Smishing is nothing new. We’ve been warning readers
of We Live Security about SMS phishing
attacks (also known sometimes as SMSishing) for years.
But even if they’re not new, they continue to pose
a threat to many smartphone owners and – in some cases – have even been seen to
evolve as scammers attempt to trick more users into handing over their precious
credentials.
The widespread popularity of Apple technology, in
particular iPhones and iPads, has made the smishing of Apple ID passwords a
focus area for some criminals.
In a typical campaign, messages are spammed out to
smartphone users, containing a link.
The messages will often suggest that your Apple ID
has expired, or that your account has been temporarily frozen as a security
measure until you have confirmed you are the real owner.
The intent of the scammer is always the same – to
dupe you into clicking on a link which goes to a fake Apple ID login page. On
that phishing page your Apple ID and password will be grabbed, and – in some
cases – the attackers may push their luck even further by asking for your credit card
details and other personal information.
And, the phishing sites aren’t just designed to
entrap English-speaking Apple users.
Even if only a small percentage of users are duped
into following the scam message’s instructions, the rewards for the attackers
can be considerable as they break into accounts, and potentially gain access to
your private photographs and messages.
But that’s not to say that those behind Apple ID
smishing attacks have turned a blind eye to trying out new variations of their
attacks.
For instance, in the following example shared by Twitter user Simon Rae-Scott, the fraudsters seem to
have have attempted to make their scam message appear more convincing by
including instructions to unsubscribe from future alerts.
Some smishing attacks are sent via iMessage to an
iPhone user based in Germany, use as bait a message claiming that a lost iPhone
has been found.
Of course, clicking on the link does not take you
to a real Apple webpage.
What is needed, of course, is for there to be
greater awareness about the problem of Apple ID smishing, and similar phishing
campaigns. Only by educating the public about what can go wrong can we best
hope to prevent innocent members of the public from having their own accounts
hacked.
Which is why I was pleased to see British TV
comedian Al Murray, best known for his “Pub Landlord” character, used Twitter to warn his 400,000+ Twitter
followers about a suspicious text message he had received, asking him to click
on an obfuscated link and enter his Apple ID login credentials.
Fortunately, Murray was savvy enough to know not to
follow the text message’s instructions.
So, if you receive an SMS phish on your smartphone
what should you do?
·
Report the URL included in the scam
message to Google’s Safe Browsing team. If the URL is found to be phishy then
they will ensure that Google Chrome and other browsers are updated to warn
internet users of the risk.
·
If possible,
report the number that has sent you the phishing SMS to your mobile phone
carrier. Some have set up specific numbers through which users can forward any
spam and phishing messages they have been sent. Again, this helps protect other
users.
·
Don’t reply,
and don’t click on the link!
My recommendation for all of those with Apple ID
accounts is that they enable two-factor authentication, for an
additional layer of protection.
That way criminals, even if they have managed to
steal your password, will find it a lot trickier to break into your accounts.
Although there is probably always more that
carriers can do to try to reduce the prevalence of SMS phishing campaigns, and
we can all do our bit in reporting scams to mobile phone operators, raising
awareness of the threat amongst users and being a little more wary of clicking
on links in unsolicited messages seems a great way forward to me.