2025 Foundational Application of Social Engineering

SMiShing Attacks in the News 

Smishing attacks in the news

Share This Post

SMiShing Attacks in the News

In February 2024, 19.2 billion spam texts bombarded U.S citizens according to a recent report. As annoying as spam texts are, they are not always malicious. Some spam texts are from legitimate businesses, albeit unauthorized, looking for new ways to connect with their customers. However, lurking within those daily spam texts is a more sinister threat; SMiShing texts. SMiShing texts have the specific purpose of tricking recipients into revealing personal/financial information and/or downloading malware to their phone. Bad actors are taking full advantage of our reliance on text communication for business and personal use. Let’s look at a couple of recent smishing examples.

Smishing attacks in the news

Federal Communications Commission (FCC) Employees Targeted in Mobile Device Phishing Attack

Researchers recently discovered a phishing kit using novel tactics targeting FCC employees and cryptocurrency platforms. Bad actors are using this kit to build carbon copies of single sign on (SSO) pages. These pages are being distributed via text message, email, and vishing (voice phishing), using the pretext of securing their account after an attack.

What is the novel tactic the attackers use? The victim is asked to complete a Captcha using Captcha. This tactic prevents automated analysis tools from crawling and identifying the phishing site. It’s also a clever social engineering tactic. How so? It may also give the victim a sense of trust, and lend credibility to the process, since typically only legitimate sites use Captcha. Once the captcha is completed, the login page mimics the FCC’s legitimate Okta page.

Listen to Chris Hadnagy, CEO at Social-Engineer, LLC discuss this scam during Podcast 252, Crypto, Phishing and SMiShing…Oh My!

Smishing Attack Uses Amazon Web Services' Simple Notification Service (SNS) to Impersonate the United States Postal Service

In this attack, victims receive a text message from the United States Postal Service alerting them to an undeliverable package. The goal is to steal the victim’s payment card details and other personally identifiable information. This is the four-step flow after the victim clicks the link in the text message, according to the researchers who discovered the attack:

  1. The Landing Page: A webpage explaining why the package is undeliverable. A “Click Update” button leads to the next step.
  2. Tracking Page: The victim is prompted to enter their name, physical address, phone number and email address.
  3. Card Verification Page: The victim is prompted to enter a credit card number for a $0.30 redelivery fee.
  4. The server forwards the details to a card checker.

SNS Sender represents a narrower approach that relies on the actor having access to a properly configured AWS SNS tenant. However, as you can see, attackers are using social engineering tactics in this scam. They use messages that create a sense of urgency and fear in their victims, which prompt them to tap on the “Click Update” button, initiating the scam.

Test. Educate. Protect.

Are you concerned about the security of your company’s sensitive information? Imagine the consequences if your staff fell victim to a SMiShing scam, resulting in a data breach. The repercussions could be devastating. The solution? Protect your company from the dangers of SMiShing with our Managed SMiShing Service. This innovative and fully managed service not only tests and educates your employees on how to spot SMiShing texts, but also the more important act of reporting these attacks properly, helping to ensure the safety of your organization. Please contact us today for a consultation.

You May Also Like

More To Explore

Soft Skills for Cybersecurity Professionals
General

Soft Skills for Cybersecurity Professionals

As cyber threats continue to increase, so does the need for cyber security professionals. Some of the skills needed to succeed in the field of cyber security are programming skills,

Social Engineering

Keeping it Simple in Cybersecurity 

Today, the cybersecurity industry focuses a lot more on complicated solutions and tools. Companies are always looking to improve their security measures with the latest technologies. However, attackers often choose