Inside Text Message Phishing Attacks
Not all phishing takes place online.
Text message-based phishing, called smishing, is still out there, and though on the decline, a report from security vendor Internet Identity (IID) shows it is still being used to target credit unions.
In smishing, scammers use text messages to impersonate companies and lure victims into calling a fake interactive voice response (IVR) system designed to steal personal data like account credentials and social security numbers.
"The most common text phishing is text-to-phone, where text messages are sent to potential victims with the goal of getting those victims to call a phone number provided in the message," explained Lars Harvey, CEO of IID. "When a victim calls the number, they are presented with an interactive voice response tree that often mimics the target institution's own system. This system draws out and collects account access credentials from the victims."
Less common is text-to-Website, where the text message lures the victim to a traditional phishing Website, he added.
"The text lures are generally sent in a shotgun style to all numbers in a particular area code, or area code-exchange, through the e-mail-to-text gateways offered by the mobile carriers...From a technical perspective, the attacks are automated much like phishing attacks in that the attacker e-mails their phishing spams to the victims' mobile numbers via the mobile carriers' e-mail-to-text gateways," he continued. "So the criminals could scale the sending of text messages to much greater quantities than they currently send. However, they are limited by their capacity to cash out the victims' accounts."
According to Harvey, the attack patterns suggest there are no more than a few groups perpetrating text phishing attacks as opposed to several dozen perpetrating other forms of phishing. The good news is that IID reported the prevalence of the attack dropped 62 percent during the first quarter of 2010.
"Credit unions are targeted usually by geography," he said. "Smaller CUs (credit unions) often serve a single state or single metro area, so it is relatively simple to target the right area codes to reach the targeted institution's members.
"The cost of text phishing is a small portion of the cost of overall phishing," he continued. "Specific numbers are hard to get from institutions, and can vary widely...text phishing is very visible to users, however. It causes their phones to beep and demand their attention, so attacks can cause great confusion and worry among the targeted institutions' account holders. This worry generates significant customer service costs for the institutions."