SMS phishing: how cloud migration has opened the door to a new cyber-foe

The interconnectivity of cloud environments makes it easier for attackers to initiate lateral movement — hopping from endpoint to host to application to sensitive data


On the 10-year anniversary of the Shamoon wiper attack on Saudi Aramco, which downed more than 30,000 workstations, the Middle East Institute observed in a commemorative essay that “[it] began with a phishing attack.” Earlier this year, a phishing campaign impersonated the UAE Ministry of Human Resources in an attempt to defraud job seekers and recruiters. The victims were exposed to business email compromise (BEC) and so-called 419 scams, named after the section of the Nigerian criminal code that deals with advance-fee fraud. Yes, this is the classic Nigerian Prince scam. It is alive and well and, as of 2018, was raking in an estimated $700,000 a year in the US alone.

Every day, across the Middle East, people and businesses are exposed to phishing campaigns. They are the opening salvo in ransomware and a range of other cyberattacks. Many major incidents start with a stolen identity, and much of that theft is done through phishing because the technique is scalable, cheap, and has a track record of success. The phishing family also has a newer addition. Through SMS phishing, or “smishing,” even accounts protected by multifactor authentication can be compromised: a convincing text can persuade the victim to type a one-time code into a fake login page, or to approve a push prompt the attacker has just triggered, so the second factor is handed over along with the password.

As the region becomes increasingly cloud-resident and employees work under conditions that are harder and harder to monitor, we must assess how the cloud has changed our ability to detect and mitigate phishing attacks. The interconnectivity of cloud environments and the soup of services they offer make it easier for attackers holding one set of stolen credentials to move laterally, hopping from endpoint to host to application to crown jewels. BEC, where attackers pose as colleagues to elicit unsafe behaviour from targets, will be around for some time to come, but mobile-computing vectors are becoming more and more popular among threat actors.

Trust me, I’m a vector
The weak link has shifted from the devices in our backrooms and on our desks to those in our hands. Mobile endpoints make such attractive targets because of the trust placed in them by potential victims. Even the best-trained employee, who knows the dangers of clicking on a link in an email, may only follow best-practice guidelines on laptops and desktops. They will be more inclined to relax when using their personal smartphone. And if the phishing campaign sends an SMS, people are more likely to trust it than they would an email. Factor in that mobile interfaces make it more difficult to find the telltale information that would indicate nefarious activity, and you can see why threat actors favor handheld endpoints as their beachheads.

Phishing kits are a popular product in the malware-as-a-service market, and their capabilities evolve just as any other cloud products would. As a cloud-native offering, phishing-as-a-service is cost-effective and allows rapid entry because all the technical work has been done. Today, even the most inexperienced script kiddie has the ability to target the organisation of their choice with a sophisticated campaign.

The success of a phishing expedition lies in the bait. When the cosmetics are right, attackers hook more prey and enjoy a more lucrative payday. Phishers have greatly improved their capabilities in dressing up messages to appear genuine even to IT admins and cybersecurity analysts. And disguises work even better on smaller screens without mouseover functionality or status bars that can display true URLs.

Red alert
But signs are still there if you know where to look. For example, if a text purporting to come from a colleague carries or claims a location other than where the recipient knows that colleague to be, that is a red flag, and the IT department should be notified. Texts sent at odd or unsociable hours are a similar warning sign.

In the general case, any SMS that asks an employee to verify their credentials when they know they have not tried to log in should be treated with suspicion by default. IT and security teams should be notified in all such cases so they can warn the rest of the organisation; a lure that reaches one employee has usually reached many. Mobile security should be part of all IT and security training. Employees should be urged to treat SMS messages the same as emails and always examine them for signs of malicious intent. An exhaustive list of indicators is impractical, but the basics are timing anomalies, location discrepancies, grammatical and typographical errors, and suspicious URLs.
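The last two indicators in that list, lure wording and suspicious URLs, are the ones a security team can check mechanically against a reported text; timing and location need message metadata that plain SMS text does not carry. The script below is an added example, not code from the article or from Lookout. It triages a handful of constructed sample messages and goes a little beyond the article's list: besides credential-verification wording and urgency phrases, it flags raw IP hosts, URL shorteners, brand names buried in a subdomain, and punycode homograph domains decoded back to Unicode and compared to the brand label. The brand list, the shortener list, the two-label "registrable domain" shortcut (a stand-in for the public suffix list), and the edit-distance threshold are all assumptions.

```python
import re
import unicodedata
from urllib.parse import urlsplit

# Brand list is an assumption: the domains this organisation legitimately uses.
BRAND_DOMAINS = ["office365.com", "microsoft.com", "example-corp.com"]
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "cutt.ly"}
# Punycode (xn--) form of a homograph domain, encoded at runtime rather than hand-typed.
HOMOGRAPH_HOST = "micrösoft.com".encode("idna").decode("ascii")

# Constructed sample messages, not real traffic.
SAMPLE_SMS = [
    "Your 0ffice365 session expired. Verify your account within 24 hours: "
    "http://login.office365.com.security-check-portal.net/verify",
    "HR notice: confirm your login immediately at http://192.168.44.10/hr",
    "New voicemail from head office: https://bit.ly/3xZ9fk1",
    "Reminder: team lunch moved to 1pm Thursday, same place as last week.",
    f"Your delivery is waiting. Reschedule at https://{HOMOGRAPH_HOST}/track",
]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
LURE_RE = re.compile(
    r"verify your account|confirm your (?:password|login)|account (?:is )?suspended"
    r"|validate your (?:identity|credentials)|re-?activate", re.IGNORECASE)
URGENCY_RE = re.compile(r"immediately|within \d+ hours?|expires? today|urgent", re.IGNORECASE)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch labels one or two characters off a brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold(label: str) -> str:
    """Lower-case and strip diacritics so 'micrösoft' compares as 'microsoft'."""
    decomposed = unicodedata.normalize("NFKD", label)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).lower()


def registrable_domain(host: str) -> str:
    """Last two labels: a naive stand-in for the public suffix list (assumption)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def url_indicators(url: str, brand_domains=BRAND_DOMAINS) -> list:
    """Return the indicator names that fire for one URL."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return ["unparseable-url"]
    if IPV4_RE.match(host):
        return ["ip-literal-host"]  # domain checks are meaningless for a raw IP
    findings, unicode_host = [], host
    if "xn--" in host:
        findings.append("punycode-host")
        try:
            unicode_host = host.encode("ascii").decode("idna")  # reveal the homograph
        except UnicodeError:
            pass
    reg = registrable_domain(unicode_host)
    if reg in SHORTENERS:
        findings.append("url-shortener")  # real destination hidden behind a redirect
    if host.count(".") >= 3:
        findings.append("deep-subdomains")
    reg_label = fold(reg.split(".")[0])
    for brand in brand_domains:
        if reg == brand:
            continue  # genuinely the brand's own registrable domain
        if brand in host:
            findings.append(f"brand-in-subdomain:{brand}")  # e.g. office365.com.evil.net
        elif levenshtein(fold(brand.split(".")[0]), reg_label) <= 2:
            findings.append(f"lookalike:{brand}")  # homograph, typo, or wrong TLD
    return findings


def message_indicators(text: str, brand_domains=BRAND_DOMAINS) -> list:
    """Wording indicators first, then indicators from every URL in the text."""
    findings = []
    if LURE_RE.search(text):
        findings.append("credential-lure")
    if URGENCY_RE.search(text):
        findings.append("urgency")
    for url in URL_RE.findall(text):
        findings.extend(url_indicators(url, brand_domains))
    return findings


def verdict(findings: list) -> str:
    return "clean" if not findings else "suspicious" if len(findings) >= 2 else "review"


def triage(messages=SAMPLE_SMS, brand_domains=BRAND_DOMAINS) -> list:
    """(verdict, findings, message) per SMS, most indicators first."""
    rows = [(m, message_indicators(m, brand_domains)) for m in messages]
    return sorted(((verdict(f), f, m) for m, f in rows), key=lambda r: -len(r[1]))


if __name__ == "__main__":
    for v, f, m in triage():
        print(f"{v:10} {', '.join(f) or '-'}\n           {m}")
```

Running the script ranks the five samples: the Office 365 lure fires four indicators, the raw-IP payroll text three, the homograph delivery text two, the shortener one, and the lunch reminder none. A genuine `https://login.microsoft.com/` link produces no indicators because its registrable domain matches the brand exactly. The shortcuts that matter in production are the ones labelled as assumptions: swap the two-label registrable-domain guess for a public suffix list, and tune the edit-distance threshold against your own brand names to keep legitimate neighbouring domains from being flagged.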

The main problem with smishing attacks is jurisdictional. As a by-product of cloud migration and the stay-at-home workplace, employees routinely use many more channels that lie outside corporate IT’s control, and SMS is one of them. We should also remember social media and third-party messaging platforms like WhatsApp. Strictly speaking, these are shadow IT and should be treated as such: the organisation cannot filter, log, or inspect those messages the way it does corporate email.

Staving off disaster
Mobile phishing is now among the most common methods of credential theft and one of the quickest infiltration paths into an organisation’s cloud. Once inside with a valid identity, the threat actor can do anything that identity is permitted to do. They can plant malware or spyware. They can copy, exfiltrate, or encrypt sensitive data. The more privilege the stolen account holds, the more of the infrastructure is theirs to do with as they wish.

Attacks such as ransomware do not discriminate on the size or industry of the target. They strike without mercy or restraint. Every cloud security platform should be capable of alerting organisations to these attacks through the automatic detection of anomalous behaviour. All businesses need these capabilities to stave off disaster.

We no longer work within the predictable confines of traditional networks. Attackers are notorious for their ability to adapt. They are agile enough to move across devices, networks, and apps to do us harm. We must move as they do — with shrewd foresight and decisive aggression.

Bahaa Hudairi is the regional sales director – META at Lookout
