As with the phishing campaign described in our previous article, the smishing campaign tells a similar story. Cybersecurity is one of the most important concerns of any business, yet regularly training employees in safe online behaviour and deploying good antivirus protection is often not enough. Employees, and internet users in general, are easily lured by fraudulent SMS messages crafted to look credible and engaging. Making mistakes is human; the problem is that a single click on a fraudulent link can have serious consequences. Unlike a real attack, our smishing campaign was not intended to obtain sensitive data from users. The goal was to find out how many users react to the messages in any way, that is, how many open the spoofed links or even enter their personal data. In this case study we describe the individual steps of the campaign and present the final evaluation of its success rate.
What is smishing?
Smishing is a cyberattack carried out via SMS messages. It is a form of social engineering that relies on human trust and carelessness rather than on technical vulnerabilities. As in phishing, victims are tricked into disclosing their personal information; the difference is that the lure arrives as an SMS text message instead of an email. Attackers harvest sensitive data, such as login credentials or card details, and then misuse it. The messages frequently pretend to come from the bank where the recipient holds an account and aim to steal banking details.
Smishing attacks are carried out in two main ways:
- Malware: an enticing link whose URL leads to the download and installation of malware on the mobile phone. The malware masquerades as a legitimate application and tricks the user into entering confidential information, which is then sent to the attackers.
- A malicious website: the link leads to a site that asks the user to enter personal information. Attackers build such sites to mimic the genuine ones as closely as possible so that the data theft goes unnoticed.
The targeted groups are usually employees of the company concerned, customers of a specific institution, subscribers of a mobile network operator, university students or residents of a particular area. The attacker's disguise usually matches the institution whose users are being targeted.
How to identify an attack?
- The text message comes from an unusual or suspicious sender, for example a short code such as 7000, rather than a number you recognize
- The hyperlink in the message leads to a different address than the one shown in the text, or to a domain that merely resembles the genuine one
- A suspicious executable attachment is present or linked to
- A message claiming to come from a bank that asks the customer to enter a code, PIN or login details is a clear sign of smishing; banks never request personal information from customers in this way
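The indicators above can be checked mechanically. The following Python helper is an added example and not part of the original case study: it extracts the hosts linked in an SMS body, compares each against a small allow-list of legitimate domains using edit distance so that a look-alike domain differing by one or two characters is flagged, and reports a short-code sender as a weaker, separate signal. The allow-list, the distance threshold, the sender heuristic and the sample message are assumptions constructed for this example.

```python
"""Heuristic smishing indicators for an SMS message.

Added example, not code from the original case study. It extracts the
domains linked in an SMS body and compares them against a constructed
allow-list of legitimate domains using Levenshtein edit distance, so that a
look-alike domain differing by one or two characters is flagged. A
short-code sender (here: five digits or fewer) is reported as a separate,
weaker indicator. Allow-list, thresholds and sample text are assumptions.
"""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed allow-list: domains the recipient legitimately interacts with.
LEGITIMATE_DOMAINS = {"mojebanka.cz", "seznam.cz", "example-company.cz"}

# Bare or scheme-prefixed URL: host with at least one dot, optional path.
URL_RE = re.compile(r"(?:https?://)?(?:www\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)+(?:/\S*)?", re.I)


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def extract_hosts(text: str) -> List[str]:
    """Lower-cased hosts of all URLs found in the text, with 'www.' stripped."""
    hosts = []
    for match in URL_RE.finditer(text):
        url = match.group(0)
        if not url.lower().startswith(("http://", "https://")):
            url = "http://" + url          # urlsplit needs a scheme to find the host
        host = (urlsplit(url).hostname or "").lower()
        hosts.append(host[4:] if host.startswith("www.") else host)
    return hosts


def classify_host(host: str, max_distance: int = 2) -> Tuple[str, Optional[str]]:
    """'legitimate', 'lookalike' (with the imitated domain) or 'unknown'."""
    if host in LEGITIMATE_DOMAINS:
        return "legitimate", host
    closest = min(LEGITIMATE_DOMAINS, key=lambda d: levenshtein(host, d))
    if levenshtein(host, closest) <= max_distance:
        return "lookalike", closest
    return "unknown", None


def is_short_code(sender: str) -> bool:
    """Short codes (e.g. 7000) are used legitimately too, so this is only a weak signal."""
    digits = sender.lstrip("+")
    return digits.isdigit() and len(digits) <= 5


def analyze_sms(sender: str, text: str) -> Dict[str, object]:
    """Combine the indicators; a link to a look-alike or unknown domain drives the verdict."""
    hosts = [(h,) + classify_host(h) for h in extract_hosts(text)]
    return {
        "sender_short_code": is_short_code(sender),
        "hosts": hosts,
        "suspicious": any(verdict in ("lookalike", "unknown") for _, verdict, _ in hosts),
    }


if __name__ == "__main__":
    # Constructed sample modelled on the transaction-cancellation template.
    print(analyze_sms("7000", "You can cancel a transaction for CZK 5,000 by "
                      "entering the code 58vuk67 at www.mojebamka.cz/zrusitansakci"))
```

Plain edit distance catches substitutions and dropped letters but scores a swapped pair as two edits, so the threshold of 2 is what lets `sezman.cz` match `seznam.cz`; raising it further starts producing false matches between short, unrelated domains, so in practice the allow-list should be kept to the handful of brands the organisation actually uses.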
How best to defend against such attacks?
- Regular staff training in cybersecurity
- Avoid storing sensitive information such as payment card details on your phone
- Do not click on links in text messages from unknown senders
- Do not disclose your phone number on support forms and websites
- Never disclose account numbers, PINs, passwords, etc. to anyone
How we did it
In the first step, we created a fake but trustworthy-looking website that was a faithful copy of the original XY website, hosted on a domain whose name differed only minimally from the genuine one. No submitted data was stored at this stage; we only recorded how many employees opened the link in the message and whether they reached the page it pointed to.
The second step was to create several fraudulent but plausible SMS messages. The linked domain names contain deliberate typos so that, at a glance, they resemble the legitimate ones and lead the victim to the fraudulent website instead. In total we created five templates:
- A message informing the recipient of a transaction for CZK 5,000, with a link to cancel the transaction that leads to the fraudulent website.
Content of SMS message: You can cancel a transaction for CZK 5,000 by entering the code 58vuk67 at www.mojebamka.cz/zrusitansakci
- A message informing the recipient of an ongoing cyberattack on the company and prompting them to enter a security code on the website behind the link.
Content of SMS message: A cyberattack is underway on your company. Prevent attackers from gaining access by entering the code 58vuk67 at www.zamezutoku.cz
- A message informing the user of a successfully completed order, with the invoice available for download at the linked address.
Content of SMS message: Your order number 15791387 has been accepted. Details and invoice at www.stahnufakturu.cz
- A message informing the user that they have won an employee competition; to collect the prize, the user is enticed to open the fraudulent link and enter a code.
Content of SMS message: Congratulations! You can claim your prize by entering 57jnjv61 at www.vyhravsoutzi.cz
- A message informing the user that their account has been blocked; to unblock it, they must enter a code at the linked address.
Content of SMS message: Your account has been blocked, to unblock it enter the code 51Gfv37 at www.sezman.cz
The third and final step was to plan the campaigns. Five campaigns were created, each using a different template. They were not sent all at once but sequentially over the course of a day, each to a fixed group of recipients. A total of 305 messages were sent, as follows:
- 1st Campaign – 61 users – SMS message with information about cancellation of the transaction
- 2nd Campaign – 61 users – SMS message with information about a cyberattack
- 3rd Campaign – 61 users – SMS message with information about a successfully completed order
- 4th Campaign – 61 users – SMS message with information about winning a competition
- 5th Campaign – 61 users – SMS message with information about account blocking
A unique identification code was generated for each targeted user, which made it possible to track when they visited the fake site and when they submitted the login form. No other data was collected; in particular, the contents of the submitted form were not stored. After submitting the login form, users were redirected to the company's official website.
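As an added illustration of the tracking described in this step (example code, not the tooling used in the campaign), the Python below issues one random code per recipient, embeds it in the link, reconstructs visit and submission events from a constructed access log keyed only by that code, and reports per-campaign click and submission rates. The campaign name, recipient identifiers, domain, log format and log lines are all assumptions made for the example.

```python
"""Per-recipient tracking codes and campaign evaluation.

Added example, not the tooling used in the original case study. It shows the
mechanics the text describes: an unguessable code per recipient embedded in
the link, an event log that records only page visits and form submissions
keyed by that code (never the submitted values), and an evaluation of click
and submission rates per campaign. Campaign names, recipient ids, the
domain, the log format and the log lines are constructed here.
"""
import secrets
from collections import defaultdict
from typing import Dict, Iterable, Set, Tuple
from urllib.parse import parse_qs, urlsplit

Token = str
Assignment = Tuple[str, str]  # (campaign, recipient)


def issue_tokens(campaign: str, recipients: Iterable[str]) -> Dict[Token, Assignment]:
    """One random code per recipient. Random rather than sequential, so a
    recipient cannot guess a colleague's code and view or pollute their result."""
    tokens: Dict[Token, Assignment] = {}
    for recipient in recipients:
        token = secrets.token_urlsafe(8)        # 64 bits, URL-safe, 11 characters
        while token in tokens:                  # collision guard; practically never runs
            token = secrets.token_urlsafe(8)
        tokens[token] = (campaign, recipient)
    return tokens


def build_link(domain: str, path: str, token: Token) -> str:
    """The link placed in the SMS; the code travels as a query parameter."""
    return f"https://{domain}/{path}?t={token}"


def parse_events(log_lines: Iterable[str], tokens: Dict[Token, Assignment]) -> Dict[Token, Set[str]]:
    """Constructed log format: '<time> <METHOD> <path?query>' per line.
    GET records a visit, POST a form submission (which implies a visit).
    Lines carrying an unknown code (scanners, typos, tampering) are ignored."""
    events: Dict[Token, Set[str]] = defaultdict(set)
    for line in log_lines:
        _time, method, target = line.split(" ", 2)
        token = parse_qs(urlsplit(target).query).get("t", [None])[0]
        if token not in tokens:
            continue
        if method == "GET":
            events[token].add("visit")
        elif method == "POST":
            events[token].update(("visit", "submit"))
    return events


def evaluate(tokens: Dict[Token, Assignment], events: Dict[Token, Set[str]]) -> Dict[str, Dict[str, float]]:
    """Per campaign: messages sent, recipients who visited, recipients who
    submitted, and both as percentages of messages sent (2 dp)."""
    stats = defaultdict(lambda: {"sent": 0, "visited": 0, "submitted": 0})
    for token, (campaign, _recipient) in tokens.items():
        seen = events.get(token, set())
        stats[campaign]["sent"] += 1
        stats[campaign]["visited"] += "visit" in seen
        stats[campaign]["submitted"] += "submit" in seen
    for s in stats.values():
        s["visit_rate"] = round(100 * s["visited"] / s["sent"], 2)
        s["submit_rate"] = round(100 * s["submitted"] / s["sent"], 2)
    return dict(stats)


def overall_submit_rate(stats: Dict[str, Dict[str, float]]) -> float:
    """Submission rate across all campaigns, as a percentage of messages sent."""
    sent = sum(s["sent"] for s in stats.values())
    submitted = sum(s["submitted"] for s in stats.values())
    return round(100 * submitted / sent, 2)


def demo() -> Dict[str, Dict[str, float]]:
    """Simulate one 61-recipient campaign: 4 recipients open the page, 3 of
    them also submit the form, plus one hit carrying a bogus code."""
    recipients = [f"employee{i:03d}" for i in range(1, 62)]
    tokens = issue_tokens("transaction-cancel", recipients)
    visited = list(tokens)[:4]
    log = [f"09:{i:02d}:00 GET /zrusitansakci?t={t}" for i, t in enumerate(visited)]
    log += [f"09:1{i}:00 POST /zrusitansakci?t={t}" for i, t in enumerate(visited[:3])]
    log.append("09:30:00 GET /zrusitansakci?t=notarealcode")
    return evaluate(tokens, parse_events(log, tokens))


if __name__ == "__main__":
    sample = next(iter(issue_tokens("demo", ["employee001"])))
    print(build_link("www.mojebamka.cz", "zrusitansakci", sample))
    print(demo())
```

Two design points carry over to a real engagement: the code must be random, because a sequential identifier would let a curious recipient view or pollute colleagues' results, and the log deliberately never stores what was typed into the form, only that it was submitted. The redirect to the official website after submission is a web-server concern outside this snippet.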
Based on this work, we identified the findings presented in the next section. Across the five smishing campaigns, 5.57% of the 305 targeted employees (17 recipients) opened the fraudulent link and attempted to enter personal information.