Fraud Intelligence Newsletter
February 2008
Table of Contents
SMS Phishing, aka SMiShing
Universities Struck Hard by Phishers
Spies in the Phishing Underground
Recent Rise in Whale Phishing
E-Mail Authentication – An Overview of DKIM
SMS Phishing, aka SMiShing
SMS phishing (aka SMiShing or text phishing) is a newer method of phishing that attempts to scam users via SMS (short message service) text messages sent to mobile phones, rather than via the traditional phishing e-mail.
SMS phishes have inundated cell phones in southern Texas and have been identified in other areas of the country as well. The text message directed mobile phone users to a fraudulent banking website that asked them for their usernames and passwords.
It has been reported that many of the messages appear to have been sent to Sprint mobile phones. The fraudsters may be randomly spamming known Sprint telephone number ranges for the southern Texas area, or may have gained possession of a list of Sprint customers.
Some institutions have suffered attacks that combine SMS phishing with phone phishing. A text message phishing lure directs recipients to call a phone number where a recorded message solicits their personal information.
Another possible facet of this style of attack is a spoofed text message that appears to come from the user's own mobile carrier. A text message purporting to be from T-Mobile, sent to a T-Mobile customer and asking the user to click a link in the message, would be a highly effective social engineering tool. Nothing in SMS authenticates the displayed sender: the originating number or alphanumeric sender ID is set by whoever submits the message through a bulk SMS gateway, so a recipient has no way to tell a spoofed carrier message from a genuine one.
Universities Struck Hard by Phishers
The financial institution sector is not the only sector that must diligently defend against phishing attacks.
Since January 2008 several major institutions of higher learning have been targeted, including Boston University, Columbia University, Duke University, Princeton University, Purdue University, Rice University and the University of Notre Dame. The e-mail attacks usually pose as the school's help desk and request confirmation of usernames, passwords and other personal information.
Compromised e-mail accounts have been used to conduct further attacks by sending fraudulent spam back to the university's community and to the Internet at large. Nigerian 419 scams have been spammed out of compromised accounts.
Proper defensive planning and a solid response plan for when an attack does succeed are critical. At least one university's reaction broke one of the basic rules of proper phishing response. That university's IT department sent a blast e-mail to its entire staff and student community explaining the attack, with a link to click so that recipients could immediately change their system-wide password. Such a message is indistinguishable in form from the phishing lure itself and trains users to click password-reset links that arrive by e-mail; the next phisher need only copy it. Instructions of this kind should direct users to type a known address into their browser or to contact the help desk, never to follow a link in the message.
Princeton University illustrated an impressive security response. Although they suspected no more than a dozen victims, they automatically denied an online request to the university's human resources database to change personal information for one of the known phishing victims.
Spies in the Phishing Underground
Mirko Zorz of Help Net Security (HNS) recently interviewed Nitesh Dhanjani and Billy Rios for an article titled "Spies in the Phishing Underground." Dhanjani and Rios have performed considerable intelligence gathering and analysis on the phishing underground. In our opinion the interview is an excellent background article on how the phishing world works, and we encourage you to read it. Neither the article's author, Zorz, nor Dhanjani or Rios is affiliated with Internet Identity.
From Internet Identity's own experience, we caution that phishers are not as unintelligent or unsophisticated as Dhanjani and Rios have opined. The researchers' analysis was apparently based on what they "stumbled onto", which, as described, reflects the beginner level of the phishing underground. They observed unsophisticated phishing because they were only observing the public entry level, where the experienced phishers take advantage of the neophytes: anyone who wants to attract neophytes has to make themselves relatively easy to find.
Phishing has become its own marketplace with its own society. As they learn, the neophytes that become more skilled and refined are invited to move up into circles that are not publicly visible. The neophytes that remain ignorant, continue to trade credentials of little value and/or allow themselves to get back-doored will not progress through this complicated society.
Recent Rise in Whale Phishing
Several industry-leading experts have reported a recent rise in targeted phishing attacks against wealthier and more influential online users, often referred to as "whale phishing."
Fraudsters use increasingly sophisticated means of collecting information on well-to-do online users, and equally sophisticated social-engineering methods to deploy their attacks. Attacks often occur in multiple stages with no discernible tie between them until it is too late.
In the January 2008 edition of the Fraud Intelligence Newsletter, Internet Identity reported that major international credit bureaus had been the target of several high-volume phishing campaigns (see "Serious Implications Following Attacks on Credit Bureaus"). It is quite possible that attacks such as these are designed to collect specific information on individuals whose greater net worth makes them more valuable to the fraudsters. Successful attacks could glean real estate and mortgage information, known addresses, telephone numbers, and high- or no-limit credit card accounts.
This social engineering gold mine could lead to round after round of targeted spear phishing attacks against those same victims, aimed specifically at the wealthier persons among them.
In addition, the fraudulent websites that users are brought to are often seeded with keyloggers and/or Trojans, giving the fraudsters another independent angle of attack.
Internet Identity cautions that potential targets of whale phishing may also face a greater risk of attack as we near the peak of tax season.
E-Mail Authentication – An Overview of DKIM
E-mail authentication technology offers a powerful tool against phishing. Institutions that routinely authenticate all outgoing e-mail make it much more difficult for phishers to spoof their brands in e-mail. eBay has seen a significant drop in phishing attacks since it implemented e-mail authentication.
DKIM (DomainKeys Identified Mail) is a method of e-mail authentication. It lets a receiver verify which domain took responsibility for a message and ensures message integrity between a signing and a verifying mail server. In most cases the signing mail server acts on behalf of the sender: it hashes the message body and a chosen set of headers, signs that hash with the domain's private key, and inserts the result as a DKIM-Signature header. The verifying mail server acts on behalf of the receiver: it reads the signing domain (the d= tag) and key selector (the s= tag) from that header, retrieves the sender's public key from a TXT record in the DNS (domain name system) at <selector>._domainkey.<domain>, and checks both the body hash and the signature. Any change to the body or to the signed headers in transit invalidates the signature.
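To make the two roles concrete, the following is an added Go example, not code from the newsletter or from any mail vendor. It implements the DKIM flow just described with only the Go standard library: the signer canonicalises the headers ("relaxed") and body ("simple"), computes the bh= body hash, signs the header hash with RSA-SHA256 and emits the DKIM-Signature value; the verifier parses the tags, looks up the key for <selector>._domainkey.<domain>, and re-checks body hash and signature. The domain example.com, the selector sel1, the message headers and body, and the in-memory map that stands in for the DNS TXT lookup are all assumptions constructed for the demonstration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"strings"
)

// relaxedHeader: DKIM "relaxed" canonicalisation of one raw header line (lower-case name, unfold, collapse whitespace).
func relaxedHeader(line string) string {
	name, value, _ := strings.Cut(line, ":")
	return strings.ToLower(strings.TrimSpace(name)) + ":" + strings.Join(strings.Fields(value), " ") + "\r\n"
}

// bodyHash is the bh= tag: base64(SHA-256) of the "simple"-canonicalised body (trailing empty lines dropped, one final CRLF).
func bodyHash(body string) string {
	sum := sha256.Sum256([]byte(strings.TrimRight(body, "\r\n") + "\r\n"))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// parseTags turns "v=1; a=rsa-sha256; ..." into a map, dropping folding whitespace inside values.
func parseTags(s string) map[string]string {
	tags := map[string]string{}
	for _, part := range strings.Split(s, ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(part), "="); ok {
			tags[k] = strings.Join(strings.Fields(v), "")
		}
	}
	return tags
}

// signatureInput is what both sides hash and sign: each header named in h= (relaxed, in that order), then the DKIM-Signature header itself with its b= value emptied and no final CRLF.
func signatureInput(hdrs []string, sigValue string) []byte {
	var sb strings.Builder
	for _, name := range strings.Split(parseTags(sigValue)["h"], ":") {
		for _, line := range hdrs {
			if strings.HasPrefix(strings.ToLower(line), strings.ToLower(name)+":") {
				sb.WriteString(relaxedHeader(line))
				break
			}
		}
	}
	parts := strings.Split(sigValue, ";")
	for i, p := range parts {
		if strings.HasPrefix(strings.TrimSpace(p), "b=") {
			parts[i] = " b="
		}
	}
	return []byte(sb.String() + strings.TrimSuffix(relaxedHeader("DKIM-Signature:"+strings.Join(parts, ";")), "\r\n"))
}

// sign builds the DKIM-Signature value, as the signing mail server does on the sender's behalf.
func sign(priv *rsa.PrivateKey, domain, selector string, hdrs []string, body string) (string, error) {
	unsigned := fmt.Sprintf("v=1; a=rsa-sha256; c=relaxed/simple; d=%s; s=%s; h=from:to:subject; bh=%s; b=", domain, selector, bodyHash(body))
	digest := sha256.Sum256(signatureInput(hdrs, unsigned))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return unsigned + base64.StdEncoding.EncodeToString(sig), err
}

// verify acts as the receiving server: check bh= against the body, fetch the key for <selector>._domainkey.<domain> (dns stands in for the DNS TXT lookup), then check the RSA signature.
func verify(dns map[string]string, hdrs []string, sigValue, body string) error {
	tags := parseTags(sigValue)
	if tags["bh"] != bodyHash(body) {
		return fmt.Errorf("body hash mismatch")
	}
	der, errP := base64.StdEncoding.DecodeString(parseTags(dns[tags["s"]+"._domainkey."+tags["d"]])["p"])
	sig, errB := base64.StdEncoding.DecodeString(tags["b"])
	pub, errK := x509.ParsePKIXPublicKey(der)
	rsaPub, isRSA := pub.(*rsa.PublicKey)
	if errP != nil || errB != nil || errK != nil || !isRSA {
		return fmt.Errorf("missing key record, or malformed p= or b= value")
	}
	digest := sha256.Sum256(signatureInput(hdrs, sigValue))
	return rsa.VerifyPKCS1v15(rsaPub, crypto.SHA256, digest[:], sig)
}

// runDemo signs a constructed message with a fresh key, then reports whether the original, a copy with an altered body, and a copy with an altered Subject line verify.
func runDemo() (goodOK, bodyTamperOK, headerTamperOK bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	der, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	dns := map[string]string{"sel1._domainkey.example.com": "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der)} // constructed stand-in for the TXT record example.com would publish
	hdrs := []string{"From: Alerts <alerts@example.com>", "To: customer@example.net", "Subject: Your  statement is ready"}
	body := "Your February statement is available online.\r\n\r\n"
	sigValue, err := sign(priv, "example.com", "sel1", hdrs, body)
	goodOK = verify(dns, hdrs, sigValue, body) == nil
	bodyTamperOK = verify(dns, hdrs, sigValue, "Please log in at http://example.org/ now.\r\n") == nil
	headerTamperOK = verify(dns, []string{hdrs[0], hdrs[1], "Subject: Urgent: confirm your password"}, sigValue, body) == nil
	return
}

func main() { fmt.Println(runDemo()) }
```

Run stand-alone it prints the three outcomes and the error, i.e. the original verifies and neither altered copy does. Two design points worth noting: the verifier decides which headers to hash from the h= tag it is given, so a signer that leaves Subject or To out of h= leaves those fields free for a phisher to rewrite while the signature stays valid; and "simple" body canonicalisation tolerates only trailing blank lines, so any relay that appends a footer (a mailing list, a disclaimer gateway) breaks the signature, which is why many deployments choose relaxed/relaxed.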
DKIM combines DomainKeys, developed by Yahoo, with Identified Internet Mail from Cisco. The IETF (Internet Engineering Task Force) has worked since 2004 to merge the two, and the result was published as a Proposed Standard, RFC 4871, in May 2007.
BITS, a consortium of 100 of the largest financial institutions in the United States, recommends that its members adopt DKIM, along with Transport Layer Security (TLS) and Sender Authentication (Sender ID or SPF), by October 2008.
"I do feel that 2008 is the year when things are going to come together for DKIM," says Patrick Peterson, vice president of technology for IronPort. "What BITS is doing here, with all of its members speaking in one voice with such a massive impact, gives people confidence in DKIM," Peterson says. IronPort is a leading e-mail appliance vendor that is pushing hard for DKIM adoption.
ISPs are also starting to adopt DKIM to protect their users against spam and phishing scams. Not surprisingly, Yahoo is the largest ISP to have implemented DKIM.
As financial institutions and ISPs adopt DKIM and other e-mail authentication technologies, they will become harder targets for phishers. Internet Identity expects to see a major shift of attention away from the larger organizations that have adopted these standards and toward those that have not. Two caveats apply. A valid DKIM signature proves only that the d= domain vouched for the message; it says nothing about whether that domain matches the From: address the user sees, so receivers must still check that alignment, and a phisher can DKIM-sign mail from a look-alike domain perfectly well. And the absence of a signature proves nothing by itself, because a receiver cannot distinguish a sender that never signs from a message whose signature was stripped; rejecting unsigned mail that claims a brand requires the brand to publish a sender policy stating that all of its mail is signed.
Look to future editions of the PowerShark FIN for more information about e-mail authentication, including TLS, Sender Authentication and DKIM.
If you want to learn more about protecting your organization from phone phishing, phishing, spear phishing, targeted malware and other attacks against your customers, please contact Internet Identity.