SMS phishing can be too easy



Ricardo Bejarano, a site reliability engineer (SRE) at network equipment maker Cisco, warns that using SMS makes phishing too easy.

SMS phishing is way too easy
https://www.bejarano.io/sms-phishing/



Mr. Bejarano gives the following two SMS messages as concrete examples. Both look like delivery notifications from FedEx, but the first (top) is genuine and the second (bottom) is fake. It is hard to tell at a glance, but the first URL is 'https://www.fedex.com/en/delivery~~' while the second is 'https://fedex.delivery/~~'. At the time Mr. Bejarano published the article, the 'fedex.delivery' domain was available for purchase.



The problem is that both the genuine and the fake message are treated as 'SMS from FedEx'.

SMS messages carry a sender ID field, and messages with the same sender ID are grouped together as 'SMS from the same sender'. But the sender ID is ultimately set by the sender, with no identity verification, so anyone can pretend to be sending a message from any number.

In addition, the message itself does not carry the sender's actual phone number, so the device that receives the SMS has no way to tell a genuine message from a fake one.

As countermeasures, Mr. Bejarano proposes three things. First, sender IDs should be tied to the mobile phone carrier; this is already done in some countries. Second, the handset should warn the user about unverified sender IDs. Third, companies should stop sending URLs via SMS.
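Since the sender ID cannot be trusted, the only thing a handset or an SMS filter can actually check is the link itself. The following is an added example, not code from Mr. Bejarano's article: it extracts every link from an SMS body and accepts it only if its host is the brand's registered domain or a subdomain of it, so 'www.fedex.com' passes while 'fedex.delivery' fails. The allowlist and the three sample messages are constructed for the example; the third message goes beyond the article to show two further lookalike forms (a 'user@host' prefix and the brand name used as a subdomain), which the same rule rejects.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Allowlist of the brand's legitimate registrable domains. Constructed for the
# example; a real filter would keep one list per sender it vouches for.
TRUSTED_DOMAINS = {"fedex.com"}

# Matches http(s) URLs and scheme-less links ("fedex.delivery/track").
# The optional "user@" group keeps "https://www.fedex.com@fedex.delivery/" as
# one token, so the real host (the part after the "@") is what gets checked.
URL_RE = re.compile(
    r"(?:https?://)?(?:[^\s@/]+@)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?::\d+)?(?:/\S*)?",
    re.IGNORECASE,
)


def host_of(url: str) -> Optional[str]:
    """Lowercase hostname of a URL, or None if it has none.
    Scheme-less links are treated as https so urlparse sees a netloc."""
    if "://" not in url:
        url = "https://" + url
    host = urlparse(url).hostname  # drops userinfo, port and path; lowercases
    return host.rstrip(".") if host else None


def is_trusted(url: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True only if the host IS a trusted domain or a subdomain of one.
    'fedex.delivery' and 'fedex.com.evil.example' both fail this test."""
    host = host_of(url)
    if host is None:
        return False
    return any(host == d or host.endswith("." + d) for d in trusted)


def classify_sms(text: str) -> List[Tuple[str, bool]]:
    """Extract every link in an SMS body and say whether its host is trusted."""
    results = []
    for m in URL_RE.finditer(text):
        url = m.group(0).rstrip(".,;:!?)'\"")  # drop trailing sentence punctuation
        results.append((url, is_trusted(url)))
    return results


# Constructed sample messages modelled on the two shown in the article.
GENUINE_SMS = "FedEx: your package is out for delivery. Track it at https://www.fedex.com/en/delivery."
FAKE_SMS = "FedEx: your package is on hold. Confirm your address: https://fedex.delivery/track"
# Constructed: two further lookalike forms that the rule above also rejects.
TRICKY_SMS = "FedEx update: https://www.fedex.com@fedex.delivery/track or www.fedex.com.fedex.delivery/x"

if __name__ == "__main__":
    for sms in (GENUINE_SMS, FAKE_SMS, TRICKY_SMS):
        for url, ok in classify_sms(sms):
            print(f"{'trusted  ' if ok else 'UNTRUSTED'}  {url}")
```

The check deliberately compares the parsed hostname against the allowlist rather than searching the text for the brand name, which is exactly what a lookalike domain is designed to defeat.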

in Security, Posted by logc_nt