Systal’s Digital Forensics and Incident Response Consultant Calum Baird highlights the steps individuals and businesses can take to protect against smishing attempts this Black Friday.
With the prevalence of mobile phones in modern society it is no surprise that smishing continues to be a popular attack vector for cybercriminals. Recent years have seen an increase in smishing campaigns with a 328% increase in 2020 and 76% of businesses reporting being the target of these attacks.
In this article, I will discuss the use of smishing by cybercriminals and what to look out for to avoid falling victim to these scams using a real-life example seen by individuals and organisations every day. This article will touch on the following topics and techniques:
- Smishing
- Phishing
- Social engineering
- URL shorteners
- URL expanding
- Cybersquatting/domain squatting
- Domain Name System (DNS)
- Browser sandbox
What is Smishing?
The word smishing comes from two combined terms:
- Short messaging service (SMS): The technology used for “text messages” on mobile phones.
- Phishing: A social engineering tactic used by cybercriminals using fraudulent communications (typically emails) to deceive victims.
Social engineering in the context of cybersecurity is the psychological manipulation of people to make them reveal confidential information or perform an action such as downloading malware or transferring money.
Social engineering is a common tactic used by cybercriminals, as humans are still one of the weakest links when it comes to information security.
Common Smishing Scams
Last week I received an SMS message from an unknown United Kingdom mobile phone number claiming to be a missed delivery from the popular courier company Evri.
Like many people I receive a few deliveries each month, so an SMS about a missed delivery wasn’t surprising. This is one factor which makes social engineering scams so effective: they provide circumstances which are plausible.
Social engineering often makes use of current trends, which in this case is the recent rise in ecommerce popularity, but has also included sending messages relevant to:
- Global Events: Phishing campaigns about COVID-19 and global conflicts.
- Regional Events: Phishing campaigns about current regional trends, such as elections or natural disasters.
- Annual Events: Phishing campaigns that include messaging around the end/beginning of a tax year, Christmas, and commercial events like Black Friday or Cyber Monday.
How can you spot a smishing message?
There were a few aspects of this message that made it stand out as suspicious:
- Generic Content: It was not addressed to me and did not contain an order number.
- Unrecognised Sender: It was sent from an unknown United Kingdom mobile number which produced no results when I searched it online.
- Unrecognised Website: It directed me to an unfamiliar domain (rb[.]gy), whereas a quick online search shows that the Evri website is https://www.evri.com.
Whilst I had my suspicions that this was a scam from the outset, I wanted to do a brief investigation to confirm this was a smishing attempt and raise awareness.
How to identify a scam?
First, I searched the mobile phone number online. There are many platforms to search, but on this occasion I used Google to keep it simple, which produced no results.
Next, I searched for the domain rb[.]gy as it was not one that I had encountered before. This revealed that the uniform resource locator (URL) provided in the message was a shortened URL. URL shorteners are legitimate services which can be helpful in reducing lengthy URLs to a user-friendly size but are often used by cybercriminals to obscure the final URL destination.
I then put the shortened URL into a URL expander which revealed the true URL as https://ev.ri-findorder[.]com.
From a closer inspection of this URL we can see that the registrable domain is ri-findorder[.]com, with ev.ri-findorder[.]com being a subdomain of it. Whoever has set up this domain and subdomain has taken steps to make it appear associated with Evri, by placing “ev.ri” at the start of the hostname so that it reads as the brand name at a glance. This is a technique known as cybersquatting or domain squatting, where cybercriminals register domains with the intent of trading on an existing brand's reputation. Cybercriminals will often use this tactic to take advantage of current trends, with July 2024 seeing an increase in domains registered with “Amazon” for Amazon Prime Day, and an increase in domains registered with “CrowdStrike” following their service outage.
Next, I input the URL into a browser sandbox. An online browser sandbox is an isolated environment which allows suspicious websites to be visited without posing a risk to your computer. Opening the URL on my computer would mean the possible risk of malicious code being executed or malware being downloaded.
The browser did not successfully connect to the website, so I was unable to examine it in depth.
I then used a Domain Name System (DNS) tool to examine the domain. DNS is essentially a phone book for the internet, translating the domain name in the URL typed in by a user to the address of the infrastructure where the website content is hosted. To facilitate this, DNS servers hold records about domain names, such as which name servers are authoritative for the domain and which IP addresses its hostnames resolve to.
As you can see from the above results, the domain was registered on 23rd June 2024. This is recent, which is suspicious given that Evri has been around for years.
The above results show that DNS servers for the ri-findorder[.]com website are located in China and Hong Kong. Again, this is suspicious as Evri use Amazon DNS in the United States of America (USA).
The A record, which stands for “address” and maps a hostname to an internet protocol version 4 (IPv4) address, is also listed as 127.0.0.1. This is a reserved IPv4 address known as the loopback or localhost address, which points back to the local system rather than to any server on the internet. This is, again, suspicious, as it does not provide a real IPv4 address for users to reach the website.
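As an added example (not Systal's tooling or code from the article), the following Python script applies the checks from the URL inspection and DNS sections above to the article's own URL: it splits the hostname into subdomain and registrable domain, flags a hostname that imitates a brand by inserting separators into the name, and classifies A-record addresses so a loopback answer stands out. The watched brand list and the DNS answers passed in are constructed sample data, not live lookups.

```python
"""Triage of an expanded smishing URL (added example, not Systal's own tooling).
The DNS answers are constructed sample data; nothing here performs a lookup."""
import ipaddress
from urllib.parse import urlsplit

# Brands to watch for, mapped to their genuine registrable domain (constructed list).
WATCHED_BRANDS = {"evri": "evri.com", "amazon": "amazon.com", "crowdstrike": "crowdstrike.com"}

def split_host(url):
    """Return (subdomain, registrable domain). Assumes a one-label public suffix
    such as .com; production tooling would consult the Public Suffix List."""
    host = (urlsplit(url).hostname or "").lower().strip(".")
    labels = host.split(".")
    if len(labels) < 2:
        return "", host
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def brand_lookalike(url, brands=WATCHED_BRANDS):
    """Return the imitated brand, or None. Collapsing dots and hyphens turns
    ev.ri-findorder.com into evrifindordercom, which exposes the embedded name."""
    host = (urlsplit(url).hostname or "").lower()
    _, domain = split_host(url)
    collapsed = host.replace(".", "").replace("-", "")
    for brand, genuine_domain in brands.items():
        if brand in collapsed and domain != genuine_domain:
            return brand
    return None

def classify_address(ip):
    """Label an address so a loopback or private A record stands out."""
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback:
        return "loopback"
    if addr.is_private:
        return "private"
    return "public"

def triage(url, a_records):
    """Combine the checks into a list of findings for one URL."""
    sub, domain = split_host(url)
    findings = []
    brand = brand_lookalike(url)
    if brand:
        findings.append(f"hostname imitates '{brand}' but registrable domain is {domain}")
    for ip in a_records:
        kind = classify_address(ip)
        if kind != "public":
            findings.append(f"A record {ip} is a {kind} address, not a reachable web host")
    return {"subdomain": sub, "domain": domain, "findings": findings}
```

Calling `triage("https://ev.ri-findorder.com", ["127.0.0.1"])` reproduces both red flags from the article, while the genuine `https://www.evri.com` produces no brand finding.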
As you can see above, there are plenty of red flags which indicate the SMS message I received was suspicious and not a genuine message from Evri.
Evri are aware that their brand name is used by cybercriminals without permission and provide some helpful information on how to spot phishing/smishing messages claiming to be from them: https://www.evri.com/faqs/receiving-a-parcel/is-this-evri-text-email-genuine.
How can you avoid smishing?
There are several steps that you and your organisation can take to avoid falling victim to smishing scams:
- Know what to look for: Be aware of the signs of a smishing message.
- Verify the sender: If you are unsure, contact the alleged sender directly using details you have for them or details on their official website to confirm if the message is genuine.
- Spread awareness: Educate colleagues on the risk of smishing and other social engineering tactics used by cybercriminals.
- Implement additional protections: Utilising a Security Operations Centre (SOC) and additional security methods can provide a defence-in-depth approach for your organisation and additional security when users fail to identify phishing/smishing.
For information on how Systal Technology Solutions can strengthen your cybersecurity posture and help keep your organisation safe from smishing scams, contact us.