About Matt

Matt Neely is a penetration tester and security researcher located in the Cleveland, Ohio area.

Tuesday, 03 June 2008

M-Commerce Security Tipping Point: SMS Phishing Toolkit in the Wild

Looks like m-commerce finally reached a tipping point! Although it's not the tipping point advocates were hoping for. M-commerce systems have gained enough popularity that criminals are now developing custom toolkits specifically to attack them. Earlier this week the Internet Storm Center had a diary entry on a software package that automates SMS spamming and phishing attacks. Details on the toolkit can be found here.

This is not surprising; at my FSTC presentation last year I predicted that attacks on m-commerce systems would increase. Criminals go where the money is, and m-commerce systems finally have enough money flowing through them for criminals to take note.

Luckily, carriers can take steps to stop folks from sending SMS spam and phishing messages. At least in the US, carriers are pretty good about keeping spam off their networks. Sadly, carriers in other countries aren't always as diligent. Overall, I do not foresee bulk SMS phishing becoming a large issue in the US.

However, I do see two scenarios where SMS phishing could become a problem. The first scenario is a spear phishing attack. During a spear phishing attack, criminals target specific high-value targets such as an executive. These messages could be low-key enough to slip past the carrier's content filters. In the second scenario, a carrier-owned system could be compromised and used to launch a phishing attack. In this instance the malicious traffic would originate from within the carrier's network, so it would bypass any perimeter controls the carrier has in place.

Presently there is no easy way for an end user to differentiate a legitimate SMS message from a malicious one. Below is a reproduction of two SMS messages I sent to my mobile phone years ago. (I couldn't get a clear screenshot, so I needed to do some Photoshop magic.) Which message is the legitimate one?

The one on the left is the real message. The other message is a spoofed message I sent using an open mail relay, which let me forge the sender as seen through the carrier's email-to-SMS gateway. It's worth noting that this SMS spoofing trick no longer works on US carriers.
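The two points above (a compromised internal system bypassing perimeter controls, and a spoofed message being indistinguishable to the recipient) are easier to see with a toy model of where a carrier's filtering sits. The following is an added example and is not code from the original post or any carrier's software. The message fields, the `origin` values, the trusted short code, the domains and the sample messages are all constructed assumptions for illustration.

```python
"""
Added example (not from the original post): a toy model of carrier-side SMS
filtering, showing why a perimeter-only control misses phishing traffic that
originates inside the network, and why a low-key spear phish can pass a
content heuristic. All fields, domains, short codes and messages are
constructed placeholders, not any carrier's real interface.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class SmsMessage:
    msg_id: str
    origin: str    # assumed field: "external_gateway" or "internal_system"
    sender: str    # short code, phone number, or gateway-rewritten address
    body: str


# Constructed policy inputs: the short code the bank legitimately sends from
# and the web domain it actually uses (placeholder values).
TRUSTED_SHORT_CODES = {"12345"}
TRUSTED_DOMAINS = {"example-bank.test"}

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)
URGENCY_RE = re.compile(r"\b(suspended|verify|immediately|urgent|locked)\b",
                        re.IGNORECASE)
BLOCK_THRESHOLD = 2


def content_risk_score(msg: SmsMessage) -> int:
    """Content-only heuristic; higher is more suspicious, 0 means nothing found."""
    score = 0
    # A link to a domain the brand does not own is the strongest single signal.
    for host in URL_RE.findall(msg.body):
        if host.lower() not in TRUSTED_DOMAINS:
            score += 2
    # Urgency language is a common lure characteristic.
    if URGENCY_RE.search(msg.body):
        score += 1
    # Claims to be the bank but does not come from an allow-listed short code.
    if "bank" in msg.body.lower() and msg.sender not in TRUSTED_SHORT_CODES:
        score += 1
    return score


def perimeter_filter(msg: SmsMessage) -> str:
    """Perimeter-only control: only traffic entering from outside is inspected."""
    if msg.origin != "external_gateway":
        return "deliver"  # internal traffic is implicitly trusted
    return "block" if content_risk_score(msg) >= BLOCK_THRESHOLD else "deliver"


def smsc_filter(msg: SmsMessage) -> str:
    """Origin-independent control applied at the message centre to all traffic."""
    return "block" if content_risk_score(msg) >= BLOCK_THRESHOLD else "deliver"


# Constructed sample traffic.
SAMPLE_MESSAGES = [
    # Legitimate alert from the bank's own short code.
    SmsMessage("m1", "external_gateway", "12345",
               "Example Bank: your statement is ready at https://example-bank.test/stmt"),
    # Bulk phish arriving through an email-to-SMS gateway; the gateway rewrote the sender.
    SmsMessage("m2", "external_gateway", "alerts@example-bank.test",
               "Your bank account is suspended. Verify now at https://login-examplebank.test/"),
    # Same lure injected from a compromised system inside the carrier network.
    SmsMessage("m3", "internal_system", "12345",
               "Your bank account is suspended. Verify now at https://login-examplebank.test/"),
    # Low-key spear phish: no link, no urgency words, aimed at one recipient.
    SmsMessage("m4", "external_gateway", "+15555550100",
               "Hi Jane, it's Tom from finance. Can you give me a call back? 555-0199"),
]


def run_filters(messages=SAMPLE_MESSAGES) -> dict:
    """Return {msg_id: (perimeter_verdict, smsc_verdict)} for each message."""
    return {m.msg_id: (perimeter_filter(m), smsc_filter(m)) for m in messages}


if __name__ == "__main__":
    for mid, (per, smsc) in run_filters().items():
        print(f"{mid}: perimeter={per:8} smsc={smsc}")
```

Two things fall out of the run. Message m3 carries the same lure as m2 but is delivered by the perimeter filter and only caught by the origin-independent rule, which is the second scenario in the post. Message m4 scores zero under either filter, which is the first scenario: a targeted, low-key message gives a content heuristic nothing to key on, so the recipient is left to judge it alone, and as the post notes the recipient has no reliable way to tell the sender is who it claims to be.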

I wonder what other toolkits like this are in the wild? If anyone knows of any other toolkits that specifically target m-commerce systems, I would love to hear about them.

Cheers,
Matt

Reader Comments (1)

We have developed and launched a mobile search tool called www.Barcle.com. There is a great NBC news piece that explains it in less than 2 minutes.

http://www.youtube.com/watch?v=AZEjzk4r-JI

www.Barcle.com is a barcode-driven mobile search tool that allows you to use a product's barcode to check names and prices of over 17 million US products, 50 thousand brands, from over 1200 stores. We have over 40 million other live product codes for other national markets and will be launching them shortly.

The idea is the convergence of low online prices with the touch, see, feel experience of being in (any) store: the ability to comparison shop from your mobile telephone with an easy method of accessing realtime data, which is quite different from other mobile CSEs. Barcle is free to use, and there is nothing to join.

Ted Baltuch
ted@barcle.com
www.barcle.com
mobile.barcle.com

June 8, 2008 | Unregistered Commenterted b
