The latest scary new malware scam.
Last week I talked about a (relatively) new form of malware: the purchase of online hacking kits that even a computer novice can learn to use so they can steal people’s identities, hack into banks, etc. I mentioned that these kits are now being used in phishing scams so as to accomplish the same types of things via e-mail.
This week, ladies and gentlemen, may I present to you: Smishing. Actually, it’s SMiShing (SMS phishing), but who wants to bother with capital letters?
Let’s review, shall we?
Phishing is when an attacker sends (usually by e-mail) a legitimate-looking offer from a supposedly highly reliable source (banks, PayPal, etc.). The phishing message usually falsely notifies the recipient of an “urgent” matter that requires their immediate attention (or something equivalent) and tells them to contact the entity and enter personal information such as social security numbers, account numbers, bank account details, etc. in order to resolve the issue. Such messages will even include something like, “If you do not respond to this within 3 days, you are in danger of having your account suspended.” Phishers are even smart enough to use themselves as the reason to disclose personal information: “If you feel that this could be a fraudulent website and you have been the victim of a phishing attack, please click on the link below, enter your user name and password, and report the violation.” Of course, by the time the victim has finished entering their user name and password, it is all over, and who knows what has been stolen. Phishing has become much more advanced, so that an unsuspecting victim can lose all of their personal data (passwords, credit card numbers, bank account details, and even their identity) just by clicking on the provided link.
Okay, now take everything you have just read, and apply it to text messaging. If
you follow through on a looks-like-the-real-thing-but-it’s-not text message, you have
now become a victim of smishing. Smishing has been around for a couple of years,
but with the sudden Android/Windows (mobile) Phone 7/iPhone craze, attackers have
gotten a little more sly and a lot better at what they do.
Smishing takes the form of text messages like, “There is possible fraud alert on your
credit card. Enter your credit card number and the last 4 digits of your social security
card to prevent possible fraud. This is for your protection.” Sometimes the attacker
will ask you to call an 800 number and give your credit card number, last four digits
of your social security number (for protection against unauthorized access to your
account!) to the first representative. You may be asked to validate your subscription
to an adult website at $49.95 per month, and unless you cancel this request by
clicking on the attached link, you agree that you ordered this service and will be
billed accordingly. Most people have not heard of smishing yet and tend to trust text
messages more than e-mail, thus they respond and become immediate victims.
Smishing is almost exclusively a threat for smart phone users. Here are some tips to
help protect you if you own one:
#1: Get a reliable anti-virus program. Look for ones that have great reviews
and solid recommendations. Smart phones are like hand-held computers, and if you
have a Windows Phone 7 or an Android phone, you have a handheld computer with
a real operating system. And what is the first thing you do after you have installed
Windows, Linux, or Apple on your computer? Why, put on an anti-virus program, of
#2: Don’t click on it! And don’t call the number! I can’t state this enough. If
there’s a link included and you don’t know who it is – and now, apparently, even if
you think you know who it is – don’t click on it! Don’t call the number they instruct
you to call – don’t do anything but delete it.
#3: Try not to have any really personal information stored on your phone.
Notice I say to try not to do that. What I want to say is don’t do it no matter what,
but I realize that it might be impossible to not have some information on your
phone. Just try to keep the real personal stuff to a minimum.
#4: Make sure that you have strong passwords for your financial accounts.
If you do have to (or like to) do your banking, etc. on your phone, make sure you
use a strong password. If you don’t know how strong a password should be, just
Google “how to make a strong password” or something like that and you’ll get
results that will help.
I think that’s enough scary malware for these past couple of weeks. I would really
like to inform you about nice things, too, but if they keep making all of this creative
malware junk fast enough, I may have to change this to “In the Security News.”
Text carefully, and have a good week!
~ Lori Cline