Smishing is the latest and growing version of phishing, the act of impersonating some person or organization in electronic communication. In this case, it is using text messaging platforms to gather passwords and identities and deliver malware.
The term came into being around 2006 but was not a problem until recent years. For example, security researcher Proofpoint reported that SMS-based scams rose 328% in the middle of 2020 alone. a lot of the problem is because few people know about it. For older mobile users, authenticating a text message is difficult. Proofpoint’s data shows only 23% of users over 55 correctly defined smishing. More than 34% of people 23-38 years knew about it.
This lack of knowledge makes Facebook, and all other social media sites, a profitable hunting ground for scammers. Facebook is the biggest breeding ground for this form of cybercrime because most of its users are clueless. The platform employs about 35,000, to find and delete groups and users. It does little good. The platforms have very weak security in place, and reducing the number of accounts cuts into their revenue. MIT found Eastern European troll farms, ran 19 of the top 20 Facebook pages targeting American Christians to influencing the 2020 Presidential elections process
Moreover, in 2019, Facebook deleted 74 cybercrime groups with 385,000 members from the platform. With 16 percent of the 2.89 billion accounts estimated to be fake, that was a drop in the bucket.
The enemy is us
Social media provides information about people publicly like where they work, who they hang out with, email addresses, phone numbers, where they go for vacation, hobbies. If a perfect stranger started asking for any of that they would run in the opposite direction. On social media, it’s standard practice. All a scammer needs are to “steal” photos and information from your account, get a burner phone number and email address, and they can create a fake account in a few minutes. And it is all done through legitimate businesses.
There are subscription apps that will create a phone number or URL that will exist for seven days. They describe themselves as useful for “salespeople, dating or Craigslist.” (We won’t tell you who they are. Look it up yourself). Using these services, scammers can set up a seemingly legitimate account where they can start mining your friends list sending connection requests, links to malicious websites or infected pdf or jpeg files. They don’t even have to send them to all your contacts. All they have to do is post a meme or a video targeted at a particular group of people (like American Christians) and the group does all the work of sending it out.
It’s not cute. It’s a scam
For example, there is a popular Facebook group that posts lots of animal rescues that tug on heartstrings through the cloud provider Netlify. I regularly get notifications that websites on that service are trying to infect my network with malware. (So far, nothing has gotten through because my security settings are high.)
A scammer uses freely available information, that users publish to see who works in a company, what their job is, and who they are friends with professionally and privately.
Phishing for fun on social media
It isn’t just Facebook. A 17-year-old hacked the Twitter accounts of Barack Obama, Bill Gates, Elon Musk, and others with millions of followers by who social-engineered a Twitter employee into giving him internal system controls.
Sometimes, you can even keep your private information safe and a good friend can screw it all up for you. Congratulating someone on their birthday or a new job allow a scammer to stitch together a profile of their target and craft realistic scams. Quizzes and questionnaires are fun … and are designed to coax confidential information users base their passwords or security questions on.
But getting back to “smishing,” Email has become such a bloated and constant annoyance that many people are avoiding it. I know I often miss legitimate messages because they are obscured by so many requests, offers, etc. that I have no interest in. Managing my inbox is a major piece of work. That’s why many people are turning to messaging services like SMS texting and Facebook Messenger. The former is taken care of by a new FCC regulation called STIR/SHAKEN.
The acronym stands for Secure Telephone Identity Revisited/Signature-based Handling of Asserted information using toKENs, which is a mouthful. It’s a framework to reduce caller ID spoofing on robocalls and fake text senders. It blocks unwanted calls and allows carriers to assess the reliability of caller ID information. This went into effect in April 2021.
There is, however. no standard for social media platforms. Those are “walled gardens,” according to Tim Callan, chief compliance officer for the security firm Sectigo.
“They (Facebook) own the end-to-end experience. I would be stunned if Facebook didn’t take action much faster than the international telephony industry did with STIR/SHAKEN does. However, as walled gardens go, their ecosystem is about as complicated as anybody’s in the world.”Callan is being optimistic. Facebook had a breach in 2019 that resulted in millions of users’ contact information and it went on sale on the dark web in June 2020. Since then smashing has risen exponentially on social media platforms with no effective defense. So what are users to do?
“The best thing is education,” Callan said, but followed up with, “Yeah, like Sorry, I hate that. Because we all try education. We’ve been trying education for 25 years, that only goes so far. We still have this training at Sectigo and it’s mandatory. Just opening employees’ eyes to that kind of thing can go a long way.” (Hear the conversation with Callan at the Crucial Tech podcast.)
Sectigo is part of the security issue that issues “certificates” to validate the identity of people accessing networks, but that has a limited application. Mostly it’s to make sure the wrong people don’t access your network. Callan said the problem is that both email and telephony are largely self-identified and not independently verified. STIR/SHAKEN is helping with that, but, as we said before, it doesn’t help with social media.
Early this summer, video conference giant Zoom introduce Bring Your Own Key (BYOK) providing end-to-end encryption from their service. Users get their own identification code to validate who they are. That minimizes scammers’ ability to zoom bomb conferences, but that is still being rolled out. Recently, a city council election district public meeting was overwhelmed by bombers filling the public chat room with pornography and obscenities. Effective moderation prevents that, largely, but public-meeting laws prohibit banning citizens from participation.
So while legislation and technology develop, forewarned is forearmed,. And remember: nothing is free on the internet.
Lou Covey is the Chief Editor for Cyber Protection Magazine. In 50 years as a journalist he covered American politics, education, religious history, women’s fashion, music, marketing technology, renewable energy, semiconductors, avionics. He is currently focused on cybersecurity and artificial intelligence. He published a book on renewable energy policy in 2020 and is writing a second one on technology aptitude. He hosts the Crucial Tech podcast.