Aren’t SMSes dead? Aren’t they just plain old text anyway? Surely they’re of no interest to cybercriminals any more?
Well, SMSes aren’t dead at all – they’re still widely used because of their simplicity and convenience.
Indeed, as a general-purpose short message service – which is literally what the letters SMS stand for – it’s hard to beat, because any phone can receive text messages, from the fanciest smartphone to the cheapest pre-paid mobile.
If all you need to transmit is a 6-digit logon code or a “pizza driver now 2 minutes away” notification, SMSes still make excellent business sense.
Sadly, however, what works for legitimate businesses almost always works for cybercriminals too, so there are plenty of crooks still using SMSes for phishing – an attack that’s wryly known as smishing.
You can see why SMSes work for crooks.
With just 160 characters per message, it’s easy for them to avoid the grammatical and stylistic blunders that they often make when they’re forced to produce longer-format email messages in a language they don’t speak well.
Better yet, business SMSes generally use URL shorteners to save space, giving the criminals an excuse to do the same.
URL shorteners convert lengthy but meaningful web addresses such as
https://brandname.example.com/pizza-order.html?lang=en-US into a compressed but cryptic format such as
https://xx.test/ABXt that frees up characters for the rest of the SMS, but disguises where the link is going to end up.
Hovering over a shortened link doesn’t help because the link denotes the actual website you’ll visit. The link shortening site uses the characters after the website name (
ABXtin our made-up example above) as an index to look up the real destination and then sends an HTTP
301 Moved Permanentlyreply to tell your browser where to go next. You need to click through to the shortening site first before you find out where you are supposed to end up.
The SMS system, of course, doesn’t know anything about URLs or even about the internet – but it doesn’t need to.
Your phone’s operating system will happily recognise when the text in an SMS looks like a URL and automatically make it clickable for you.
So, when the crooks use shortened URLs in their smishing scams, they don’t look unusual or out of place, even though the crooks are doing it specifically to be treacherous and not to save space.
As a result, text messages that contain one short, clipped sentence that wouldn’t look right in an email, and that contain deliberately disguised links that we might be suspicious of anywhere else…
…look surprisingly natural when they show up in an SMS.
Like this one we received earlier this week. (We’re not called Christopher and we don’t live in Derry, which is in Northern Ireland. The incomplete address given is a genuine suburban street, presumably plucked from a map to make it seem realistic.)
The message is meant to look as though it was sent to the wrong number, so the crooks are relying on you being intrigued enough to click through, whereupon they use some sneaky “reverse authentication” psychology to lure you in further.
The scam first shows you some cheery messages from a fake Apple chatbot to tell you why you – actually, to tell you why Christopher – had enough luck to be chosen to take part in an iPhone 12 trial, and then it invites you – actually, it invites Christopher – to join in:
Here, the link looks genuine, but the blue characters are simply the clickable text of the link, not the URL that is the destination of the link.
At this point, you’re no longer in the SMS messaging app but have clicked through into your browser, so you can see where the fake link leads if you hover your mouse over it. (On a phone, tap-and-hold on the link until the destination pops up.)
But if you aren’t cautious, you might wonder whether “Christopher” really was part of some Apple pre-release group.
What if you claim Christopher’s promo for yourself?
In fact, what’s stopping you from simply clicking through as if you were Christopher and finding out for yourself?
Well, one thing is stopping you, namely that you have to “prove” yourself by by giving your full name and address – except, of course, that the crooks helpfully leaked that information to you in the original text, making the “test” easy to pass.
You can guess what happens next:
In case you’re wondering, the name-and-address answers above in part 3/5 don’t matter a jot. We tried clicking numerous different combinations and, unsurprisingly, the crooks let us through anyway. The questions are there just to provide a plausible connection back to the SMS that was meant for “Christopher” but that reached you instead. It’s as though the criminals are trying to “authenticate” themselves to you, rather than the other way around.
As you see above, if you do click through the questions then you end up on a scam site (there were several variations, all similar – we tried the smish repeatedly) where you find there’s a courier delivery charge for the “free” phone, typically between £1 and £2.
Then you end up on a credit card payment form that’s hosted on what looks like a “special offers” website with a a believable enough name, and with an HTTPS security padlock if you take the time to look.
Of course, if you try to pay your modest delivery charge, you are simply handing over your personal data to the crooks, including your full card number and security code:
How bad is this?
Is this really a big deal, given that most of us would back ourselves to spot this as a scam right from the start?
Yes, it is.
Many of us have friends or family – perhaps even an at-risk relative who has been scammed before – who wouldn’t be so sure, and for whom the reverse authentication trick of asking for “Christopher’s” name and address might be convincing enough to draw them in further.
And friends don’t let friends get scammed, so if ever you get asked by someone who relies on you for cybersecurity help, “So what would happen if I clicked through?”…
…you can show them the short video above and let them see how these scams play out – without having to click through yourself.
What to do?
- There is no free phone. And if there were a free phone, you wouldn’t have to hand over your credit card details and pay £1 for it. You’re not getting something for nothing – you’re handing over something for nothing, and the crooks will use it against you. If you’re in any doubt, don’t give it out.
- Keep your eyes open for clues. The crooks have made numerous spelling and visual blunders in this scam. We’re not going to help them by listing them all like your English Language teacher would have done at school, but there are quite a few things that just don’t look right, even if you assume that there really is a free phone at the end of this. You might not always notice every clue, but always give yourself the time to look and therefore the best chance to catch out the crooks.
- Look at the link before you click. If anything looks wrong, it IS wrong. Even if the crooks don’t make any spelling or grammatical mistakes they almost always need to lead you to a website that they control. Often, that means a bogus link that you ought to spot if you take your time. Never let yourself get rushed into clicking through, no matter how much the crooks play on your fear of missing out.
- Consider a web filter. Network web filtering on your business network isn’t about surveillance, it’s about online safety. This helps you keep the bad stuff out, and helps your users keep the good stuff in, such as passwords and payment card numbers. Setting up a corporate VPN (virtual private network) means that users at home can browse securely back through the office network and enjoy the same protection that’t they’d have on the LAN at work.
This article was first published on nakedsecurity.sophos.com by Paul Ducklin, Principal Research Scientist at Sophos