
SMS phishing is here

By Andrew R. Hickey, News Writer
07 Sep 2006 | SearchMobileComputing.com


It was only a matter of time before short message service (SMS) became a target.

Recently, researchers at McAfee Avert Labs uncovered a new form of attack, which hits through SMS and can milk a mobile user's wallet dry. On the surface, this new threat -- dubbed SMiShing (a combination of SMS and phishing) -- may appear to be only a consumer problem, but some mobile experts say enterprise mobile managers should be on their guard.

Deepa Karthikeyen, a wireless services analyst with Current Analysis, said last week's announcement was the first she had heard of SMiShing but noted that it is new, uncharted territory that mobile managers should be ready for.

She said that "it could be threatening to the enterprise if mobile devices, which employees use to access their network daily, are hacked."

A SMiShing attack could introduce viruses or other malware to the network or add massive charges to corporate cell phone bills. An attack could also expose the network to other hacks. Since SMiShing is so new, however, the network impact or costs that may be associated with an attack are unclear.

So far, SMiShing attacks have targeted users abroad, but because they are a threat to mobile systems, there is no reason they couldn't jump the seas into the U.S. And though full-scale attacks in the U.S. may not necessarily be imminent, some mobile experts caution that it's better to be safe than sorry.

David Rayhawk, senior researcher at McAfee Avert Labs, which recently went public with SMiShing information, said SMiShing "is yet another indicator that cell phones and mobile devices are becoming increasingly used by perpetrators of malware, viruses and scams."

In a blog entry, Rayhawk detailed a SMiShing ploy where users received a text message such as "We're confirming you've signed up for our dating service. You will be charged $2/day unless you cancel your order." Following the message is a Web link that would route the user to the main phishing page.

"Fearful of incurring premium rates on their cell phone bill, they visit the Web site highlighted in the message," Rayhawk wrote. "Once they arrive at the URL, they are prompted to download a program which is actually a Trojan horse that turns the computer into a zombie, allowing it to be controlled by hackers. The computer then becomes part of a bot network, which can then be used to launch denial of service attacks, install keylogging software, … steal personal account information and [perform] other malicious activities."

Rayhawk said understanding how far SMiShing reaches is difficult.

"Because monitoring botnet activity is complex, it is challenging to know the current scope of the problem," he wrote.

Once hackers learn to fully exploit SMiShing techniques, the threat to enterprise users will grow.

"Most large enterprises have thousands of employees, using a variety of devices to access their networks," Rayhawk wrote in his blog. "Despite their best efforts to issue safety guidelines, IT security staff cannot control human behavior, especially in light of the fact that mobile users have not yet learned to treat their phones with the same level of concern that they apply to their laptops. Mobile devices present a serious challenge to data security, with the potential to infect both carrier and enterprise networks."

Daniel Taylor, managing director of the Mobile Enterprise Alliance, said enterprises allowing the use of numerous devices should set strict rules and policies to avoid falling victim to SMiShing.

"Yes, enterprises should be concerned," he said. "They should be concerned about committing to support too many types of mobile devices. If an IT department agrees to support more than two or three different device types, they're overcommitting."

According to Taylor, best practices for mobile devices should provide three things: a set of policies that help to address phishing, security software to address viruses and other forms of malware, and a way to use over-the-air updates to re-image devices and recover data.

"An infected device should never be allowed to connect to the corporate network," he added.

Taylor continued: "Like support, security is a set of policies that reinforces the constraint that IT departments can only support a homogeneous combination of devices and software loads."

Karthikeyen said that with the growth in messaging service subscriptions and cell phone providers looking to compete against the Internet, mobile device users are increasingly becoming targets for hackers, spam and other attacks.

"Cell phone users have to learn to exercise caution when they use their cell phones," she said, adding that there are now PC-based viruses on cell phones and that virus-scanning tools for cell phones could be on the horizon.

In an interview shortly after his blog posting, Rayhawk said SMS and mobile device attacks could become as commonplace as PC-related threats. Some mobile malware can destroy devices; worse, it could cripple a corporate network.

"Eventually," Rayhawk said, "we should see everything you expect to see on the PC …."

Because SMS is widely popular and available to almost anyone with a cell phone, SMiShing threats could eventually surpass email-related attacks, Rayhawk said, especially because many users are now more cautious about emails.

"If you got an email message like this, you should know better than to open it," he said.

Another threat to an enterprise, according to Rayhawk, is an attacker who obtains a corporate phone list and can target a SMiShing attack at a specific set of users.

Current Analysis analyst Kathryn Weldon agreed.

"Clearly there would be not only a huge annoyance factor for consumers and enterprises alike for this kind of forced service/spam," Weldon said, "but McAfee implies [with its SMiShing announcement] it opens them up to a scenario where peddlers can find them and text them at will."

Rayhawk suggests that mobile managers deploy some form of mobile anti-virus protection to quell potential SMiShing threats and other attacks. McAfee, Symbian and Symantec, among others, offer products to secure mobile devices, he said.

"Enterprises would be wise to keep a close eye on the issue," Rayhawk said, "think about policies for securing their mobile devices ahead of time -- rather than playing catch-up when it hits them -- and begin to educate their employees about the potential risk now."

This article originally appeared on SearchMobileComputing.com.
