by Peter Dietrich
Human behavior is a huge issue in network security, and it's one of the hardest to manage. Technical protection is important, but the mistakes people make can undo it. People tend to be trusting. This makes for good social relationships but is a problem for network security.
Phishing attacks prey on people's trust. When we think of phishing, we usually think about email. Criminals don't stop there, though. SMS phishing, called SMiShing, makes up a rapidly growing proportion of the threat. Trojan Horse attacks delivered by SMS were one of the fastest-growing forms of malware distribution in 2017. Many phones have no SMS spam protection, so malicious messages get through more easily.
People haven't had as many years of experience with deceptive SMS messages, so they aren't always as alert to them. Text messages are normally terse, so the lack of personally identifying information isn't as obvious a clue as with email. People usually deal with them more hastily than they do with email, and it's easier to catch them off guard with a text message.
The pattern isn't much different from email phishing. Typically, it's a fake notification of a payment or invoice, or some other supposedly urgent message. The victim taps on the link and opens a Web page that's designed to cause trouble.
Varieties of SMiShing
The link may lead to what looks like a legitimate business site, claiming some issue needs to be resolved. The victim is asked to enter personal information, such as a Social Security or credit card number. After getting the information, the site will probably express polite gratitude. It now has a lot more to be grateful for than the user realizes.
Sometimes the linked site tries to download malware. It might claim that an application or plug-in is needed to see some important content. It might try to exploit a browser bug and install the malware directly.
Phones are often the weakest link in a business network. BYOD policies let employees use personal phones that may not have any security software. Getting malware onto a phone with access to a VPN is the first step to getting at the company's confidential data.
If the criminal is targeting a particular individual, the message can use techniques to appear more plausible. It can forge the sender ID to impersonate someone the recipient knows. It can add personal details.
If someone's phone is infected by malware, it can send out text messages without the owner's knowledge. These messages don't just appear to come from someone the target knows; they really do come from that person's phone.
The first line of defense is user awareness. Employees need to be as aware of the dangers of SMS spam as they (hopefully) are of email spam. Their awareness needs to be a habit, not just a fact they can recite. A training program in security practices is the best way to accomplish this. Follow-up testing with SMiShing messages can show how well employees have absorbed the information, as well as remind them that they need to stay alert.
Even smart people will sometimes be fooled, though. Security measures that protect the whole network are necessary. Spam filtering is as important for text messages as it is for email. A BYOD policy should require phones to meet certain standards before they get VPN access or custom applications. IT departments need to keep software patches up to date. Network monitoring is necessary to detect suspicious traffic.
Check Point SandBlast Mobile provides comprehensive mobile security. It filters SMS messages, using dynamic security intelligence, and blocks malicious ones. It checks downloaded applications for malicious behavior, keeping them in a sandbox environment till it has verified them. Users continue to use their phones the way they always have, but with fewer annoying text messages and less risk. SandBlast is designed for EMM deployment, so it can easily be installed on all devices on a network.
People make mistakes, and nothing can eliminate them all. However, a multi-layered approach to security can sharply reduce their consequences. It needs to include training, network maintenance, and high-quality security software.