SMiShing Attacks in the News 

In February 2024, 19.2 billion spam texts bombarded U.S. citizens, according to a recent report. As annoying as spam texts are, they are not all malicious. Some come from legitimate businesses, albeit unsolicited, looking for new ways to reach their customers. Lurking within that daily flood, however, is a more sinister threat: SMiShing texts. SMiShing (SMS phishing) texts have the specific purpose of tricking recipients into revealing personal or financial information and/or downloading malware onto their phone. Bad actors are taking full advantage of our reliance on text messaging for business and personal use. Let’s look at a couple of recent SMiShing examples.

Smishing attacks in the news

Federal Communications Commission (FCC) Employees Targeted in Mobile Device Phishing Attack

Researchers recently discovered a phishing kit that uses novel tactics to target FCC employees and cryptocurrency platforms. Bad actors are using this kit to build carbon copies of single sign-on (SSO) pages. Links to these pages are distributed via text message, email, and vishing (voice phishing), using the pretext that the victim must secure their account after an attack.

What is the novel tactic the attackers use? Before the fake login page is shown, the victim is asked to complete a CAPTCHA. This gate stops automated analysis tools from crawling and identifying the phishing site: a scanner cannot solve the challenge, so it never reaches the credential form. It is also a clever social engineering tactic. How so? It gives the victim a sense of trust and lends credibility to the process, because users associate CAPTCHA challenges with legitimate sites. Once the CAPTCHA is completed, the victim lands on a login page that mimics the FCC’s legitimate Okta page.

Listen to Chris Hadnagy, CEO at Social-Engineer, LLC discuss this scam during Podcast 252, Crypto, Phishing and SMiShing…Oh My!

Smishing Attack Uses Amazon Web Services’ Simple Notification Service (SNS) to Impersonate the United States Postal Service

In this attack, victims receive a text message purporting to be from the United States Postal Service, alerting them to an undeliverable package. The goal is to steal the victim’s payment card details and other personally identifiable information. According to the researchers who discovered the attack, this is the four-step flow after the victim taps the link in the text message:

  1. Landing Page: A webpage explaining why the package is undeliverable. A “Click Update” button leads to the next step.
  2. Tracking Page: The victim is prompted to enter their name, physical address, phone number and email address.
  3. Card Verification Page: The victim is prompted to enter a credit card number to pay a $0.30 redelivery fee.
  4. Card Checker: The server forwards the submitted card details to a card-checking service that verifies the card is valid.

The tool behind this campaign, SNS Sender, represents a narrower approach than most bulk-SMS kits: it only works if the actor already holds credentials for an AWS account that is properly configured to send SMS through SNS. Even so, the scam itself leans entirely on social engineering. The messages create a sense of urgency and fear in their victims, which prompts them to tap the “Click Update” button and start the flow.
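Because the sending side of this campaign is an ordinary AWS account, the defender’s check is on the cloud side: are your own SNS credentials being used to push SMS at a volume, or to recipients, you never intended? The Python script below is an added example, not code from this article or from the researchers who reported SNS Sender. It runs over a handful of constructed, simplified CloudTrail-style records for sns:Publish (the field layout is an assumption modelled on CloudTrail data events; check it against your own logs before relying on it) and flags any principal that is not on an allowlist of approved SMS senders, or that reaches many distinct phone numbers within a short window. All ARNs, phone numbers, message text and thresholds are made up.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed values for this example: one OTP service role is allowed to send SMS;
# the IAM user stands in for a stolen access key. Both ARNs are constructed.
LEGIT_PRINCIPAL = "arn:aws:sts::111122223333:assumed-role/otp-sender/app-instance"
BAD_PRINCIPAL = "arn:aws:iam::111122223333:user/ci-deploy"
ALLOWED_SMS_PRINCIPALS = {LEGIT_PRINCIPAL}

WINDOW = timedelta(minutes=10)   # sliding window for burst detection
MAX_DISTINCT_NUMBERS = 5         # distinct recipients per window before alerting


def _event(event_time, arn, params, name="Publish"):
    """Build one constructed CloudTrail-style record (simplified layout)."""
    return json.dumps({
        "eventTime": event_time,
        "eventSource": "sns.amazonaws.com",
        "eventName": name,
        "userIdentity": {"arn": arn},
        "requestParameters": params,
    })


# Constructed sample log: two legitimate OTP texts, one topic publish (not SMS),
# one unrelated EC2 call, then a burst of six USPS-themed texts from the CI user.
SAMPLE_LOG = [
    _event("2024-02-20T14:00:03Z", LEGIT_PRINCIPAL,
           {"phoneNumber": "+15555550101", "message": "Your one-time code is 482913"}),
    _event("2024-02-20T14:31:10Z", LEGIT_PRINCIPAL,
           {"phoneNumber": "+15555550102", "message": "Your one-time code is 110273"}),
    _event("2024-02-20T14:40:00Z", LEGIT_PRINCIPAL,
           {"topicArn": "arn:aws:sns:us-east-1:111122223333:deploy-alerts", "message": "deploy ok"}),
    json.dumps({"eventTime": "2024-02-20T14:45:00Z", "eventSource": "ec2.amazonaws.com",
                "eventName": "DescribeInstances", "userIdentity": {"arn": BAD_PRINCIPAL},
                "requestParameters": {}}),
] + [
    _event(f"2024-02-20T15:{2 + i:02d}:00Z", BAD_PRINCIPAL,
           {"phoneNumber": f"+1555555{200 + i:04d}",
            "message": "USPS: your package could not be delivered. Update your address: hxxp://example.invalid/track"})
    for i in range(6)
]


def _parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_sms_abuse(lines, allowed=ALLOWED_SMS_PRINCIPALS):
    """Return {principal_arn: set(reasons)} for principals whose sns:Publish
    calls to phone numbers look like bulk smishing. Topic publishes and
    non-SNS events are ignored."""
    per_principal = defaultdict(list)
    for line in lines:
        ev = json.loads(line)
        if ev.get("eventSource") != "sns.amazonaws.com":
            continue
        if ev.get("eventName") not in ("Publish", "PublishBatch"):
            continue
        phone = ev.get("requestParameters", {}).get("phoneNumber")
        if not phone:
            continue  # publish to a topic, not a direct SMS
        per_principal[ev["userIdentity"]["arn"]].append((_parse_time(ev["eventTime"]), phone))

    findings = defaultdict(set)
    for arn, sends in per_principal.items():
        if arn not in allowed:
            findings[arn].add("unapproved_principal")
        sends.sort()
        window = deque()
        for ts, phone in sends:
            window.append((ts, phone))
            while ts - window[0][0] > WINDOW:  # drop sends older than the window
                window.popleft()
            if len({p for _, p in window}) >= MAX_DISTINCT_NUMBERS:
                findings[arn].add("sms_burst")
                break
    return dict(findings)


if __name__ == "__main__":
    for arn, reasons in find_sms_abuse(SAMPLE_LOG).items():
        print(f"{arn}: {', '.join(sorted(reasons))}")
```

Two practical notes. SNS Publish calls are recorded by CloudTrail as data events, not management events, so they must be explicitly enabled on the trail or the script has nothing to read. And detection is the second line: restricting sns:Publish to the one role that legitimately sends texts, and setting the account’s monthly SMS spend limit (the MonthlySpendLimit SMS attribute) to what that role actually needs, caps how much damage a stolen key can do before anyone looks at a log.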

Test. Educate. Protect.

Are you concerned about the security of your company’s sensitive information? Imagine the consequences if your staff fell victim to a SMiShing scam, resulting in a data breach. The repercussions could be devastating. The solution? Protect your company from the dangers of SMiShing with our Managed SMiShing Service. This innovative and fully managed service not only tests and educates your employees on how to spot SMiShing texts, but also the more important act of reporting these attacks properly, helping to ensure the safety of your organization. Please contact us today for a consultation.
