What Infobip Gets Wrong About SMS Phishing (Smishing)

I've undertaken the task of unraveling the advice offered by SMS Firewall vendors, aiming to empower mobile operators and regulators in making better informed assessments regarding SMS Phishing. To begin this endeavor, I chose to focus on one of the major players in the field - Infobip. By examining their perspectives as presented on their website, I provide my own response to offer unique insights into the matter.

What Infobip thinks

[Image: screenshot of Infobip's page text, not reproduced here]

What I think

I could improve this, but I'll leave it because it's actually better than how some anti-phishing security vendors define phishing - ironically and very annoyingly.

What Infobip thinks

[Image: screenshot of Infobip's page text, not reproduced here]

What I think

  1. Paragraph 1 - Smishing isn't just the equivalent of phishing. It's phishing by another name. Phishing doesn't solely refer to impersonation within emails (that’s old thinking); it encompasses all forms of impersonation, regardless of the technology, product, marketing channel, or service being used. Restricting phishing to email leads some people to forget about other communication forms. It's 2023, so it's time to stop referring only to email and spelling mistakes.
  2. Paragraph 2 - It doesn't mean the receiving device will most likely be mobile rather than a PC (or another type of computer). In fact, the same phishing URL often redirects end-users to a different destination determined by factors like their mobile device, device OS, language, and location. The same phishing URL can redirect a mobile user in London to a different location than a desktop computer user in London or a mobile user in the US. This is an important piece of information that most SMS Firewall vendors don't realize—I know because I've had video calls with quite a few of them. They believe you can open a URL and immediately determine if it’s safe or dangerous.
  3. Sticking with paragraph 2—no mobile malware I know of has ever been able to spread automatically via a phone's contacts. This didn't happen with FluBot like some people think - that's technically impossible. What can and does happen, as with FluBot, is that the malware sends the contacts from an infected device back to its Command and Control Center, where cybercriminals can then target those individuals with more SMS-led phishing attacks.
  4. Paragraph 3 is also wrong. Service providers like Twilio that make it easy for banks and brands to build relationships with customers via SMS use the internet—that's the entire point of their API service.
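Point 2 above is the part SMS Firewall vendors most often miss: the same URL can land an Android handset, an iPhone and a desktop browser in three different places, so a single fetch tells you nothing. The script below is an added example (not code from this article, from Infobip or from MetaCert) of how a checker can expose that behaviour: it fetches one URL under several client profiles and reports whether the landings diverge. It assumes a caller-supplied `fetch(url, headers)` function that follows redirects and returns the final URL; `requests_fetch()` shows the wiring with the `requests` library, and `demo_fetch()` is a constructed stand-in so the logic can be exercised offline. The profile strings and all URLs are constructed.

```python
"""Probe one URL with several client profiles and flag divergent landings.

Added illustrative example, not code from the article, Infobip or MetaCert.
It assumes a caller-supplied fetch(url, headers) -> final_url function;
requests_fetch() shows that wiring with the `requests` library, and
demo_fetch() is a constructed stand-in so the logic runs offline.
"""
from collections import defaultdict
from typing import Callable, Dict, List

Fetcher = Callable[[str, Dict[str, str]], str]

# Constructed client profiles: two handsets, a desktop, and a non-English desktop.
PROFILES: Dict[str, Dict[str, str]] = {
    "android-gb": {
        "User-Agent": "Mozilla/5.0 (Linux; Android 13) AppleWebKit/537.36 Chrome/114.0 Mobile Safari/537.36",
        "Accept-Language": "en-GB,en;q=0.9",
    },
    "iphone-us": {
        "User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 16_5 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148 Safari/604.1",
        "Accept-Language": "en-US,en;q=0.9",
    },
    "desktop-gb": {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/114.0 Safari/537.36",
        "Accept-Language": "en-GB,en;q=0.9",
    },
    "desktop-de": {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/114.0 Safari/537.36",
        "Accept-Language": "de-DE,de;q=0.9",
    },
}


def probe(url: str, fetch: Fetcher, profiles: Dict[str, Dict[str, str]] = PROFILES) -> Dict[str, str]:
    """Fetch `url` once per profile and return {profile: final_url}.
    A network error is recorded as its own outcome rather than aborting the run."""
    results: Dict[str, str] = {}
    for name, headers in profiles.items():
        try:
            results[name] = fetch(url, headers)
        except Exception as exc:
            results[name] = f"error:{type(exc).__name__}"
    return results


def cloaking_verdict(results: Dict[str, str]) -> Dict[str, object]:
    """Group profiles by where they landed. More than one landing means the
    destination depends on who is asking, so a single fetch cannot classify it."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for name, final_url in results.items():
        groups[final_url].append(name)
    return {"cloaked": len(groups) > 1, "landings": dict(groups)}


def requests_fetch(url: str, headers: Dict[str, str], timeout: float = 10.0) -> str:
    """Real fetcher: follow redirects and report only the final URL (the body is discarded)."""
    import requests  # imported here so the module still loads without it installed
    response = requests.get(url, headers=headers, allow_redirects=True, timeout=timeout)
    return response.url


def demo_fetch(url: str, headers: Dict[str, str]) -> str:
    """Constructed redirector mimicking the behaviour the article describes:
    Android is sent to an app download, iPhone to a login form, everyone else to a decoy."""
    user_agent = headers.get("User-Agent", "")
    if "Android" in user_agent:
        return "https://apk-host.example/update.apk"  # constructed
    if "iPhone" in user_agent:
        return "https://login-form.example/"  # constructed
    return "https://www.example.org/"  # constructed decoy


if __name__ == "__main__":
    verdict = cloaking_verdict(probe("https://short-link.example/x1", demo_fetch))
    print("cloaked" if verdict["cloaked"] else "consistent", verdict["landings"])
```

Swap `demo_fetch` for `requests_fetch` to run it against a live URL from an isolated host; the fetcher records only where each profile ends up and never writes the response body to disk, which is all a classifier needs to know that the URL cannot be judged from one vantage point.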

What Infobip thinks

[Image: screenshot of Infobip's page text, not reproduced here]

What I think

  1. The first paragraph isn’t bad.
  2. Paragraph 2 isn't bad. However, I wouldn't label the criminals responsible for targeting and compromising 150+ companies in 2022 as "scammers." I strongly dislike this term because it diminishes the severity of their actions and misrepresents the individuals behind these attacks. It also creates the impression that the majority of cyberattacks worldwide are merely "scams." Would we describe a ransomware attack on a hospital as a "scam"? Certainly not.
  3. Paragraph three is incorrect. There aren't three distinct types of smishing attacks as they describe. Additionally, it's utterly inaccurate to label any phishing threat as "borderline-legal." This statement, without the need for further context, indicates a lack of understanding regarding the distinction between phishing and spam. Phishing is strictly illegal under all circumstances. It constitutes a violation of the law to impersonate individuals or entities on the internet with the intention of coercing them into taking actions they would otherwise vehemently avoid. If an action doesn't involve impersonation for illicit calls to action, it cannot be classified as phishing. It might, however, be called “satire”. Classification matters, particularly when new regulations compel companies to take action against illegal activities as opposed to activities that mobile operators may prefer to prevent, such as “spam”.

What Infobip thinks

[Image: screenshot of Infobip's page text, not reproduced here]

What I think

This is entirely incorrect. Smishing does not fall into a "grey area"; it is a clear-cut issue. Trademarks have no relevance to anti-phishing protection. Bringing up trademarks will only lead to confusion and divert people's attention away from the crucial aspects. It may mislead individuals into thinking they require "trademark protection.” All of this becomes obvious when you’ve studied it for long enough.

What Infobip thinks

[Image: screenshot of Infobip's page text, not reproduced here]

What I think

The first paragraph is technically incorrect and needs to be corrected to prevent individuals from seeking the wrong type of solution, which may seem peculiar but is true. No individual in the world had their handset infected with Flubot simply by clicking a link within an SMS message. In reality, what happens is that people open the link contained in the SMS, which directs them to a deceptive webpage impersonating an entity. In the case of Flubot malware, victims had to willingly open the link, trust the presented webpage, download the fraudulent app, and subsequently modify their device permissions as instructed by the malicious app. Only then could the malware infect their device.

What Infobip says

[Image: screenshot of Infobip's page text, not reproduced here]

What I think

I don't understand why "fake landing pages” are separated from malware attacks because, even in the case of Flubot, the malware required individuals to click on a link and visit a fake page where they were prompted to download a fraudulent app.

Fake landing pages serve purposes beyond stealing personal information. Most SMS phishing attacks involve a URL that directs victims to a fake or **legitimate** page.

It's important to note the mention of a legitimate page.

Infobip's website doesn't include any reference to "reverse-proxy" phishing attacks. The PKI Consortium (CA Security Council) invited me to write an article based on MetaCert's unique insights, skills, and experience in this field. I recommend reading that article for a detailed explanation. You can access it here.

Landing pages consistently employ one-off or very short-lived URLs, rendering them extremely difficult to detect—rather than "almost" impossible. This single chokepoint makes everything else irrelevant. If you cannot detect the URL, what hope do you have in protecting people? You certainly cannot rely solely on the sender ID or copycat text.

What Infobip thinks

[Image: screenshot of Infobip's page text, not reproduced here]

What I think

I must admit that I didn't pay much attention to the section above, as the specific numbers or details of how they were obtained don't matter - it’s moot.

There's another section that attempts to explain the different types of smishing one might encounter in the wild. However, it falls short as it fails to even mention the targeted SMS phishing attacks that affected 150+ companies in 2022.

What Infobip thinks

[Image: screenshot of Infobip's page text, not reproduced here]

What I think

When you click "SMS Firewall technology," you're taken to the Infobip product page that fails to mention anything about phishing and how they protect mobile subscribers from it. Their focus is solely on the detection of spam to safeguard operators.

  1. Infobip has already stated that detecting phishing URLs is virtually impossible. Therefore, merely updating a database with discarded URLs won't prevent the next phishing attack. It would only stop phishing attacks after they have already occurred. So, it’s virtually useless.
  2. Machines are unable to effectively learn to identify phishing attempts because, as anticipated, phishing messages are designed to impersonate legitimate ones. Therefore, unless one wishes to block every message sent by banks and brands—an impractical solution—identifying and stopping phishing attacks becomes a significant challenge. Unfortunately, operators in Southeast Asia are starting to realize that their "Firewalls" are designed to safeguard their networks and revenue, rather than providing robust protection for their subscribers or business customers against phishing. A prime example is Globe Telecom, which ultimately abandoned its efforts after investing $20 million in SMS Firewalls. They now fail their subscribers by blocking all SMS messages that contain any kind of web link.
  3. The concept of "automated responses to identified threats" is paradoxical, and I hope it's now self-explanatory. By the time a threat is identified, it has already caused harm, and cybercriminals have either swapped their phishing URL for a new one, or they’ve picked a different target. The response to the subsequent threat will also be futile for the victims who have already suffered the consequences due to Infobip's failure to mitigate the threat before harm was already done.
  4. The detection of MSISDNs (phone numbers) demonstrates that they have little understanding of the tactics used by cybercriminals and the tools at their disposal. No self-respecting hacker would ever have their identity verified before using a SIM card to engage in illegal activities. This notion is actually quite insulting to hackers since they are clearly the most intelligent individuals in this scenario. It's comparable to suggesting that hackers would have their real identities verified before using Mailchimp to target people with email phishing.

Conclusion:

In reality, Infobip doesn't offer any form of anti-phishing protection to mobile subscribers. Furthermore, even Proofpoint, the owner of SMS Firewall vendor Cloudmark, doesn't offer a solution for smishing. Remarkably, no cybersecurity vendor worldwide currently offers any solution specifically tailored to mobile operators. Have you ever wondered why? The answer lies in the fact that security vendors are well aware of the deficiencies in email security, which would become apparent the moment they disclose the mobile network they claim to "protect." You can’t test the security posture of any organization's email because it’s behind corporate walls. SMS, on the other hand, is a public-facing channel that's accessible on every mobile device on the planet.

Now, how can one determine whether an SMS Firewall vendor is capable of effectively stopping smishing?

  1. Obtain a SIM card from the desired mobile network you wish to test.
  2. Acquire a few phishing URLs from PhishTank, a crowdsourced database of phishing URLs for login pages (please note that they don't investigate or classify phishing URLs used in malware attacks - another bone of contention for MetaCert).
  3. Send a series of SMS messages to your SIM card, incorporating phishing URLs. For simplicity, you can use URLs that are already classified as "phish." For a more challenging test, use URLs reported as "phish" but still awaiting verification and classification. This verification process can take anywhere from a few days to a few months.

That's all it takes.
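The three-step test above produces a pile of URLs and a handset that either received each message or didn't. The script below is an added example (not part of the article or of MetaCert's tooling) that turns a PhishTank CSV export into the two test sets the steps describe, the easy set of verified URLs and the harder set of reports still awaiting verification, measures how long each report waited for verification, and scores the firewall's block rate per set from a log of what reached the SIM. It assumes PhishTank's CSV column layout (`phish_id, url, phish_detail_url, submission_time, verified, verification_time, online, target`); the feed rows, URLs and delivery outcomes are all constructed placeholders.

```python
"""Turn a PhishTank CSV export into a firewall test set and score what got through.

Added example, not part of the article or of MetaCert's tooling. It assumes
PhishTank's CSV column layout (phish_id, url, phish_detail_url,
submission_time, verified, verification_time, online, target); the rows and
URLs below are constructed placeholders, not real phishing sites.
"""
import csv
import io
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed feed excerpt: two verified entries (one of them took days to be
# verified) and one still awaiting verification.
SAMPLE_FEED = """\
phish_id,url,phish_detail_url,submission_time,verified,verification_time,online,target
1001,https://phish-a.example/login,https://www.phishtank.com/phish_detail.php?phish_id=1001,2023-05-01T10:00:00+00:00,yes,2023-05-02T09:00:00+00:00,yes,Example Bank
1002,https://phish-b.example/verify,https://www.phishtank.com/phish_detail.php?phish_id=1002,2023-05-03T11:00:00+00:00,no,,yes,Other
1003,https://phish-c.example/secure,https://www.phishtank.com/phish_detail.php?phish_id=1003,2023-05-04T12:00:00+00:00,yes,2023-05-10T08:00:00+00:00,yes,Example Bank
"""


def load_feed(text: str) -> List[Dict[str, str]]:
    """Parse the CSV text into one dict per row, keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def partition(rows: List[Dict[str, str]]) -> Tuple[List[str], List[str]]:
    """Split URLs into the easy set (already verified) and the hard set (reported, pending)."""
    verified = [r["url"] for r in rows if r["verified"] == "yes"]
    pending = [r["url"] for r in rows if r["verified"] != "yes"]
    return verified, pending


def verification_lag(row: Dict[str, str]) -> Optional[timedelta]:
    """How long a report waited before it was verified; None if still pending."""
    if not row["verification_time"]:
        return None
    submitted = datetime.fromisoformat(row["submission_time"])
    verified_at = datetime.fromisoformat(row["verification_time"])
    return verified_at - submitted


def score(delivered: Dict[str, bool], verified: List[str], pending: List[str]) -> Dict[str, float]:
    """Block rate per set, given {url: True if the SMS reached the handset}.
    A URL absent from `delivered` has not been tested yet and is ignored."""
    def rate(urls: List[str]) -> float:
        tested = [u for u in urls if u in delivered]
        if not tested:
            return 0.0
        blocked = sum(1 for u in tested if not delivered[u])
        return blocked / len(tested)
    return {"verified_block_rate": rate(verified), "pending_block_rate": rate(pending)}


if __name__ == "__main__":
    rows = load_feed(SAMPLE_FEED)
    verified, pending = partition(rows)
    # Constructed outcome log from the handset: one verified URL blocked, the rest delivered.
    outcomes = {verified[0]: False, verified[1]: True, pending[0]: True}
    print(score(outcomes, verified, pending))
    for r in rows:
        print(r["phish_id"], verification_lag(r))
```

The two rates are the whole story: a firewall that blocks most of the verified set but nothing from the pending set is only stopping URLs that were reported days or weeks earlier, which is exactly the "after the fact" protection the article describes.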

Consider this...

If world-leading cybersecurity companies such as Microsoft, Okta, and Cisco can fall victim to SMS phishing attacks that skillfully impersonate their own text messages, URLs, and SSO login pages, it raises critical questions. How did these attacks succeed, given that these companies offer security solutions specifically designed to safeguard their customers against such attacks? Twilio owns an app-based 2FA solution called Authy. Twilio employees also fell for the targeted SMS Phishing attacks in 2022 - how can they claim to have robust anti-phishing protection for their customers?

These incidents highlight a significant challenge. If such renowned cybersecurity companies struggle to defend against SMS Phishing, how can SMS Firewall vendors expect to tackle the problem? Merely relying on email-like spam filters, which are not specifically designed or built to handle the complexities involved in an anti-phishing solution, does not suffice.

Alan Quayle

Programmable Telecoms / Communications Expert

1 year

Phishing is principally about social engineering, a con, the channel is irrelevant. We receive SMS on laptops, and emails on mobiles. Phishing is about getting the con delivered to the target on whatever communications channel works. Phishing is a different category of problem to those tackled by SMS firewalls, e.g. stopping A2P SMS pretending to be P2P SMS (a significant component of SMS firewalls as it stops revenue leakage), as well as illegal SMS SPAM from inside and outside the network. Until the industry realizes the difference between phishing and spam, we're not going to see adequate solutions to protect customers.
