Securing the Mobile Enterprise

August 27, 2009

Smish out of water

Filed under: Mobile Security — Balaji Prasad @ 3:15 am

The typical malware writer has gradually shifted the intent of malware from pure fame and geek curiosity to more diabolical ends. A few months ago, Kaspersky reported a trojan that can steal your money by exploiting a vulnerability in the SMS implementation on your phone. Such phishing attacks over SMS have acquired a new term: “smishing”. Then again, F-Secure earlier demonstrated another vulnerability in Series 60 phones that allows for a privilege escalation attack giving complete access to the underlying file system. This vulnerability has since been addressed in a firmware upgrade. Smishing attacks are not as prevalent in the United States as they are in Europe or Asia, since SMS is not the preferred way of communication here yet. This is changing though… Carriers are now including unlimited SMS plans for under $10 and this is encouraging SMS phishing. There also exist legitimate services out there that facilitate bulk SMS transmission.

Traditional phishing attacks can be easily identified by their broken links, non-rendering images or plain bad spelling (think Nigerian 419 emails); however, these shortcomings are not as evident on SMS. Typically the messages themselves are concise and usually composed entirely of text. It is also relatively easy to spoof the sender name, so that a message may look like it came from a legitimate source. This attack was recently demonstrated at the Black Hat conference, albeit on a jailbroken iPhone.

So how does one guard against this attack? Truth be told, there isn’t a single reliable way. Most legitimate brick-and-mortar companies will not use SMS to communicate with you (the exception being your carrier). If you get an SMS from your bank, utility company or even your friend soliciting any information, simply ignore it and try to reach them out of band (i.e. from another phone, by email, etc.). The cell phone industry has not developed standardized and robust protocols to guarantee the security of the SMS channel. Hopefully that will change soon.
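The traits described above (short, text-only messages that solicit information, carry a link, and arrive under a spoofable sender name) can be turned into a simple triage rule that nudges the recipient toward the out-of-band check recommended here. The following is an added example, not code from the original post: a small heuristic scorer run over a handful of constructed sample messages. The keyword lists, the weights, the threshold and the assumption that a non-numeric sender name is worth a point are all my own choices for illustration.

```python
import re

# Constructed sample messages for the example (not real traffic).
SAMPLE_MESSAGES = [
    {"sender": "YourBank",
     "body": "Your account is suspended. Verify your PIN at http://bit.ly/x1"},
    {"sender": "+15551234567",
     "body": "Running late, see you at 7"},
    {"sender": "Carrier",
     "body": "Your bill of $42.10 is ready. Reply STOP to opt out."},
    {"sender": "UtilityCo",
     "body": "URGENT: confirm your password to avoid disconnection"},
]

# Heuristic patterns (assumed for this example, not an exhaustive list).
URL_RE = re.compile(r"https?://|www\.|\b[a-z0-9-]+\.(?:ly|com|net|info)/\S*", re.I)
SOLICIT_RE = re.compile(
    r"\b(verify|confirm|update|enter|provide)\b.*"
    r"\b(pin|password|account|ssn|card|login|credentials)\b", re.I)
URGENCY_RE = re.compile(
    r"\b(urgent|immediately|suspended|locked|within 24 hours|disconnect\w*)\b", re.I)
# A sender that is a plain phone number; anything else is an alphanumeric
# sender ID, which the post notes is easy to spoof (assumed heuristic).
NUMERIC_SENDER_RE = re.compile(r"\+?\d{5,15}")


def score_message(sender, body):
    """Return (score, reasons) for one SMS based on the smishing traits."""
    score = 0
    reasons = []
    if not NUMERIC_SENDER_RE.fullmatch(sender):
        score += 1
        reasons.append("alphanumeric sender name (spoofable)")
    if URL_RE.search(body):
        score += 1
        reasons.append("contains link")
    if SOLICIT_RE.search(body):
        score += 2
        reasons.append("solicits credentials or account data")
    if URGENCY_RE.search(body):
        score += 1
        reasons.append("urgency language")
    return score, reasons


def triage(message, threshold=3):
    """Map a message to a verdict: 'ok' or 'verify out of band'."""
    score, reasons = score_message(message["sender"], message["body"])
    verdict = "verify out of band" if score >= threshold else "ok"
    return {"verdict": verdict, "score": score, "reasons": reasons}


def triage_all(messages=SAMPLE_MESSAGES):
    """Triage a batch and return the list of verdict dicts, in order."""
    return [triage(m) for m in messages]


if __name__ == "__main__":
    for msg, result in zip(SAMPLE_MESSAGES, triage_all()):
        print(f"{msg['sender']:>14}: {result['verdict']} "
              f"(score {result['score']}; {', '.join(result['reasons']) or 'no flags'})")
```

The weights are deliberately tilted so that a request for credentials outweighs everything else, while a routine carrier billing notice (alphanumeric sender, no solicitation) stays below the threshold, matching the post's observation that the carrier is the one legitimate SMS correspondent. Note what the scorer cannot do: a spoofed sender name is indistinguishable from a genuine one at the message level, so the heuristic only decides when to prompt the user to verify through another channel; it does not replace that check.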
