August 4th, 2017
Phishing has gone mobile! Malicious phishing messages sent out via SMS are often referred to as 'smishing', and it is on the rise.
In June 2017, Facebook mobile users were targeted by a smishing scam using a technique called URL Padding. URL Padding hides a malicious website by masquerading the URL in a legitimate looking domain name and hence tricking users to give out their sensitive personal information. URL padding could be very effective on mobile users as it exploits the much smaller browser address bar on mobile devices. In this specific attack, the perpetrators sent Facebook mobile users fake login pages with URLs padded with hyphens. For instance, following link was received by a victim:
hxxp://m.facebook.com—————-validate—-step1.rickytaylk[dot]com/sign_in.html
When the victim visits this URL on a mobile device, it looks like they are visiting the genuine Facebook site but the link’s actual domain is rickytaylk[dot]com. The landing page will appear like the real login page of Facebook to trick victims into giving out their Facebook credentials to the attacker.
How Can I Protect Myself?
The malicious links described above were sent to users via SMS message. Unfortunately, since there is currently no way to filter incoming SMS messages, and because mobile devices with small screens make it difficult for users to verify links are legitimate, attackers have found that sending smishing messages can be highly effective. The best protection against these attacks is being especially vigilant and thoroughly analyzing any messages with links that arrive via SMS, and contact the sender if you are unsure.
Update - August 15th 2017 - McAfee just released an excellent report on a recent SMS Phishing campaign in the US trying to steal bank account information. Here is a link to the article https://securingtomorrow.mcafee.com/mcafee-labs/smishing-campaign-steals-banking-credentials-u-s/ [1]
Written by: Hanna Guan (Cyber Security Analyst, Information Security)