Select Page

Cyren Security Blog

Smishing Campaign Hijacks Bank SMS Notifications

by Maharlito Aquino

Before we dive deeper into our main topic, let us first define Smishing. Smishing, a term that combines SMS and Phishing, is a form of phishing, which is delivered via Short Message Services (SMS) or better known as text messages on the mobile platform. Like phishing in general, smishing attacks are executed with an intent to steal personal information or credentials such as social insurance, credit card numbers and/or online banking login information. It often involves social engineering attacks, which exploit human trust, since people are more likely to trust messages received through SMS on their phone than from other online platforms such as emails or social messaging apps.

Smishing attacks commonly use messages disguised as notifications from legitimate companies such as banks, credit card companies or even government agencies. These messages often include clickable links that lead to phishing websites in attempts to lure victims into exposing non-public personal information or even login credentials.

Below are examples of recent Smishing campaigns targeting mobile banking users in the Philippines.

Figure 1. Smishing message spoofing Philippine National Bank (PNB)

Figure 2. Smishing message spoofing Union Bank of the Philippines

Figure 3. Smishing message spoofing Robinsons Bank Philippines

As shown in the SMS screenshots above, both attacks use deception and fraud as the attacker assumes an identity that a user would trust. In these cases, both are banking institutions known in the Philippines. Social engineering tactics are used by attackers to manipulate a person’s decision making by:

  1. Masquerading as a legitimate individual or organization to gain trust. By doing the attack through a more personal communication platform, a person is more susceptible to lowering their guard against possible fraud.
  2. Appealing to human’s greedy nature by offering benefits, such as rewards in the form of vouchers as shown in Figure 2.
  3. Heightening one’s sense of urgency, affecting the person’s critical thinking and driving them into panic to quickly take action, such as a possible security breach as shown in Figure 3.

Let’s take a quick look into the links contained in the recent messages shown above.

Union Bank Loyalty Reward Voucher Scam

Enticing one’s interest with cash rewards is one way that cyber criminals lure mobile banking users to fall prey to their scams. In this campaign, the link hxxps://online[.]unionbankph[.][email protected][.]in/eyks7Ynm, appears to be the legitimate link to Union Bank’s website. However, the real destination is the portion of the URL after the “@” character, which has been shortened with LinkedIn’s URL shortening feature. At the time of this writing, the shortened URL redirects to the legitimate banking website but using the developer tools network panel in the browser reveals a brief visit to a suspicious server before the user is redirected to the legitimate Union Bank web site:

Figure 4 Initial redirection from LinkedIn shortened URL from UnionBank Smishing Campaign

Robinsons Bank Security Breach Scam

In this campaign, the attackers engage in fearmongering tactics to frighten the recipient of a “recent security breach” that may lead to accounts being disabled if they do not take action within a specified period of time. Apparently, this campaign also takes advantage of LinkedIn’s URL shortening service and initially redirects to the same third-party host used in the Union Bank campaign:

Figure 5 Initial redirection from LinkedIn shortened URL from Robinsons Bank Smishing Campaign

We were able to get a screen capture of the landing page for this campaign. It is clearly a phishing page masquerading as the bank’s login page:

Figure 6 Phishing Page Imitating Robinsons Bank Login Page

Understanding a Smishing Attack

One would ask how could someone, in this day and age, fall victim to an obvious scam? Let’s break down the Smishing message into parts to learn how such an attack may prove effective to some users.

Figure 7 Smishing message broken into parts

As shown in the images above, a Smishing message can be broken into the following parts:

  1. Sender ID – In most cases, when you receive an SMS from an unknown sender, the Sender ID would show phone number in either an international (country code-area code-phone number) or a domestic (area code-phone number) format. However in this case, the Sender ID is shown to be using the bank’s name or what we call a custom word or brand id.
  2. Smishing Message – a socially engineered notification that entices a user to click on a malicious link included in the text message.
  3. Legitimate Messages – notifications that are actually sent out by the legitimate organizations, which in this case are banking institutions.
  4. Disabled Response – recipients of the message cannot reply to messages to this type of SMS.

SMS text messages are generally classified into two (2) categories:

  1. Person-to-person (P2P) messaging – defined as a two-way messaging conversation between two (2) or more persons.
  2. Application-to-person (A2P) messaging – refers to any kind of messaging traffic where a person receives messages from an application, which includes marketing messages, chat bots, notifications, one-time-passwords (OTP) or pin codes, appointment reminders and more.

In this case, the banking institutions are using A2P messaging to send OTP, advertisements, promotions and/or notifications to their clients. Now you might wonder, how did cyber criminals hijack banking notification messages in this smishing campaign? This is where the Sender ID comes into play.

When you receive an SMS message, you would usually see the sender ID as a phone number if you haven’t saved and named it in your phone book. However, in A2P messaging, a sender ID can be viewed as any of the following Sender ID types:

  1. Custom Sender ID – custom alphanumeric words that can use up to eleven (11) characters. This could be any word or phrase a business deems suitable for their purpose such as business/brand name.
  2. Dedicated Numbers – a virtual number consisting of up to 16 digits, which is unique to a certain business/organization.
  3. Shared Numbers – similar in format to a dedicated number but it is not unique to one business/organization.

In this smishing campaign, cyber criminals took advantage of using custom Sender IDs to slip their malicious messages into existing A2P message history from legitimate banks in a person’s mobile phone by simply using the same custom sender ID used by the banks they are spoofing. By doing this, the cyber criminals can easily manipulate bank clients into trusting their messages and eventually lure them into their malicious scheme. There are several methods to accomplish this scheme, but the most common and widely available is to use a paid SMS gateway service that allows the use of custom sender ID and sending of bulk SMS messages using an API.

Summary and Recommendations

During these times where mobile/online banking is no longer available just for convenience but more for necessity, more and more people are relying on online mobile devices for day-to-day transactions. Naturally, cyber criminals keep finding ways to abuse these situations to get their hands on people’s hard-earned money.

With the information we have discussed in this post, we hope to encourage more people to be vigilant and think twice before clicking on links in SMS or text messages, even if they appear to be coming from legitimate sources. Avoid clicking on embedded links, especially those that use URL shorteners to obfuscate their true intent.

Indicators of Compromise

  • hxxp://lnkd[.]in/etiYT6vd
  • hxxps://testing[.]hotwork[.]ag/vendor/vlucas/?00o00o0=1
  • hxxps://online[.]robinsonsbank[.]com[.][email protected][.]com/%20/online[.]robinsonsbank[.]com[.]ph/?
  • hxxps://online[.]unionbankph[.][email protected][.]in/eyks7Ynm
  • hxxps://testing[.]hotwork[.]ag/tmp/?isndjxma=1

Update April 22, 2022

We alerted both banks to the campaign. Below is an alert that RobinsonsBank sent to its customers shortly after we told them about the scams. It’s nice to see organizations taking action to protect their customers.

You might also like

The Resurgence of Emotet

by Kervin Alintanahim Password Protected Docs One of the most recent Emotet samples we received were emails with password protected attachments. Although the malicious document needs an extra step to be accessed compared to just being attached as it is, the additional...