You?ve been SmiShed!
An alert netizen identified the latest threat - SmiShing or phishing via SMS - writing it on a blog, reports Ravi Srinivasan.
Very few people outside of the net security community may have heard of David Rayhawk. Yet, he can probably be credited with identifying and christening, the latest addition to the growing array of weaponry used to attack unsuspecting consumers over communication networks.
Back in August this year, Rayhawk, in a post on the internet and computer security firm McAfee’s blog, identified the latest threat faced by mobile phone users: phishing attacks loaded into an SMS. He called it ‘SmiShing’ – short for ‘phishing via SMS’.
The acronym may not have been very original, but the threat he identified was. In his post, Rayhawk warned users of scam SMS messages containing a hyperlink to a website which would inject a malicious ‘trojan’, or hidden software, into their handsets. Why would anybody do that, it may be asked. Simple.
The SMS warned recipients that they had been signed up for a dating service, and would be charged $2 (Rs 90) per day, unless they went to the website indicated and unsubscribed. Most people did.
Within months, SMiShing has spread like wildfire. A Google search on ‘smishing’ threw up 110,000 results, including several from India. A mass-mailing worm called VBS/Eliles has been identified, which attacks the gateway used by cellular service providers for sending SMSs to blast all mobile phones within range. Antivirus software for mobile platforms are also available.
In India, third-party malware attacks over wireless networks are still comparatively rare. That’s because most of the 3-4 million subscribers being added to the mobile telephony base in the country use it only for basic telephony.
Web-enabled handsets are rare and subscribers to full-spectrum services, including mobile internet, even rarer.
That doesn't mean that most of us have not been attacked already. It is just that such attacks are still largely seen as a nuisance, rather than a threat. All of us receive unsolicited commercial communications on a daily basis. From helpful chaps simply dying to lend us money or give us free credit cards, to those peddling stocks or insurance.
The biggest offenders, though, are those who are supposed to be protecting cellular subscribers from this menace: cellular service providers. Users are flooded with messages daily, urging them to download ringtunes or wallpapers or participate in ‘contests’ where the real winner is the service provider, who pockets a handsome premium for providing this ‘service’.
The situation is worse if you are ‘roaming’ outside your home circle. Network congestions and poor quality means that your phone is constantly switching to the strongest available signal.
You then get not one but two messages – one ‘welcoming’ you to the new network, and the other from the earlier one, urging you to switch back.
In a bid to nip this menace, the Telecom Regulatory Authority of India (TRAI) has proposed bringing in regulation, and has asked for the industry’s views to be submitted by December 8.
The industry, apart from making soothing noises, has so far not been proactive. That is perhaps the reason why TRAI included a succinct quote from Indira Gandhi in its consultation paper: “Let’s see something happen now. You can break that big plan into small steps and take the first step right away.”
It’s high time cell companies took that first step.
Email Ravi Srinivasan: firstname.lastname@example.org