What is "smishing", the SMS-based scam raising concern about serious damage?

Phishing scams, in which e-mails pretending to be from financial institutions and similar organizations are sent to steal information, are rampant. Here we take a closer look at the SMS variant of this fraud: smishing.

What is smishing?

SMS (Short Message Service) is a system for exchanging messages between mobile phones using phone numbers as the destination. Many readers will be familiar with this convenient mechanism, which lets you send a message to someone even if they are on a different mobile carrier.

In recent years phishing scams that exploit SMS have become widespread, and there is concern that the damage will spread further. In a typical example, the attacker poses as a telecommunications carrier and sends a message such as "Your phone bill is high, so please check it" together with a URL. Tapping the URL leads to a fake site, where the victim is made to enter personal information that is then stolen and misused.

Phishing originally exploited e-mail: messages pretending to be from financial institutions such as banks and credit card companies were used to steal personal information such as addresses, bank account numbers and credit card numbers, along with the IDs and passwords for web services the user subscribes to. It is widely recognized as a form of credential theft. Smishing applies the same method to SMS: messages are abused to get users to click on URLs, either to harvest personal information or to install malicious apps (malware) that can remotely control the smartphone.

Phishing scam using SMS

"Smishing" is a coined word combining SMS and phishing, and is said to have originated around 2006 when it appeared on a security vendor's blog. Overseas it is also called a text scam, and smishing is said to have been first observed in Japan at the end of 2017.

Indistinguishable! Examples of smishing phrases

What makes smishing so clever is that it arouses the anxiety of the recipient and presents content they feel compelled to click on. There are too many examples to list, including messages claiming to be from courier companies and financial institutions, messages tied to current affairs such as COVID-19, and notices of unpaid bills. Another method exploits the phone book of a malware-infected smartphone, sending a message such as "There is a picture of you on this SNS" while pretending to be a friend, to make the recipient click on the URL. The reality is that the content is something an ordinary person would click on without a second thought, so the messages cannot be told apart from genuine ones.

smishing example

The examples introduced here are smishing against individuals using smartphones, but there is also smishing that targets companies, aiming to acquire employee IDs and authentication information for unauthorized access to the company, or to infect devices with malware for remote control.

However, Macnica views attackers targeting individuals and those targeting companies as having different attributes. What is prevalent in Japan mainly targets individuals for financial gain, such as credit card numbers and savings accounts, whereas against businesses organized criminal groups often use ransomware and BEC (Business Email Compromise), a business e-mail scam that tricks staff into transferring money. Even when the technique is the same smishing, the current view is that the criminal groups targeting individuals and those targeting corporations are different.

The realities of smishing, where damage spreads

Unfortunately, damage from phishing, smishing included, is on the rise. According to figures released by the Anti-Phishing Council, roughly 30,000 phishing reports are received every month, and the count reached 53,177 in August 2021. Many recent smishing reports concern e-commerce sites such as Amazon and Rakuten, and because an SMS is more easily mistaken for a genuine message than an e-mail, industry groups have issued warnings.

Phishing reporting status

Source: Anti-Phishing Council, HOME > Reports > Monthly Reports > 2021/08 Phishing Report Status
https://www.antiphishing.jp/report/monthly/202108.html

The Metropolitan Police Department's cybercrime countermeasure project has received many reports of fraudulent remittances and credit card damage, indicating that personal assets are the main target. The Metropolitan Police Department's materials show that damage decreased in 2020, and according to information issued by the Japan Credit Association the total amount of damage from unauthorized use of credit cards has also decreased; however, the amount of damage caused by stolen credit card numbers in particular has increased since the beginning of the Reiwa era (2019 onward). The materials make clear that smishing has by no means died down.

High "delivery rate" and "open rate" work against users: why smishing is rampant

Why has smishing, alongside traditional phishing, become a popular fraud method worldwide? The characteristics of SMS itself have created a situation in which damage spreads easily.

The first is the high "delivery rate" of the messages themselves. An e-mail cannot be delivered unless both the account and the domain of the address are correct, whereas an SMS is addressed by phone number and reaches whoever holds that number directly. From a malicious attacker's point of view, messages can be delivered efficiently.

The high "open rate" is also behind the spread of smishing. Much of the e-mail that arrives in an inbox is advertising, and many people leave it unopened. An SMS, by contrast, arrives directly at the recipient's phone number, and there is no end to cases where it is read without suspicion. Add to this the skilful wording that creates a sense of danger, as described above, and many people end up clicking the fake URL they were meant to be lured to.

Why smishing is used

The high delivery rate and open rate of SMS have made it a convenient mechanism prized by many attackers.

Two approaches used in smishing

Smishing, which can lead to serious damage, can be roughly divided into two approaches. One lures the user to a fake website and steals valuable information; the other makes the user download malware that lets the attacker remotely control the smartphone.

1. Luring users to a fake site

The former method sends a message via SMS that leads to a fake site prepared by the attacker and has the user enter bank account numbers, credit card details and the like on that site. The stolen information is then used to impersonate the user, for example to make large purchases on an e-commerce site or to transfer savings to another account illegally, so the financial damage spreads. The fake site is made to look exactly like the real one, and in some cases it is hard to identify as fake. There are even cases where the message appears to come from a delivery company but the attached URL leads to a fake bank website. Many people trust an SMS tied to a phone number and do not notice that anything is off.

Case 1: Extracting information and impersonating the victim

2. Malware downloads that allow remote control

The latter approach uses malware that enables remote control by the attacker: a message is sent via SMS, and malware is planted on the smartphone when the URL is clicked. Once the malware is downloaded, criminals can remotely control the smartphone without the owner's knowledge. For example, they can impersonate the owner and send large volumes of smishing messages to the numbers registered in the phone (or to numbers not registered in it), or exfiltrate personal information such as phone numbers and passwords stored on the device. Because the victim thus becomes a perpetrator as well, infected users play a part in amplifying the damage. Recently this approach has taken a very serious turn for the worse.

In particular, if the phone numbers registered on a malware-infected smartphone are stolen, those contacts are sent messages pretending to be from an acquaintance, such as "I saw your video on SNS"; there have also been reports of very skilful tempting phrases. The malware is designed so that the messages do not remain in the sent history, and sometimes the owner only realizes the phone is infected when an acquaintance gets in touch. It is a particularly troublesome approach because the infection spreads gradually without the malware's presence being noticed.

It is hard to tell whether a device is actually infected with malware. Even so, if you experience changes such as an increase in calls from unknown numbers, a flood of incoming SMS, repeated notifications about fraudulent payments, or unexplained SMS charges inflating your mobile phone bill, your smartphone may be infected. It is important to recognize these signs.
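As an added illustration of the warning signs just described, and not part of the original article, the following Python example checks a handset's outbound SMS log for the pattern an infected phone produces when it is used to send smishing: a sudden burst of messages in one hour, mostly to numbers outside the owner's contacts. The log, the function names and the thresholds (20 messages, five times the median hourly volume, half of recipients unknown) are all constructed assumptions for the demonstration.

```python
from collections import Counter
from statistics import median

def build_sample_log():
    """Constructed outbound-SMS log for one handset: (ISO timestamp, recipient, in_contacts)."""
    log = []
    # Normal day: two messages per hour to known contacts.
    for hour in range(9, 18):
        for i in range(2):
            log.append((f"2021-08-01T{hour:02d}:{10 * i:02d}", f"+81-90-0000-00{i:02d}", True))
    # Infected-handset pattern: 40 messages in one evening hour to numbers not in the contact list.
    for i in range(40):
        log.append((f"2021-08-01T21:{i:02d}", f"+81-80-1234-{i:04d}", False))
    return log

def hourly_counts(log):
    """Count outbound messages per hour (timestamp truncated to YYYY-MM-DDTHH)."""
    return Counter(ts[:13] for ts, _, _ in log)

def detect_bursts(log, min_burst=20, factor=5.0):
    """Return hours whose outbound volume is above an absolute floor and at least
    `factor` times the handset's median hourly volume (its normal baseline).
    Both thresholds are assumed values, not figures from the article."""
    counts = hourly_counts(log)
    if not counts:
        return []
    baseline = max(median(counts.values()), 1)
    return sorted(h for h, n in counts.items() if n >= min_burst and n >= factor * baseline)

def unknown_recipient_ratio(log):
    """Share of outbound messages sent to numbers absent from the owner's contacts.
    Smishing sent from a hijacked phone goes largely to strangers, so a high ratio
    together with a burst is a stronger indicator than either signal alone."""
    if not log:
        return 0.0
    return sum(1 for _, _, known in log if not known) / len(log)

def assess(log):
    """Combine both signals into a verdict a defender could act on (assumed rule)."""
    bursts = detect_bursts(log)
    ratio = unknown_recipient_ratio(log)
    return {"burst_hours": bursts, "unknown_ratio": round(ratio, 3),
            "suspicious": bool(bursts) and ratio > 0.5}

if __name__ == "__main__":
    print(assess(build_sample_log()))
```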

The one thing to keep in mind to prevent smishing damage

What should we keep in mind to avoid damage from smishing that abuses SMS? In e-mail phishing, the addresses used by attackers and the URLs of fake sites can be blacklisted so that the messages are not received at all, but for SMS it is currently difficult to take equivalent countermeasures. Given that receiving the messages is unavoidable, the key point is never to click on URLs contained in an SMS. We want everyone to be fully aware of this as the effective way to avoid smishing damage.

  • Damage caused by smishing increases every year
  • Illegal remittances and the theft of credit card numbers are also expanding
  • The lures are wide-ranging, including current affairs, and fuel people's anxiety
  • Information sharing in society will keep accelerating → attackers are highly likely to exploit this trend
  • A victim of smishing → becomes a perpetrator and spreads the damage
Never click URLs included in SMS!

Smishing is a cross-industry problem, as it involves not only the mobile carriers that deliver SMS but also the companies whose names are used to lead people to fake sites and the financial institutions that are the targets of unauthorized access, so cross-industry countermeasures are essential. However, connecting industries and companies with different interests is not without difficulty.

The background to Macnica's current efforts to counter smishing is that it has long worked in security, providing security measures and consulting to a wide range of organizations, and is therefore positioned to act as a bridge for cross-industry collaboration. We intend to continue mobilizing Macnica's security knowledge and engineering capability to eradicate smishing as a social issue.
