Exploiting SMS: Threat Actors Use Social Engineering to Target Companies

April 17, 2025

By: Christopher Matta, Cofense Phishing Defense Center

Phishing attacks continue to target businesses in increasingly sophisticated ways. One common method used by threat actors is smishing, an SMS-based phishing tactic that often serves as a gateway to credential harvesting. The Cofense Phishing Defense Center (PDC) has observed an uptick in SMS-based attacks that deliver links to malicious fake websites from spoofed or unknown phone numbers. Smishing uses social engineering to manipulate recipients by creating a sense of urgency or fear. Attackers exploit human emotions to bypass skepticism and prompt immediate action. This deceptive approach underscores the importance of users recognizing these tactics and remaining vigilant in safeguarding their personal information.


Figure 1: SMS Delivery

The smishing attack begins with an SMS message, as seen in Figure 1. The attacker uses carefully crafted language designed to evoke a sense of urgency, enticing recipients to click the link. Phrases like "attention" and requests to "please view changes" create an immediate sense of importance, leveraging social engineering to manipulate emotions. This intentional use of persuasive language aims to establish trust, making the request seem routine and legitimate. Additionally, the threat actor includes the phrase "If this was not you, please log in to make a ticket". The goal here is to prompt action from two types of recipients: those who believe they made a timetable change and those who want to take action to fix false timetable changes.

To further deceive the recipient, the threat actor uses a redirect through a commonly known and legitimate domain, Google in this case, to mask the malicious intent of the link. By appearing as a reputable source, the attacker increases the likelihood that the victim will perceive the link as safe. The goal is to create a false sense of security, convincing individuals that they are simply fulfilling their responsibilities. This strategy highlights the effectiveness of social engineering tactics, as it blurs the line between normal behavior and malicious activity, leading individuals to believe that visiting the new website is legitimate.


Figure 2: Initial Redirect

Upon clicking the link, we see that Google issues a warning about the redirect to "resolveservicedesk[.]com", as seen in Figure 2. This should raise concerns: we initially expected to visit a legitimate Google site, but instead the threat actor is trying to take us to a completely different domain. This unexpected diversion is a significant red flag. What started as a seemingly trusted interaction has now turned suspicious, highlighting the danger of being redirected outside of a familiar platform like Google.

The attacker's earlier efforts to build trust now come into play. By using social engineering, they've crafted a narrative that makes the malicious behavior seem normal and even acceptable. As a result, recipients feel compelled to visit the new site, assuming it aligns with their usual tasks. Recognizing the manipulation is key, as it highlights how attackers exploited the recipient’s instinctive trust, emphasizing the need to remain cautious and aware of these tactics.
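The two warning signs described above, urgency language in the message body and a link that routes through a google[.]com/amp/ redirect before landing on an unrelated domain, can both be checked mechanically before a user ever taps the link. The following Python is an added illustration written for this article; it is not Cofense tooling and not code from the campaign. The SMS text is constructed to resemble the lure described in the post, the `trusted_domains` allowlist is a hypothetical parameter, and the unwrapping logic relies on the documented shape of Google AMP viewer paths (`/amp/<host>/...` for http, `/amp/s/<host>/...` for https).

```python
import re
from urllib.parse import urlparse

# Constructed sample SMS, modelled on the lure described in the post (not the real message).
SAMPLE_SMS = (
    "ATTENTION: a change was made to your timetable. Please view changes: "
    "https://google.com/amp/resolveservicedesk.com/login "
    "If this was not you, please log in to make a ticket."
)

# Social-engineering cues the post calls out, plus a few generic urgency words.
URGENCY_PHRASES = (
    "attention",
    "please view changes",
    "if this was not you",
    "immediately",
    "urgent",
)

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def unwrap_google_amp(url: str) -> str:
    """Return the destination hidden behind a google.com/amp/ redirect.

    The AMP viewer path encodes the target as /amp/<host>/<path> (http) or
    /amp/s/<host>/<path> (https). Any other URL is returned unchanged.
    """
    parts = urlparse(url)
    host = parts.netloc.lower()
    is_google = host == "google.com" or host.endswith(".google.com")
    if not (is_google and parts.path.startswith("/amp/")):
        return url
    target = parts.path[len("/amp/"):]
    scheme = "http"
    if target.startswith("s/"):
        scheme, target = "https", target[2:]
    if parts.query:
        target += "?" + parts.query
    return f"{scheme}://{target}"


def final_domain(url: str) -> str:
    """Hostname the user would actually land on after the redirect is followed."""
    return urlparse(unwrap_google_amp(url)).netloc.lower()


def defang(s: str) -> str:
    """Defang a URL or domain so it can be pasted into a report without being clickable."""
    return s.replace("http", "hXXp").replace(".", "[.]")


def analyze_sms(text: str, trusted_domains=("servicenow.com",)) -> dict:
    """Flag a message that combines urgency language with a link to an untrusted domain."""
    lowered = text.lower()
    urls = URL_RE.findall(text)
    domains = [final_domain(u) for u in urls]
    cues = [p for p in URGENCY_PHRASES if p in lowered]
    wrappers = [u for u in urls if unwrap_google_amp(u) != u]
    untrusted = [
        d for d in domains
        if not any(d == t or d.endswith("." + t) for t in trusted_domains)
    ]
    return {
        "urls": urls,
        "final_domains": domains,
        "urgency_cues": cues,
        "uses_redirect_wrapper": bool(wrappers),
        "untrusted_domains": untrusted,
        "suspicious": bool(cues) and bool(untrusted),
        "report": [defang(d) for d in untrusted],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyze_sms(SAMPLE_SMS), indent=2))
```

The verdict deliberately requires both signals: urgency wording alone is common in legitimate IT notices, and a redirect wrapper alone is used by real AMP links, but a message that pressures the reader and whose link resolves to a domain outside the organisation's known SaaS providers is worth routing to the security team before anyone follows it.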


Figure 3: Landing Page

After the redirects, we land on a phishing page that impersonates ServiceNow and prompts us to provide login credentials, as seen in Figure 3. This well-designed landing page can easily appear legitimate to many users. However, it is essential to train employees to be cautious when the browser interface differs from the standard ServiceNow layout. Furthermore, discrepancies in the URL are a clear indication that the site is not official or legitimate.

Figure 4: Fake Multifactor Authentication Prompt

If users enter their credentials, they are then presented with a fake multifactor authentication prompt as shown in Figure 4. This tactic is designed to further build trust, making recipients believe they are engaging with a legitimate process. The threat actor preys on the victim's sense of routine and trust in established procedures. Once the attacker captures both the credentials and MFA information, they can gain unauthorized access to sensitive accounts or systems, potentially leading to serious data breaches or financial losses.

Organizations must remain vigilant and educate employees about the risks of SMS-based phishing attacks, especially those leveraging deceptive redirect links, to effectively safeguard sensitive information and prevent breaches. Cofense PhishMe Security Awareness Training (SAT) provides solutions for preparing individuals against smartphone-based attacks like Vishing, Smishing, and WhatsApp-vectored threats. These training simulators place the learner in the controls of an iOS or Android smartphone and present them with examples of real smartphone-based attacks in a safe environment. To learn more about our threat-based simulation training as well as our Managed Phishing Detection and Response (MPDR) platform, contact us today. 

Stage 1 - Observed Email Infection URL:
hXXps://google[.]com/amp/resolveservicedesk[.]com

Infection URL IP(s):
172[.]253[.]122[.]113
172[.]253[.]122[.]138
172[.]253[.]122[.]102
172[.]253[.]122[.]101
172[.]253[.]122[.]100
172[.]253[.]122[.]139

Stage 2 - Observed Payload URL(s):
hXXps://resolveservicedesk[.]com

Payload IP(s):
15[.]197[.]130[.]221
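To put the indicators above to use, a defender typically refangs them and sweeps web proxy or DNS logs for any client that touched the Stage 2 domain or IP. The Python below is an added example for this article, not Cofense code; the log lines are constructed to look like a simple proxy export (timestamp, client IP, method, URL, status, server IP) and are not real telemetry. Note that the Stage 1 IPs listed above are the addresses serving the google[.]com redirector, so blocking them would block Google itself; the sweep therefore keys on the Stage 2 domain and IP, and catches the Stage 1 URL anyway because the domain appears inside its path.

```python
import re

# Indicators exactly as published in the post (defanged form).
STAGE1_URL = "hXXps://google[.]com/amp/resolveservicedesk[.]com"
STAGE2_URL = "hXXps://resolveservicedesk[.]com"
STAGE2_IPS = ("15[.]197[.]130[.]221",)


def refang(ioc: str) -> str:
    """Turn the defanged form back into a matchable string."""
    return ioc.replace("hXXp", "http").replace("[.]", ".")


def host_of(url: str) -> str:
    """Hostname portion of a (possibly defanged) URL."""
    return re.sub(r"^https?://", "", refang(url)).split("/")[0].lower()


# The domain the lure finally lands on; google.com is only a redirector and is not watched.
WATCH_DOMAINS = {host_of(STAGE2_URL)}          # {"resolveservicedesk.com"}
WATCH_IPS = {refang(ip) for ip in STAGE2_IPS}  # {"15.197.130.221"}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed proxy log lines: timestamp, client IP, method, URL, status, server IP.
SAMPLE_LOG = [
    "2025-04-16T09:12:01Z 10.0.5.23 GET https://www.google.com/amp/resolveservicedesk.com 302 172.253.122.113",
    "2025-04-16T09:12:04Z 10.0.5.23 GET https://resolveservicedesk.com/login 200 15.197.130.221",
    "2025-04-16T09:13:10Z 10.0.5.41 GET https://www.google.com/search?q=servicenow 200 172.253.122.138",
    "2025-04-16T09:14:00Z 10.0.5.23 POST https://resolveservicedesk.com/mfa 200 15.197.130.221",
]


def scan_log(lines, domains=WATCH_DOMAINS, ips=WATCH_IPS):
    """Return (line_number, indicator) for every line referencing a watched domain or IP."""
    hits = []
    for n, line in enumerate(lines, start=1):
        low = line.lower()
        for d in domains:
            # Boundary-aware match so the domain is found inside a google.com/amp/ path
            # and under subdomains, but not as a substring of a longer label.
            if re.search(r"(?<![\w-])" + re.escape(d) + r"(?![\w-])", low):
                hits.append((n, d))
                break
        else:
            for ip in IPV4_RE.findall(line):
                if ip in ips:
                    hits.append((n, ip))
                    break
    return hits


def affected_clients(lines):
    """Client IPs that reached any watched indicator; these are the hosts to triage first."""
    flagged = {n for n, _ in scan_log(lines)}
    return {lines[n - 1].split()[1] for n in flagged}


if __name__ == "__main__":
    for n, indicator in scan_log(SAMPLE_LOG):
        print(f"line {n}: {indicator}")
    print("clients to triage:", sorted(affected_clients(SAMPLE_LOG)))
```

In the constructed sample the third line, an ordinary Google search, is not flagged even though its server IP is one of the Stage 1 addresses, which is the behaviour you want from a sweep built on shared-infrastructure indicators. Any client that appears in `affected_clients` should have its ServiceNow credentials and MFA factors reset, since the page captures both.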

All third-party trademarks referenced by Cofense, whether in logo form, name form, product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding the circumvention of end-point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog, are registered trademarks or trademarks of Cofense Inc.