Stealthy Smishing Attacks by Fraudsters using Geofencing to Evade Detection
At Openmind we’re constantly confronting the dynamic nature of SMS fraud attacks and are always on the lookout for new trends in Smishing. Recent discoveries include an increased use of geofencing by fraudsters attempting to hide their tracks, and we research the use of well-known link shortener tools in Smishing attacks.
Prior to 2020 Smishing messages were a nuisance that went under the radar, they didn’t cause too much of a stir with subscribers, mobile operators or large enterprise organisations . As the pandemic took hold, our habits changed – working from home became the norm and as we were confined to our houses, deliveries to our homes, grocery shopping, takeouts and parcel deliveries became more common. This resulted in a shift in the type of content consumers were used to receiving via SMS – delivery tracking, shipping confirmations, dispatch notices, appointment acknowledgements – received via our devices. Consumers got used to this shift very quickly. However, with a change in consumer habits comes new vulnerabilities for fraudsters to exploit. Here was a golden opportunity to pounce, the fraudsters started to send delivery confirmation, tracking and dispatch notices – all of this with the usual intention, to fool individuals into exposing personal & financial credentials.
In 2021, Flubot malware came into the limelight and consumers, mobile operators and the media were all suddenly very focused on these campaigns. Flubot tricked consumers into clicking a URL which downloaded malware to their device. Subscribers’ personal and financial data was at risk and the device became part of a botnet communicating with a host, and spreading the malware to other consumers across Europe through millions of SMS’s. Flubot spread quickly because consumers’ SMS habits had changed, they would click on a URL in an SMS almost from muscle memory. Flubot caused a major headache for mobile network operators trying to protect their network and their subscribers, while responding to regulator and media pressure to control the issue. Thousands of man hours were put into updating SMS Firewalls and encouraging subscribers to rid their devices of malware.
But that’s 2021’s story. By its nature, fraud is dynamic and the fraudsters consistently try to be one step ahead of any mitigations, it’s a fast paced industry and mobile operators struggle to keep up. Here at Openmind, we’re observing some changes in Smishing attacks which we believe will be of note in 2022.
We’ve discovered the use of geo-fencing is much more widely employed in Smishing campaigns this year in attempts to bypass URL checking processes introduced by Operators. Geofencing is a virtual boundary, which indicates the device’s physical location. Geofencing is used very legitimately by consumers and businesses – for instance tracking a device location, alerts for national attention, securing boundaries for equipment or personnel – all great reasons to have a geofence!
But, what does this mean in terms of Smishing? The fraudsters are continuing the game of cat and mouse with the Mobile Operators, geofencing is another way of trying to bypass any checks the Operator has in place. Mobile Operators employ methods to verify URL links, but these are usually fairly basic, and wouldn’t include a geofencing check. It adds another layer of complexity for the Mobile Operator to verify URLs which have geofencing, and adds many hours of resources and more technology to identify the problem URLs and block them down. The fraudsters will have moved on to the next technique by the time this one is shut down.
We’ve also been researching the use of URL shorteners in Smishing messages. URL shorteners have been used by legitimate enterprises and subsequently in Smishing messages for quite some time now, there’s no news there. For legitimate Enterprises URL shorteners are a handy way to fit the full URL into the SMS character limit, and for Fraudsters a shortened URL does a great job in hiding the intended URL destination. However, more recently, we have noticed an accelerated use of well-established URL shortener providers such as t.co, bit.ly, cut.ly and t.ly in Fraudulent SMS. These lend further legitimacy to the message, especially for those used to receiving tweets via SMS. Savvy consumers may notice that the URL is redirected to an unexpected domain in China or Russia, however the fraudster is relying on consumers who don’t check this, and fall victim to their scam.
Our research has also highlighted that even though fraudsters are getting more and more stealthy spreading Smishing messages and fake websites, the traditional everyday Smishing campaigns are still ongoing under the radar, a few hundred messages at a time. These aren’t high profile campaigns like Flubot, but this shows that there is still money to be made in conventional Smishing.
The constant variety of attacks highlights the issues faced by mobile operators to keep up to date with an ever changing threat landscape. Openmind have built a dynamic Smishing Detection Service which combines machine learning which is used to detect suspicious SMS traffic, with our team of expert fraud analysts. We ensure our customers and their subscribers are always protected from the latest Smishing campaigns and new emerging threats.
