to pay the sender $5,000. The Australian police quickly identified it as a fraud; even so, they received hundreds of phone calls from concerned citizens who had received the text messages. In a way, this tactic belongs in the same category as ransomware: something valuable (your life) is held hostage for a fee. The biggest difference is that ransomware actually does hijack your system, while this method only attempts to fool you.
As I mentioned in my previous blogs, phishing and everything like it has not changed since the early days of computers, and even the basic concepts reach back to early man. The only thing that changes is the method by which the scam or threat is delivered to the victim.
Think about the bank phishing example above. Even though the original hook was sent via an advanced technological wonder like SMS messaging, the fact that the victim would call an automated service and willingly give up their credit card information is nothing new. If you received a call from someone you did not know asking you to do the same thing, most people would not think twice about hanging up the phone. Yet because it arrives over a medium that is new, personal and tightly controlled by large phone companies, the average person ignores the red flags they would notice if the same thing happened in a different fashion. As mobile computers become even more widespread in our society, we will see more and more scams like this taking place every day. Cyber-criminals are opportunistic and at the same time creatures of habit: they will try the same things in as many ways as they can possibly think of, because it has worked so well in the past.
Avoiding these types of scams is as easy as clicking the delete button. If you do get a text message from someone claiming to be your bank, asking you to call a specific number or to visit a website via a provided link, call your bank and ask whether the message was legitimate. Do not use the number provided in the message; instead, use the number or the web address printed on the back of your bank card.
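As an added illustration (not code from the original post), the following heuristic applies the advice above to incoming SMS text: it looks for the three ingredients of the lure described earlier (financial wording, an account-lock or urgency pretext, and a link or callback number) and compares any link or number against the institution's published contacts. The sample messages, the `PUBLISHED_CONTACTS` allowlist and the `classify_sms` function are all constructed for this demo.

```python
import re

# Constructed sample SMS messages for the demo (not from the original post);
# the numbers and domains are placeholders, not real contacts.
SAMPLES = [
    "ExampleBank Alert: your debit card has been locked. Call 555-0100 now to unlock your account.",
    "ExampleBank: unusual activity on your account. Verify your login at http://examplebank-secure.example/verify",
    "ExampleBank: please verify the new card on your account at https://examplebank.example/cards",
    "Hi, it's Sam. Running late, call me at 555-0199 when you get this.",
]

# Hypothetical allowlist of the bank's published contact points: the number on
# the back of the card and its real web domain (values are placeholders).
PUBLISHED_CONTACTS = {"phones": {"5550123"}, "domains": {"examplebank.example"}}

BANK_CUE = re.compile(r"\b(bank|credit union|debit card|credit card|account)\b", re.I)
PRESSURE_CUE = re.compile(r"\b(locked|suspended|unlock|verify|unusual activity|immediately|now)\b", re.I)
URL_RE = re.compile(r"https?://([^/\s]+)", re.I)          # captures the host part of a link
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{5,}\d")             # loose match for a dialable number


def _digits(s):
    """Normalise a phone number to digits only so formatting differences do not matter."""
    return re.sub(r"\D", "", s)


def classify_sms(text):
    """Return (suspicious, reasons) for one message."""
    reasons = []
    if BANK_CUE.search(text):
        reasons.append("financial wording")
    if PRESSURE_CUE.search(text):
        reasons.append("account-lock/urgency pretext")
    # The channel the lure wants the victim to use, checked against published contacts:
    # a link or number that is not the bank's own is the red flag, not the link itself.
    for m in URL_RE.finditer(text):
        host = m.group(1).lower()
        if host not in PUBLISHED_CONTACTS["domains"]:
            reasons.append(f"link to unpublished host {host}")
    for m in PHONE_RE.finditer(text):
        if _digits(m.group(0)) not in PUBLISHED_CONTACTS["phones"]:
            reasons.append(f"unpublished callback number {m.group(0).strip()}")
    has_channel = any(r.startswith(("link to", "unpublished")) for r in reasons)
    # All three ingredients together make the message suspicious; any one alone is normal traffic.
    suspicious = "financial wording" in reasons and "account-lock/urgency pretext" in reasons and has_channel
    return suspicious, reasons


if __name__ == "__main__":
    for s in SAMPLES:
        flag, why = classify_sms(s)
        print("SUSPICIOUS" if flag else "ok        ", "|", "; ".join(why) or "-", "|", s[:60])
```

The third sample shows why the allowlist matters: it carries financial wording and a "verify" pretext, but its only link points to the published domain, so it is not flagged, while a friend's unlisted number with no bank wording is also left alone.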
In addition, make sure your friends and family are aware that scams like this are going on; do not let them fall victim to something that is so easily avoidable. Also, if you want to take a stand against these things, get hold of your bank when you receive a phishing text message and let them know; they will most likely ask you to forward it to them. You could also get hold of your service provider and let them know, so they may be able to work with law enforcement to stop more people from being scammed.