Schneier on Security
A blog covering security and security technology.
October 17, 2005
Phishing Without Computers
Here's a phishing scam using an SMS message and a telephone call.
Posted on October 17, 2005 at 7:54 AM
Although a new wrinkle on phishing, similar things have been done in the UK.
One simple scam was to send out an "Itunes" confirmation message, saying that your "tune had been sent". If you then used any of the contact info you were either stung for a very expensive phone call or you registered yourself for some SMS service where you would quickly be hit with a hundred or so SMS adverts that you paid a premium rate for.
Didn't the Paris Hilton hackers use SMS messages as part of their ploy?
Yes, they did, but the point here is you can phish without using a computer at all, which is what this scammer did.
You don't like SMS, right?
Paraphrasing Bruce Schneier, sms is just another tactic to commit frauds :)
Isn't this just plain ol' Phreaking?
Or like the method they used in earlier days:
Make a call in cafe/restaurant and use some numbers (redirect code from provider) to just redirect calls. So when the number of the restaurant is called you can make free long distance calls. Very old trick.
Considering that cell phones are really small computers (some even run Windows!), the whole "phishing without computers" claim looks a little strained.
A friend of mine's business fax used to get phishing trolls in the very early 90s.
And I don't mean cheap vacations and cigs; he was getting "open a bank account so I can put 20 million in it".
Phreaking used special knowledge to defraud the telephone companies by making calls for free, but didn't expose the "host" to liability. This hack actually exploits human nature to rob the unsuspecting individual.
"A large purchase has been made on your credit card. Please leave your cc# and password in the blog so we can check your account". I don't think anybody here would fall for that. I don't think most anybody would fall for that. I think this is more likely a new technology in newbie hands (no offence to any newbie). Even if I did receive what I believed to be an honest SMS, I would still call my bank directly and not use the supplied number, and would only have given the guy on the other end of the phone my cc# (bad enough) and asked him about my account transactions. I wouldn't have it frozen because that's a knee-jerk, save-my-baby response. Something like this has to be mass messaged because only a small percentage would fall for this.
"Something like this has to be mass messaged because only a small percentage would fall for this."
Luckily, computers are really good at boring repetitive tasks.
"Luckily, computers are really good at boring repetitive tasks."
Now find a way to use that to our advantage. It looks like scammers already have.
Well, fortunately for us, mass messaging on SMS generally isn't as easy or as cheap as it is for electronic mail. It will cost money for a normal mobile phone line to send a message, and given the number of people you need to contact the cost could very quickly go beyond the potential payoff. Another tack might be to set up a mobile service to do this, but, in my country anyway, there are laws that require the mobile carriers to exercise some due diligence in seeing to it that mobile service providers don't provide "services" that are designed to scam people or are otherwise misleading. I imagine that any country where mobile services are anywhere near as popular as they are here in the Philippines (widely considered to be the SMS capital of the world, with close to a billion messages a day among all the carriers) would very quickly develop regulation to stifle such mischief. A third tack might be to break into some mobile service provider's own network and use their infrastructure to send illicit messages, but this requires careful and targeted cracking work, and will probably be very quickly noticed and stopped by the carrier and victimized provider (though not before enough damage may be done).
But indeed, scams using SMS similar to the one described in the article have been known and reported to happen here too. We've been getting that kind of nonsense for so many years that it's no longer even news in the Philippines. Of course, since they require a token investment, they require a much higher response rate than Internet-based scams, else they become unprofitable, and as such tend to be much more subtle.
Like you always say, Bruce, security is a people problem, not a technical problem.
My bank has sent me messages asking me to call them on a certain number. I phoned them back on a number that I got from elsewhere and when I found it was them I had a rant at them, explaining why it was such a bad idea.
When I later spoke to a line manager she said that they had had so many complaints that the technique was probably going to be shelved.
I wonder how many people were complaining because they had to call back on their phone bill, rather than out of security considerations though.
@ Dido Sevilla
Unfortunately the cost of bulk SMSing can be very very cheap, especially to a targeted audience.
Basically the telcos charge in an apparently funny way for phone calls and SMS. Each time you use a service you pay (at least) two sets of charges, one to the originating network, and one to the destination network (and sometimes to the carrier). You normally do not see the separate charges, just one aggregate charge on your bill.
Usually the destination network charge is very very small, and as something like 95% of SMS traffic travels over an IP network at some point, it is also very easy to get a gateway connected to one or more Mobile Operators' systems.
It is for this reason you see adverts for ridiculously cheap SMS services using a computer over the Internet.
Well, a lot (but not all) of these gateway providers regard themselves as "common carriers" and are therefore very much exempt from the "due diligence" aspect that you refer to, as they carry but do not originate the traffic... They also give very very cheap rates to anybody who signs on the dotted line (usually to cross-subsidize another business model they have).
As long as "common carrier" status exists, then scams of this sort will happen. Also the scammers know that if they operate from a different jurisdiction and exercise a little caution then they are very unlikely to be caught...
Oh, and targeting the "marks": well, you can get all sorts of marketing info for next to nothing, as has been discussed on this blog in the past.
The scam I'm waiting to hear about is what I'll call passive phishing:
1. Mark connects to malicious open WiFi hotspot, where Internet traffic is routed normally...until:
2. DNS requests to select hosts (bankone.com, amazon.com, capitalone.com, etc.) are redirected to a server somewhere in Uzbekistan, where:
3. Complete spoofs of the legit sites are constructed (sans SSL, which might clue the mark in to what's going on), much as we see with current phishing schemes.
4. Account data are collected and exploited or sold.
This is a pretty easy proposition, particularly in mixed urban settings where illicit access to network and power infrastructure is pretty easy to come by. You just load a LinkSys router with modified code and stash it above the ceiling tiles near a window at some small business that doesn't have much in the way of network monitoring. It could sit there for years without being found. With a modest amount of additional code, the rogue router could also pull down configuration updates from a pre-determined web or IRC repository, in case the collecting server has to be relocated or new sites are targeted.
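The "passive phishing" scenario in the comment above leaves two detectable traces on the network it is run against: several unrelated financial hostnames suddenly resolve to one and the same address, and those sites are then served without SSL. The following is an added example of detection logic for exactly those two indicators, written for this page and not taken from the post or its commenters. The DNS and HTTP log formats, the addresses and the timestamps are constructed for the example; the watch list is the three hostnames the comment names.

```python
"""
Detection heuristic for the rogue-resolver pattern described above: a
hotspot's DNS answers several unrelated watched hostnames with the same
address, and the spoofed sites are fetched over plain HTTP.
Example code added to this page; all log lines below are constructed.
"""
from collections import defaultdict

# Hostnames named in the comment, used as the watch list.
WATCHLIST = ("bankone.com", "amazon.com", "capitalone.com")

# Constructed DNS answer log: "<timestamp> <client> <qname> <rrtype> <answer>".
# One address (203.0.113.77, a TEST-NET value) answers three unrelated domains.
DNS_LOG = """\
2005-10-17T08:01:02 10.0.0.5 www.bankone.com A 203.0.113.77
2005-10-17T08:01:09 10.0.0.5 www.example.org A 198.51.100.20
2005-10-17T08:02:41 10.0.0.7 amazon.com A 203.0.113.77
2005-10-17T08:03:15 10.0.0.9 capitalone.com A 203.0.113.77
2005-10-17T08:03:50 10.0.0.9 cdn.example.net A 198.51.100.44
"""

# Constructed HTTP access log: "<timestamp> <client> <scheme> <host> <path>".
HTTP_LOG = """\
2005-10-17T08:01:03 10.0.0.5 http www.bankone.com /login
2005-10-17T08:01:10 10.0.0.5 http www.example.org /
2005-10-17T08:03:16 10.0.0.9 https capitalone.com /
"""


def watched_domain(hostname, watchlist=WATCHLIST):
    """Return the watch-list entry hostname equals or is a subdomain of, else None.

    Matching on the label boundary ('.' + domain) keeps look-alikes such as
    bankone.com.example from matching bankone.com.
    """
    hostname = hostname.lower().rstrip(".")
    for domain in watchlist:
        if hostname == domain or hostname.endswith("." + domain):
            return domain
    return None


def parse_dns_log(text):
    """Return (client, qname, answer) tuples for A-record lines; skip malformed lines."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[3] != "A":
            continue
        _ts, client, qname, _rrtype, answer = fields
        records.append((client, qname, answer))
    return records


def shared_answers(records, watchlist=WATCHLIST, min_domains=2):
    """Map each answer IP to the distinct watched domains that resolved to it.

    Only IPs collecting at least min_domains distinct watched domains are
    reported: separate organisations sharing one address is the indicator.
    """
    by_ip = defaultdict(set)
    for _client, qname, answer in records:
        domain = watched_domain(qname, watchlist)
        if domain:
            by_ip[answer].add(domain)
    return {ip: sorted(domains) for ip, domains in by_ip.items()
            if len(domains) >= min_domains}


def plaintext_watched_requests(text, watchlist=WATCHLIST):
    """Return (client, host, path) for watched hosts fetched over plain HTTP."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        _ts, client, scheme, host, path = fields
        if scheme.lower() == "http" and watched_domain(host, watchlist):
            hits.append((client, host, path))
    return hits


if __name__ == "__main__":
    for ip, domains in shared_answers(parse_dns_log(DNS_LOG)).items():
        print(f"ALERT: {len(domains)} watched domains resolve to {ip}: {', '.join(domains)}")
    for client, host, path in plaintext_watched_requests(HTTP_LOG):
        print(f"ALERT: {client} fetched watched host {host}{path} over plain HTTP")
```

The shared-answer check deliberately keys on the answer address rather than on a list of "correct" addresses, because legitimate sites change hosting and a fixed allow list would rot; two competing banks and a retailer landing on one IP is unusual regardless of what that IP is. Running the same two functions over a resolver's real query log and a proxy's access log, with a watch list of the sites the organisation actually cares about, is the natural extension.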
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.