Blog / Have you heard of a thing called smishing?

One thing you should understand about computer people is that we love to give things funny or clever names, and we love our acronyms. Computer hardware storage sizes are a great example. It’s all about bits and bytes (and there’s even an old out-of-use term known as a nibble). These are real terms that I’m sure made the engineers that come up with them chuckle. Of course this behavior has stuck around, especially when it comes to acronyms like TFA/2FA for two-factor authentication or GUI (pronounced like gooey) for Graphical User Interface. Now a new cyber threat is proving that practice is still alive and well, as it’s been dubbed “smishing.”

To explain smishing we first need to talk about phishing. Phishing is when bad actors send email that is intended to take advantage of the recipient in some way. It’s a variant on “fishing” because the hackers are dropping bait in front of users to get them to do something dangerous like open an attachment or direct them to expose their credentials on a fake page. Smishing is pretty much the same thing, but uses SMS text messages rather than using email to bait the users. All it took was for some clever engineer to smash the SM from SMS onto the original word, and just like that, smishing was born.

Fundamentally, smishing works on the same principal as phishing. The message tries to take advantage of assumptions that people make about technology, particularly those about the security and complexity of how these tools work. For some reason the almost magical way modern technology works makes people assume their smartphones are secure and that everything they receive is somehow trustworthy and truthful.

That’s what the bad guys are counting on. They want your trust them and believe what they tell you. After all, although we may be a bit skeptical, most people instinctively trust others at least to a certain degree by default when they meet. Smishers take advantage of this fundamental trust to persuade you to take risks like opening an Office document so they can infect your system, or visiting a website with a fake login page so they can steal your credentials. There are numerous different scams but they all revolve around you taking their bait. (Here fishy, fishy!)

So why use this sort of attack rather then send a virus directly?

It’s a matter of detection. Smishing messages, like phishing emails, don’t actually contain anything that could be considered a virus or other kind of malware. They typically just contain some text with instructions and maybe a link. This makes detecting and preventing smishing messages extremely difficult for automatic detection systems. After all, an Office document with macros to download an attack payload doesn’t actually contain the malware; static scanning will only find a standard document. The same goes for any other kind of bait sent in a phishing campaign. If there’s a link in a message the automated detection systems don’t follow that link, they check it’s rating. In order for the inspection systems to figure out the link is dangerous someone needs to follow it, grab the file, and report it.

These sorts of attacks bypass many traditional cyber security defenses and go straight for the users, which is why they work. The assumption that whatever defenses you or your cellular carrier have in place make every message trustworthy is dangerous, and not at all how to keep yourself, or your devices, safe.

There’s a quote from Shakespeare that’s perfect in this context. It comes from his famous tragedy ‘Romeo and Juliet,’ Act 3, Scene 2: “‘There’s no trust, no faith, no honesty in men; all perjured, all forsworn, all naught, all dissemblers.” It’s a little critical of people in general, but it’s also a good reminder that not everyone can be trusted.

If you have any questions about smishing, please reach out to your TRINUS Account Manager for some stress-free IT.

By Kind,

Courtesy of Your Friendly Neighbourhood Cyber-Man.
trinustech.com