Saturday, September 02, 2006

BEWARE Of SMiShing Attacks On Cell Phones & PDAs

SMiShing is the newest form of cyber attack.

Like phishing, from which it gets half its name (SMS + Phishing = SMiShing), SMiShing attacks rely on social engineering. They attempt to convince the unsuspecting user to do something that ultimately leads to the theft of personal information or financial fraud.

These attacks have already begun. Users of cell phone services in Australia were recently sent an SMS message that told them to confirm a $2.00 per day charge for an online dating service. When alarmed users logged into the web site mentioned in the SMS message, the site attempted to infect their computers with a Trojan virus!

A new virus, VBS/Eliles, has been identified by major anti-virus vendors. In addition to its Trojan functions, the virus is designed to send SMS messages through cell phone service provider gateways.

The insidious part of this virus is that it actually offers the cell phone/PDA user a free antivirus download for their device. The software is allegedly from the recipient's cell phone provider. People who downloaded and installed the "antivirus" software on their phones were quick to discover that they had loaded malicious software instead!

Despite the other social malfunctions that plague virus writers, they are good at sharing. Although SMiShing is new, the code to carry out this type of attack is already spreading on web sites and discussion forums used by would-be virus writers. This means that we can expect to see more and more of these attacks in the near future.

eBay & PayPal Mobile Users @ Risk

Although no SMiShing attacks aimed at eBay or PayPal users have been documented, they will likely be future targets. Both eBay Wireless and PayPal Mobile have mobile tools that make it convenient to manage auctions and pay vendors / sellers using a cell phone / PDA. It won't take long for criminals to identify this pool of tempting mobile targets and start their attacks.

Users of newer converged devices are doubly at risk. The current generation of cell phones like the Nokia 6265i, Motorola Razr (Razor) or LG Chocolate, as well as PDAs like the Palm Treo 650 / 700 or HP's iPAQ running Windows Mobile Edition, offer SMS as well as Internet web browsing and email, giving criminals multiple ways to target these devices.

Staying Safe

Start by following all the same rules that apply to other online communication tools like email and instant messaging:

  1. Never open or respond to messages from unknown sources.
  2. Verify the source/content of all unexpected messages.
  3. Don't send text messages in response to Ads for free ring tones, jokes, horoscopes, etc.
  4. Never provide any form of financial or personal information in response to an unsolicited message.

Companies like Norton and McAfee, as well as freeware antivirus vendors, are already developing new antivirus software for cell phone / PDA devices. Versions of this have already been made available for PDA users. The war over portable devices will likely be just as brutal as the one that has raged over desktop computers for years.