Smishing, a Growing Cyber Security Threat

Episode Notes

Transcript

Digital Detectives

Smishing, a Growing Cyber Security Threat

02/14/2017

Intro: Welcome to ‘Digital Detectives’, reports from the Battle Front. We will discuss computer forensics, electronic discovery and information security issues and what’s really happening in the trenches, not theory, but practical information that you can use in your law practice, right here on the Legal Talk Network.

Sharon D. Nelson: Welcome to the 76th edition of ‘Digital Detectives’. We are glad to have you with us. I am Sharon D. Nelson:, President of Sensei Enterprises.

John W. Simek: And I am John Simek, Vice President of Sensei Enterprises. Today on ‘Digital Detectives’ our topic is “Smishing, a Growing Cyber Security Threat.”

Sharon D. Nelson: Before we get started, I would like to thank our sponsors. We would like to thank our sponsor SiteLock, the global leader in website security solutions. Learn more at  HYPERLINK “http://www.sitelock.com/legal/digitaldetectives” sitelock.com/legal/digitaldetectives.

We would also like to thank our sponsor PInow.com., need a private investigator you can trust, visit  HYPERLINK “http://www.pinow.com” pinow.com to learn more.

John W. Simek: We are delighted to welcome as today’s guest Joe Hamblin:, director of IT operations for Sprint’s emerging platforms. Joe has more than 25 years of IT experience. In his current position he is responsible for end-user platform engineering including collaboration, Identity Access Management (IAM) and device engineering/management.

Thanks for joining us today, Joe.

Joe Hamblin: Oh thanks John and Sharon, I really appreciate it and it looks like a great topic and I am glad you have invited me to participate.

Sharon D. Nelson: Well, let’s get started by some of the confusion I think our listeners will have because most of them will not be familiar with the term smishing. Can you explain what it means in an easy to understand language?

Joe Hamblin: Well, I will give you the official definition first that you would Google, if you ever Googled it, this is what you’d find out on the Internet and it’s simply puts, smishing is the act of using a mobile phone text messaging service to lure victims into immediate actions such as downloading mobile Malware, visiting malicious websites or calling a fraudulent phone number.

So basically what they’re doing is they’re preying upon us as victims in many cases to use something that we trust giving our attachment to our mobile devices to elicit an immediate response out of us. So they’re trying to get us to give our personal information, some type of identity or account information and that’s really what it comes down to, it’s that simple.

John W. Simek: So besides these unwanted phone calls that we are getting all the time Joe and I’ve noticed myself personally too that there’s been an increase in these text messages from folks that I have no clue who actually they are but can you tell our listeners why is smishing growing so rapidly?

Joe Hamblin: Well John I think that’s a great question and where I sit, as an IT owner and operator, what I think has happened in our spaces, we have put so much reinforcements into the enterprise space, specifically, we’ve done a lot of education around phishing, we’ve got tools in place to protect our email from phishing such as advanced threat protection, next-generation firewalls, we’re doing a lot of web filtering, so when we do get tricked, we are able to catch a lot of the websites that a user might click on to go to.

So we’ve put a lot of things to protect the enterprise, so now we’ve allowed, we’ve kind of put ourselves in a position to where the bad guys, the predators, they’re going out and they’re finding other solutions because the ones that they’ve used in the past have now been kind of bullet-proofed, if you will.

Now don’t get me wrong, we still fight phishing every day, and we still have folks trying to attack us every day and we see those through our tools in our advanced threat protection reporting software that we have, we see those things going on, but our users are more educated now, when they see these emails that they’re not as apt to click on that.

Now the same thing that’s happened in there has not yet moved over into the mobile space. People are a little too comfortable I would say with their mobile devices.

Sharon D. Nelson: Well that kind of leads into my next question which is, I was thinking about why smishing works so well for cybercriminals? Is it just that we are more careless with text messages on our phones? Is that really the explanation?

Joe Hamblin: I think that’s exactly spot on Sharon, you know these cybercriminals this is very easy to set up for them too. So when you think about it what’s it take to put on a cyber campaign for smishing, well you need VoIP server, Burner cellphones, a method to spoof your phone number, and then you just need a good story, all right?

What’s going to compel you so people respond and they react to things, greed and fear typically so either I am going to text you and you automatically have discomfort level because you use this device so much, you have this comfort level that you automatically assume that anyone contact me I know.

(00:05:04)

They got my information because I gave it to them. So we have this comfort level of this device that we automatically become a little bit more susceptible to these text messages coming in that I think it really does set us up for a little bit more vulnerability in that space.

John W. Simek: So Joe, how can these smishing attacks, how can they affect a business? Is that going to be any different than impact on the consumer?

Joe Hamblin: Well I think first and foremost the consumer is probably at the most risk, but there is no doubt that there are attacks going on every day to try to solicit information from the enterprise user. So my customers, I manage a large IT environment, I have got a lot of end users that I support nearly 70,000 both contracted and employees and they are always being attacked in some fashion. We know that.

We are trying to solicit on some type of response and this is just one other method that they have moved to. And it’s really about how can they compromise our systems, how can they gain information about our users, our employees that might allow them to somehow gain some financial benefit and that’s really what most of these things come down to.

Now one of the things that I am concerned about from a business perspective is the ability to put a smishing campaign on that it targets my employees to potentially give up their user credentials for whatever reason and then that opens another threat for me which could be some type of cyber attack, because if you have like my ADID and credentials along with my password for whatever reason now you can really attack my enterprise and potentially cause some major harm to the IT environment.

And what we worry about is if my user was susceptible to being spoofed into believing that I would for some reason and I would never do this nor would any IT group that I can think of would reach out to one of my users over SMS messages and ask for their user credentials. It wouldn’t happen, but that is one of the fears that we have.

Sharon D. Nelson: It is amazing how often they fall for that, I agree.

Joe Hamblin: Well absolutely and these guys are good. They come up with great stories and they’re able to mimic and they’re able to create web pages that look official and they’re very good at what they do.

John W. Simek: So is it fair Joe that the attacks on the businesses then they’re essentially they’re targeted attacks then, right?

Joe Hamblin: Absolutely, absolutely! And you can come up with a number of different ways, right? So let’s say, one of the things you can start thinking about is LinkedIn to me is a big concern. When my employees, when the folks who work for me they got a lot of capabilities and a lot of power inside the IT environment so they can access all the systems, when they post their information out onto LinkedIn or Facebook the bad guys are able to see what they do, what their jobs are.

So if I see a guy that’s an active directory engineered at Sprint I get concerned if he has an information inside of his LinkedIn profile because he automatically becomes a target for the bad guy. They want to find out his credentials, they want to get his information because armed with that they can do a lot of damage.

Sharon D. Nelson: What I don’t understand and I think a lot of folks don’t is why can’t the security application you have on your smartphone, why can’t that protect you against smishing?

Joe Hamblin: Yeah, I think the biggest challenge you run into there is most of the environments you’re dealing with today are all bring-your-own-device. There are a few industries that focus on providing company liable devices, but we’re trying to take advantage of consumerization of IT. You guys are very familiar with that term, but it really means hey people can bring their personal devices into the workspace and leverage them.

So when you think about SMS it’s pretty much the simplest form of communication in the simplest form of use case that is used on the cell phone itself. When you look at some of the research they say on average the adult user will send over 2,000 messages and receive over 1,800 messages every month, so we’re very comfortable whether it’s a very, very simple form, it’s been around for a long time, it’s not really easy to put security around particularly in a BYOD type of environment.

Now there are some things inside of Apple’s iOS. You can go out there in block text messages from certain numbers, but the challenge you’re fighting here is when you’re looking at these predators, the perpetrators out there they’re able to by simply spoofing their number they just change it one digit and they’ll attack you again the next day or the next week, so it’s hard to stay ahead of them using these mobile devices.

John W. Simek: Well, Joe as a business owner what’s the best way to protect my business against these simishing attacks, let’s say on my employees?

(00:10:00)

Joe Hamblin: Yeah, I would say John that the thing that I have discovered just doing my own research is there’s not a lot of enterprise owners who are thinking about smishing. We’re all familiar with phishing. We’re all familiar with trojans and malware, but there’s not a lot of folks who are really thinking about the vulnerabilities that can come from smishing, but I think it always starts with education.

You have to educate your folks that you know what if it doesn’t look right if somebody’s contacting you via your SMS text messaging and asking for personal information and claiming as your bank or claiming as part of the company or a vendor that’s not typically the type of message you’re going to get, it’s probably one you want to steer away from, so I think education is the first key.

There are some solutions out there that can help do simulated attacks to help your baseline and we can talk about those as we get further into the conversation if you like.

John W. Simek: Well before we move on to our next segment, let’s take a quick commercial break.

[Music]

Advertiser: At least 80 of the 100 biggest law firms in the country have been hacked since protect 2011. Protect your firm and your clients from cyberattacks with SiteLock. Their industry leading, cloud-based suite of website security solutions includes website scanning, web application firewall, including distributed denial-of-service mitigation and 24X7, 365 US-based customer support. Give your firm and your clients peace of mind knowing their information is secure. Learn more at sitelock.com/legal/digitaldetectives.

Advertiser: Does your law firm need an investigator for a background check, civil investigation or other type of investigation pinow.com is a one-of-a-kind resource for locating investigators anywhere in the US and worldwide. The professionals listed on pinow understand the legal constraints of an investigation, are up-to-date on the latest technology and have extensive experience in many types of investigation including workers’ compensation and surveillance. Find a prescreened private investigator today visit  HYPERLINK “http://www.pinow.com” www.pinow.com.

Sharon D. Nelson: Welcome back to Digital Detectives on the Legal Talk Network. Today our topic is Smishing, a growing cybersecurity threat. Our guest is Joe Hamblin, Director of IT operations for Sprint’s emerging platforms. Joe what are the red flags that the text you’re looking at is a smishing attack?

Joe Hamblin: I think there’s several things when you look at it is when it comes in and I don’t recognize the number or if it doesn’t look like a valid number or if it’s asking me for some type of information that just doesn’t feel right, trust your instincts and really start to question where that information is coming from and maybe make a phone call, check make sure web links and those types of things especially if there’s web links and then make sure that they match. If it’s coming from your bank make sure it matches your bank because that’s not typically how they’re going to reach out to you.

John W. Simek: Yeah that’s right, I just got one — Sharon when was it a couple months ago where it said it was a friend of mine who I’ve never heard their name before and then they had a link in it and said here’s photos from our get together but they’re going to expire in 24 hours so you better hurry and click on it.

Joe Hamblin: They’re trying to get a response from you and they’re trying to get you to read respond and it’s going to usually take you somewhere and then it’s going to ask you to login and it’s going to probably ask for some type of your personal information and then from there they start building a method of how to attack you so.

John W. Simek: Yeah, well I have to thank the person because I used that screenshot and when we do presentations about the stuff.

Sharon D. Nelson: Well I think I read somewhere that the reasons that people click so often and I don’t remember the order, but it’s fear, curiosity and urgency, like what you said John that the link is going to expire very quickly that really apparently works a lot.

Joe Hamblin: Yeah you’ll typically see things that I even worry about it as we move into the taxis and a lot of folks trying to do phishing and smishing campaigns, claiming to be the IRS and I to be honest with you guys, I don’t know that I’ve ever had the IRS reach out to me over text for my personal information if they’re asking, you guys know more about me than anybody, you already have my personal information so why are you asking me for it.

John W. Simek: Well they would probably be a little more clever click here to begin your audit.

Joe Hamblin: Yeah, exactly, exactly.

(00:14:55)

John W. Simek: Well Joe, should you report these attacks to authorities and if so how do you go about doing that?

Joe Hamblin: Yes, so there are several ways to do it, so obviously if you just being spammed then you’re pretty comfortable to spam, you can forward those complaints to, just text them to 27726 and your carrier just about every carrier I know of has some type of spam team in place that will pick that up.

Obviously you guys are dealing with the legal side of this and you’re more familiar than I am, but you can also report these to your local law enforcement agencies. And in many cases depending upon where they’re at and what their comfort level is, they’re probably going to say well is there intent to commit a crime or was there a crime committed is going to determine how much they’re going to and how much they’re going to work on it and how much effort they’re going to put into it and do they have the resources to deal with cyber crime.

So that’s probably the next phase and you always start with your local authorities and then finally you can go out to the FCC consumer complaints and you can go to their website and you can put in a formal and informal complaint to the FCC for these types of devices. Those are the three methods that we take advantage of that we know about.

Sharon D. Nelson: I have kind of a follow up question to something we talked about before and that is you were talking about BYOD but of course there are a lot of law firms that have mobile device management, how can that help protect against the smishing attacks?

Joe Hamblin: Yeah that’s a good question because I was doing my research. I use a one of the largest providers of MDM and they primarily protect my retail environment so where we have our point-of-sale solutions over our devices and that was one of the questions and as I was digging in theirs, how can I leverage MDM to help me? And the biggest challenge you have particularly in my case and I think a lot of my peers are in the same situation is not all of our devices, we don’t manage all of your devices.

Again, I have folks who bring in their own iPhones and iPads and they want to sign up for mobile device management until they find out hey, I’m going to have these types of controls in place and then it’s like, well, not really don’t want to do that. So we don’t force them to join the MDM environment, but there’s a few things you can do.

Let’s say you are managing that device, well, I can go out and I can be very, very hard lined and I can actually stop SMS texting as one of the apps. So that’s one of the things that I can do, very dictatorship type of an environment, you’re probably not going to have a lot of success doing that. So you would want to do that with company liable devices. So that’s one of the things. You can put a lot of parameters around it.

The other thing you can do to help reduce that attack surface is you can look at the apps that are already on the devices. If you’re using many of the mobile device solutions, have it’s own mobile access gateway so you can set those devices up where they have to come back into the Enterprise and you can then use your other filtering tools, whether it’s a Blue Coat WebFiltering, those types of things to prevent your internal users from going back out to these fraudulent sites.

But overall if you sit down to your MDM manufacturers and you talk to them you are kind of limited. The MDM tool itself really doesn’t bring a whole lot of benefit unless you really start locking the devices down. So that’s one of the things that probably even the bad guys were trying to keep from attacking us.

They’re well aware of these things. These guys are not dumb, they’ve got a lot of time on their hands and they’ve done their research and they know what type of protections are in place and as we talked earlier a lot of it simply comes back to educate your folks, hey, this is the latest threat, it’s the next threat and it’s things you’ve got to be thinking about and putting the protections in place to help you stay ahead of the curve.

John W. Simek: So Joe, does the employer test their employees out and do these pretend smishing attacks or campaigns and see how many folks click or fall for the things? I think I know the answer. There is that yeah, you probably can’t do that, but how would they go about doing such an event?

Joe Hamblin: Yeah absolutely, you can’t John. We’ve been doing it for years with phishing and there’s a lot of tools out there to help you do phishing campaigns from an email perspective. Now you take that same type of solution and they have to risk of making this a product endorsement and throwing a name out there.

There is SmishGuru from Wombat Security Technologies, works the same way as the phishing tools, what it is really intended to do is you load up your database with your users information base, all you really need is their phone numbers and you’re going to put in a webpage that you’re going to have them to test them, right, as part of your baseline testing.

You’re going to text them, you’re going to put some type of campaign together that says, hey, this is, make up your story if you will, but this is, you are an IT, or this is a financial and just to see if you can get your users community to click on that webpage and you’re going to collect counts on how many of them come back there.

(00:20:06)

And from that now you can start put an education plan, so there are tools out there to do it, but it all is going to lead back to educating your users to be diligent, not to be so trusting, not to be so eager to jump in and give information out.

At the end of the day taking no action is your best safeguard to preventing phishing and smishing, but these are tools that you can use to help educate your user team. Again, I think this is an area that’s going to be growing as more and more people unfortunately probably get taken advantage of and smishing becomes more prevalent out there and people are aware of it, I think you’re going to have to see the education curve catch up.

Sharon D. Nelson: Well that’s one reason why we are really happy to have you on the show today, Joe, because when we ask people about swishes – see, I feel like I am drinking every time I say that word when we ask them about our topic of the day which is smishing, if we find that they often don’t know what that is, if we ask for show a hands we hardly ever see one. So, it just hasn’t got what phishing has, everybody seems to know phishing now, but not smishing, I have to say it carefully.

So you’re really kind of on the leading edge here for a lot of, particularly, the lawyers who tend to be listening to us, they just don’t know about the subject. And so this has been a concise and very useful and practical drill for them. And I thank you very much for taking time out of your day to be our guest.

Joe Hamblin: Well, Sharon and John, thank you. I really appreciate it. I think it’s a great conversation and I hope your listeners really appreciate the information.

John W. Simek: Well, that does it for this edition of ‘Digital Detectives’. And remember, you can subscribe to all the editions of this podcast at  HYPERLINK “http://www.legaltalknetwork.com” legaltalknetwork.com or on iTunes. If you enjoyed this podcast, please review us on iTunes.

Sharon D. Nelson: And you can find out more about Sensei’s digital forensics technology and security services at  HYPERLINK “http://www.senseient.com” senseient.com. We will see you next time on ‘Digital Detectives’.

[Music]

Outro: Thanks for listening to ‘Digital Detectives’ on the Legal Talk Network. Check out some of our other podcasts on  HYPERLINK “http://www.legaltalknetwork.com” legaltalknetwork.com and in iTunes.