Smishing and Vishing attacks

In my last post, I had discussed about mobile phishing attack and how we can protect ourselves from these attacks. I came across another interesting article recently, that explains about few other kinds of phishing attacks on mobile phones. They are called Smishing and Vishing attacks. These attacks also tricks the user to provide sensitive and confidential information like credit card details by sending SMSs or voicemails.

Smishing attack

SMS + phishing = Smishing. Like any traditional phishing attack, this attack also goes after sensitive information like bank or financial institution data. In such kind of scams, the attacker sends a panicky SMS to your mobile device and tries to extract credit card or password information. The SMSs will warn you that something wrong has happened to your bank account, credit card or purchase and you need to take certain actions immediately. These attacks urges the user to call a particular phone number or click a link to solve the problem.
However, if you make a call to the phone number provided by SMS then you are asked to provide your bank details or credit card number, which in future will be used by the cyber criminals without your knowledge. Similarly, when you click on any kind of  link , you will be directed to a spoofed website of your bank and will be asked to enter your account details or you might end up downloading a malicious code that will infect your mobile device.

Examples of fraudulent SMiShing messages:

1. Credit Union N.A. Please call us immediately at 1-888-xxx-xxxx regarding a recent restriction placed on your account. Thank you
2. Alert!! Honolulu City & County Employees has limited your account pending verifications. Contact us NOW at 213-xxx-xxxx.

Vishing attack

Another kind of phishing attack is "vishing" or  "voicemail phishing" attack. Here the vishers sends a voicemail to you saying they represent your bank or financial institution and you need to call them back immediately or send some important information regarding your bank account to perform some operations. Some attackers will not even send a voicemail. They will call you directly and trick you to provide sensitive and confidential information.

If we encounter such kind of situation, we should directly contact the bank or financial institution  to determine if they had sent such request or not, rather than responding back to the fraudulent  SMSs or voicemails.

Mobile Phishing Attack

With the tremendous growth in the technology field, it is safe to say that the smartphones have taken over the desktops in terms of popularity and usability. The smartphones are being used to perform all the tasks that we used to do with our static PC. If we take into account the convenience factor, no body can beat the mobile phones. Millions of users are using their phones to access internet, pay bills, shop or socialize. Another reason behind the popularity of smartphones are the amazing apps. A recent statistics show that mobile users around the globe download over 67 million app everyday. As a result, these devices have become extremely vulnerable to cyber attacks. The mobile devices are extremely prone to phishing and malware attacks.

Mobile phishing attacks are on rise these days. The cyber criminals take advantage of this platform and tries to extract as much personal and sensitive information from the users as possible. There are various reasons why this platform is targeted for attacks. Firstly the mobile users are less careful and less aware of the security options available for mobile phones. They are used to providing their credentials to the mobile interface. Secondly, it is very difficult to differentiate between a legitimate and spoofed website on a small device. Last but not the least, downloading apps without doing much research about their developers, allows attacker to install malicious code in the mobile devices.

In early August this year,  a mobile phishing attack was discovered that not only attempts to steal user's login details but also asks them to upload an image of their government issued ID. This attack involves  spoofed website of bank's mobile online login site and an URL that closely mimics the legitimate bank site.

Although the website resembles very closely with the legit site but it lacks certain things that needs to taken into account while providing personal details to such sites. The website was not supported by SSL protocols. As a result the phishing site does not have any security symbol or https:// protocol. Here is a screenshot of the spoofed site and actual site.

The spoofed site asks user to enter his login details and once the user enters the login details he is directed to another spoofed page. Now the attacker needs user's email and password information, so that when the user changes his login details to recover his account the attacker will be notified and still be able to access his account. The scam does not stop here. After extracting so much personal details, the attacker asks the user to upload an image of his government issued-ID. Assuming if that information is provided by the user, the user will be asked to continue to their account via a link but the link leads to a dead website.

Phishing site asking to enter e-mail address and password.

Phishing site asking to enter government issued IDs.

Now the question is what can we do protect ourselves from such kind of attacks or what are the lessons learnt from this particular Phishing attack. Well there are few things we can do to be safe. First and foremost, bookmark the frequently visited sites. This eliminates the chance of landing up in phishing websites through typos in the URL bar. Secondly, verify the website first before providing personal information. Check if it is supported by SSL protocol, has any security symbol or HTTPS:// protocol. Lastly, use a secure solution. The secure solutions blocks phishing sites and prevents users from accessing them unknowingly.