SMS Phishing

Phishing is when an attacker uses a cleverly crafted SMS, email, or website to trick a user into sharing their password, identity information, or credit card details, or into installing malware.

Apple have recently patched three 0-day vulnerabilities that could be exploited with the initial attack vector delivered via SMS Phishing (SMiShing). The attack was capable of giving the attacker full remote access to the target's Apple device. While this attack would more likely have been used on high value targets (0-days are big business), it highlights the importance of installing updates and being cautious when dealing with links in SMS and email. If you haven't yet upgraded your iOS devices to 9.3.5, you should do this now to ensure you don't fall victim to other attacks that may exploit these now known vulnerabilities.

Android devices have also been exploited with SMS as the initial attack vector. While it is not strictly SMiShing, the attack, known as Stagefright, requires no user interaction for an Android device to be compromised.

Other SMiShing attacks take advantage of Premium Services on your mobile. Premium services allow mobile users to buy content, such as ringtones or caller tones, purchase credits for games, or sign up for competitions, all charged to your monthly bill. Some Premium Services charge a one-off fee, while others subscribe you to a daily, weekly, or monthly fee.

Premium Services are also used as a way to make a quick dollar from unsuspecting victims. You receive an SMS explaining that there is a sum of money 'owed' to you. The message then goes on to say the money can be claimed by replying to the number. Of course this is a scam, and replying to the SMS signs you up to a subscription-based premium service. You may not even notice until your next bill.

ACMA have a good write-up on Premium Services, which can be found on their website.

How to protect yourself

Avoid opening links in SMS received from unknown sources. If the source is known to you, confirm the validity of the link with them.

Avoid replying to unknown numbers – although premium numbers often start with 19, ordinary mobile numbers can also be used. Important contacts such as the ATO, banks, and insurance companies are not going to use SMS as their first point of contact, to ask for information, or to provide links.
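The two warning signs above (a premium-rate 19 prefix, and a message that either carries a link or dangles "owed" money and asks for a reply) can be turned into a simple triage check. The following is an added example, not code from the original post; the sample messages are constructed, the sender numbers are placeholders, and the keyword lists and the "19 means premium-rate" rule are assumptions drawn from the advice above, so a real deployment would tune them to local numbering and the lures actually seen.

```python
import re

# Constructed sample messages for illustration only; senders are placeholders,
# not real numbers or real SMS traffic.
SAMPLE_MESSAGES = [
    {"sender": "1900123456",
     "text": "You have $1,250 owed to you! Reply YES to claim now."},
    {"sender": "+61400000000",
     "text": "Hey, are we still on for lunch tomorrow?"},
    {"sender": "+61400000001",
     "text": "Your bank account has been locked. Verify here: http://example.com/login"},
    {"sender": "Optus",
     "text": "Your bill of $59.00 is now available in the My Optus app."},
]

# Indicator patterns (assumed word lists; extend from real cases you have seen).
URL_RE = re.compile(r"(https?://|www\.)\S+", re.IGNORECASE)
MONEY_LURE_RE = re.compile(r"\b(owed|owing|refund|prize|won|claim)\b", re.IGNORECASE)
REPLY_RE = re.compile(r"\breply\b", re.IGNORECASE)
URGENCY_RE = re.compile(r"\b(locked|suspended|verify|urgent|immediately)\b", re.IGNORECASE)


def is_premium_number(sender: str) -> bool:
    """True if the sender looks like an Australian premium-rate number.

    The post notes these often start with 19; we strip formatting and an
    optional 61 country code before checking. Alphanumeric sender IDs
    (e.g. "Optus") have no digits and are never treated as premium-rate.
    """
    digits = re.sub(r"\D", "", sender)
    if digits.startswith("61"):
        digits = digits[2:]
    return digits.startswith("19")


def score_message(sender: str, text: str) -> list:
    """Return the list of reasons a message looks like SMiShing (empty = no flags).

    Each reason corresponds to one piece of advice from the post: premium
    prefix, link from an unverified sender, or a money lure that wants a reply.
    """
    reasons = []
    has_link = bool(URL_RE.search(text))
    if is_premium_number(sender):
        reasons.append("premium-rate sender prefix (19)")
    if has_link:
        reasons.append("contains link")
    if MONEY_LURE_RE.search(text) and REPLY_RE.search(text):
        reasons.append("money lure asking for a reply")
    if URGENCY_RE.search(text) and has_link:
        reasons.append("urgency wording combined with a link")
    return reasons


def triage(messages: list) -> list:
    """Score every message; returns (sender, reasons) pairs, flagged ones first."""
    scored = [(m["sender"], score_message(m["sender"], m["text"])) for m in messages]
    return sorted(scored, key=lambda pair: len(pair[1]), reverse=True)


if __name__ == "__main__":
    for sender, reasons in triage(SAMPLE_MESSAGES):
        verdict = "SUSPICIOUS" if reasons else "ok"
        print(f"{sender:>14}  {verdict:<10} {'; '.join(reasons)}")
```

A message with no flags is not proof of legitimacy; the check only surfaces the cases the post tells you to be wary of, so the human decision (don't reply, don't open the link, verify with the organisation through a known channel) still applies.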

If premium services are not required, they can be blocked from your service:

  • Telstra allow you to block Premium Services on your account via their website.
  • Optus also allow you to block Premium Services, with instructions for doing so found on the Optus website.