Security Response

Anatomy of a SMSishing Attack

Created: 22 Jul 2009 15:00:21 GMT • Updated: 23 Jan 2014 18:33:53 GMT
Eric Chien

SMS phishing (“SMSishing”) occurs when you receive an SMS message that is purportedly sent from a reputable source, such as your bank, asking for personal details. Although SMSishing first started a few years ago, a couple of recent SMSishing attempts directed at some colleagues of mine provided a good opportunity to document the attack.

The attacks start when attackers use automated services for sending SMS messages in bulk to send messages such as the following:

FRM:3106******@*********.com
MSG:H*****FCU Notice: Please contact us immediately at 6366******

Or:

FRM:F**
SUBJ:Alert
MSG:F****** Alert. Unusual activity - Call now at 1-(888)3**-****

In the above two cases, the bank names and phone numbers are censored, but the messages typically follow the same pattern: they name a bank and claim some type of urgent need for you to contact them. When you call the number, you will get a recorded message asking you for details such as your debit card number and PIN code. Once you enter those details, the message thanks you and you are disconnected. Moments later, you can expect money to be withdrawn from your account.
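The pattern described above (a named institution, urgent wording, and a callback number) is regular enough to triage reported messages automatically. The following Python sketch is an added example, not code from the original post; the sample messages, the keyword lists and the known-good number list are constructed assumptions.

```python
import re

# Constructed samples in the FRM:/SUBJ:/MSG: layout shown above.
# Institution names and 555-01xx numbers are invented placeholders.
SAMPLES = [
    "FRM:3105550100@mail.example.com\n"
    "MSG:ExampleFCU Notice: Please contact us immediately at 6365550123",
    "FRM:EXB\nSUBJ:Alert\n"
    "MSG:ExampleBank Alert. Unusual activity - Call now at 1-(888)555-0142",
    "FRM:Alice\nMSG:Running late, call me at 314-555-0199 when you land",
]

# Assumption: numbers copied from the back of the recipient's own cards.
KNOWN_BANK_NUMBERS = {"8005550111"}

URGENCY = re.compile(
    r"\b(immediately|urgent|unusual activity|call now|alert|notice)\b", re.I)
INSTITUTION = re.compile(r"\b\w*(bank|fcu|credit union)\b", re.I)
PHONE = re.compile(r"(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}")

def parse_sms(raw):
    """Split 'KEY:value' lines into a dict with lowercased keys."""
    fields = {}
    for line in raw.splitlines():
        key, sep, value = line.partition(":")  # split on the first colon only
        if sep and key.strip().upper() in {"FRM", "SUBJ", "MSG"}:
            fields[key.strip().lower()] = value.strip()
    return fields

def normalize(number):
    """Reduce a phone number to its last ten digits (drops a leading 1)."""
    return re.sub(r"\D", "", number)[-10:]

def triage(raw):
    """Flag a message only when all three traits of the pattern are present."""
    msg = parse_sms(raw)
    body = " ".join(filter(None, [msg.get("subj"), msg.get("msg")]))
    callbacks = [normalize(m) for m in PHONE.findall(body)]
    reasons = []
    if INSTITUTION.search(body):
        reasons.append("names a financial institution")
    if URGENCY.search(body):
        reasons.append("urgent wording")
    if any(n not in KNOWN_BANK_NUMBERS for n in callbacks):
        reasons.append("callback number not on the known-good list")
    return {"suspicious": len(reasons) == 3,
            "callbacks": callbacks, "reasons": reasons}

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample))
```

Requiring all three traits keeps an ordinary "call me" text from being flagged, and a message that points at a number already on the known-good list is also left alone.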

In our testing, some of the automated collection systems actually checked credit card number validity. Entering fake numbers such as all 1s failed, whereas entering a number with a proper issuer identification number (the first few digits) and a proper check digit (the last digit) worked.

At the same time, some of these attacks are not all that sophisticated. For example, in one test we attempted to dial the number from multiple phones and received busy signals—meaning the system could only handle a single call at a time. In another, the recorded message appeared to be driven by some text-to-speech interface and the connection was so poor that we had to call multiple times to understand what was being requested. You can listen to that exchange here:

The system introduced itself as a 24-hour telephone banking system, requested our debit card number, expiration date, and PIN, and then thanked us. The drops in the recording were actual drops on the line, except when we were typing and it repeated our fake debit card number.

Based on the phone number called, the poor line quality appears to be because the number belongs to a hacked PBX (private branch exchange, the telephone exchange system used in offices or businesses) that has been forwarded to a phone number that is likely hosted in another country. The phone number is actually registered to a home in the small community of House Springs, Missouri.


If you receive such a message and it isn’t from any bank you deal with, just delete it. Otherwise, the best piece of advice is to simply call your bank directly using the number on the back of your card. If the message is an SMSishing message, they can assist in getting the number shut down.

One of the numbers we received was later replaced with a message from the Federal Trade Commission (FTC), which you can hear here: