Trends & Predictions 2022 | Combating SMS-Based Phishing Attacks


Spotlight on Cybersecurity |

Entering 2022, WMC Global expects to see threat actors and malicious parties continue to change their tactics, techniques, and procedures (TTPs) as the security marketplace shifts and old TTPs cease to be effective. Security teams must be diligent in their monitoring, intrusion detection, and incident reporting operations to keep up with a rapidly changing threat landscape and to avoid being reduced to playing whack-a-mole with threat actors.

One of the biggest ongoing threats to consumers is SMS-based phishing attacks. The bulk of the scams we are tracking take place over SMS messages sent from both shortcodes and ten-digit long codes (10DLC).

WMC Global

New Phishing Methods

Continued attack surges indicate that two-factor authentication (2FA) is no longer enough to secure accounts against traditional or SMS phishing attacks. Threat actors will need to develop new kits and TTPs to keep up with private sector security adaptations. We may also see changes to credential phishing operations that correlate with social engineering objective changes.

The Escalation of Puppeteer Kits

Microsoft recently announced that they now offer users the ability to login directly using Microsoft Authenticator or other multi-factor authentication methods. Eliminating passwords allows Microsoft to drastically reduce the attack surface that’s exposed against traditional and SMS phishing attacks. However, this decision, and any other changes additional companies make that follow suit, will likely drive threats actors to employ puppeteer kits more heavily.

Puppeteer kits are dynamic phishing kits that enable threat actors to adapt their phishing pages and insert themselves into the user login process, automatically triggering 2FAand prompting the user to enter their security code into the attack website rather than the legitimate institution.  As WMC Global previously reported, threat actor Kr3pto has already implemented puppeteer kits using SMS lures in an attempt to bypass multi-factor authentication security on UK banks. The kits currently use a manual process, requiring an individual to be involved each login process which is costly and low-volume, but exceedingly effective.

Phishing Kit Sophistication

As new authentication methods gain traction, kit sophistication will increase out of necessity. Threat actors do not need to become more sophisticated—they only need to purchase increasingly sophisticated kits. Spammers and low-level scammers will continue to implement these kits, making the kit developers the linchpin of these operations.

Pandemic-Themed Scams

One of the most troubling trends that we have seen at WMC Global is the exponential growth of pandemic-related scams. Threat actors are posing as international government bodies, such as US state governments and the UK National Health Service (NHS)  use SMS phishing to lure victims into providing personal information in exchange for pandemic relief grants, unemployment payments, and digital Covid-19 vaccine passports. These types of scams are extremely lucrative for threat actors, with total US scam losses estimated at between$87 to $400 billion and will continue to grow as a challenge as the pandemic persists.

Law Enforcement Challenges

Despite a robust toolset for cybercrime analysis and management, many law enforcement agencies are struggling to keep pace with SMS-based cybercrime, primarily because of a lack of understanding of the SMS ecosystem and how threat actors are able to operate on the channel. These agencies are often preoccupied with combating many forms of crime at once, so they have little bandwidth to build defenses specifically designed for mobile-oriented and SMS phishing scams. The most important future actions of law enforcement agencies are continued education of their personnel, building alliances with key cybersecurity organizations that can share their knowledge of the mobile space, and encouraging intra-organizational information sharing.

Growth in Business Email Compromise (BEC) / Ransomware

BEC has grown substantially over the last year and looks poised to continue on this path. Malicious actors spoof company email addresses and act as though they are a user’s boss, HR representative, or other trusted member of their organization providing a surprise bonus or needing assistance transferring funds. The threat actor’s email will always aim to encourage a user to input their login information for the company network or divulge their personal bank details in order to move forward in the scam.

Why Are These Methods Effective?

  1. SMS phishing works particularly well because SMS messages have a 98% open rate (compared to only 20% of emails) and 60% of end-users answer texts within one to five minutes of receiving them.
  2. Since the onset of COVID-19, attackers have optimized the rapid digitalization of workplaces and lack of in-person interaction to drive vulnerable end users to make quick, underinformed decisions about suspicious scenarios they are experiencing online and on their mobile devices.
  3. Mobile phones are a massive security grey area and end users generally expect
    “someone else” to be responsible for their digital security, including the phone manufacturer, their workplace IT department, their financial institution, or any other common service for which customers provide financial information. But who is really in charge of securing mobile devices and the actions taken on them? Manufacturers have put some model protections in place, but they do not cover “user error,” and employers can pay for employee cell phone plans, but the device is most often personal. End-users must understand that they are responsible for securing their own devices, even if an employer requires them to use them for work.

What Now?

Threat actors will always create new ways of reaching potential victims no matter how much protection consumers are offered and it is essential to combat mobile threats from all sides. As the pandemic shows little signs of slowing in 2022 and the world becomes more technologically advanced to combat the new challenges presented, businesses must shore up their defenses against SMS phishing attacks impersonating their brand and affecting their customers. Law enforcement agencies must also expand their knowledge of the mobile messaging space. Additionally, consumers will benefit from becoming more observant and taking primary responsibility for their digital safety on their mobile devices.

This article is published in the December 2021 issue of Disruptive Telecoms