Cisco: SMS, Smartphone Attacks on the Rise

New research released today by Cisco warns criminals are rapidly adapting to a more modern economy and continue to find new ways to exploit people with mobile phones and through social networks and text messages. The Cisco 2009 Midyear Security Report finds that much like a successful business, the criminal underground works together to understand and take advantage of the evolving behaviors of the demographic they are trying to fleece. As part of this strategy, cyber criminals quickly seize upon current events, such as swine flu and the recent death of Michael Jackson, in order to fool people into phishing scams or to spam advertising for preventive drugs and links to fake pharmacies.

“The bad guys were pumping out more than 2 billion spam messages the day after Michael Jackson died with all kinds of trickery,” said Patrick Peterson, Cisco fellow and chief security researcher.

The report also notes an increase in the use of SMS text messages as an attack vector. Since the start of 2009, at least two or three new campaigns have surfaced every week targeting handheld mobile devices, according to Cisco, which describes the rapidly growing mobile device audience as a “new frontier for fraud irresistible to criminals.” (See also: Mobile Malware: What Happens Next?)

The report also references a new technique called “smishing,” which Cisco predicts will increase in the coming months. A smishing attack involves sending a phishing link to a smartphone that is sophisticated enough to actually click on a link contained in a text message. However, the more common SMS attack these days involves a fraudulent text message that appears to be from a trusted source, such as a bank, and prompts the user to call a phone number and reveal private information. The tactic makes use of an older, yet more trusted mode of communication, said Peterson.

“One of the most interesting innovations we have seen is the use of audio channel to phish the victim,” he said. “What we see in a majority of these types of phishing attacks is the SMS will tell the cell phone owner to call a phone number. Some lovely recorded voice answers and asks you to enter or speak your account number, your social security number. It will keep asking as long as someone is gullible enough to give out that information. And all of that gets captured on voice over IP (VOIP) on standard open source audio file.”

The technique is proving successful in many instances, said Peterson, because users have not yet learned to be wary of audio scams.

“A lot of people don’t have the defenses against the audio channel. We’ve heard “Check the URL!” and “Don’t click the link!” But I don’t think a lot of people have heard “Don’t enter your name into a touch-tone handset.””

Peterson said while SMS attacks are still new in the United States, they are more common in other countries, such as Japan, where SMS technology is more pervasive and has been popular for much longer.

The report also points to an increase in vulnerabilities that are being uncovered in smartphone operating systems since the market for victims has increased with widespread smartphone adoption (See also: 3 Simple Steps to Hack a Smartphone).

“The market size dictates the investment. Five years ago in the U.S., the handset market was not very big. Now with that growing, it becomes a primary device and absolutely the amount of criminal focus around those exploits will increase.”