2013 is open season for smishing

An office worker in his late 30s named Lee recently received a wedding invitation message on his iPhone. It was a number he was unfamiliar with, but he clicked on the linked address anyway. When it didn’t open after a few tries, he gave up.

A few days later, he sent a text message to the sender because he got curious about who was getting married. The message he got back was, “Don’t open the link. It’s fraud.”

“I was surprised at the response because I never thought the Internet link was connected to a Web site infected with malicious virus,” Lee said. “I didn’t suspect anything because the invite had my full name on it.”

Lee’s lack of technical knowledge about ways to open the Web site helped him avoid becoming another victim of smishing, a new form of phishing that has been spreading rapidly. It tries to swindle money from victims by using short message services (SMS).

The mutant chest code first showed up in March, sneaking fees from users by disguising a fee application as a pay version and attacking mobile payments. It is a kind of Trojan virus, first seeping into a smartphone via a text message, saying the enclosed link offers a free movie or dining voucher. The malicious code automatically installs once the link is opened.
The code extracts all kinds of private information - such as names and resident registration and phone numbers - and transfers it to the attacker. The attacker can make payments with the information and pass through the next security step of authentication code by paralyzing the smartphone’s notification function.

Past mobile attacks mostly did not cause financial damages. For instance, an advertisement randomly popped up while the corresponding application was not in operation. The attacks that appear this year, however, are all about money.

The new codes mainly try to get money through false mobile application fees and mobile banking transactions. Attackers specifically grasped the fact that the most frequently used applications by Korean smartphone users are for shopping and games that require payments.

The trend of accessing private information this year is more diverse and sophisticated than in the past, when attackers tried to gain information through spam calls or text messages from public servants, bank tellers or post office workers.
Technologically advanced, they now try to lure users to fake bank Web pages, usually called phishing sites, and extract information from bank transactions.

Also, the attackers integrated a malicious code previously used to hack online game accounts with bank accounts.

One of the popular smishing tactic is the wedding invitation, but they also come in other types such as a baby’s first birthday party, funerals, gift coupons from banks and even information about refunds. Some even come in the form of a message from a court claiming that the receiver has been summoned regarding a legal dispute.

Nowadays there are reports that smishing messages are coming in the form of Chuseok greetings or notification of a Chuseok gift delivery.

Not all are as lucky as Lee.

The Korean police cyber unit last week tracked down and arrested a 27-year-old known only as Park for fraud through smishing. His accomplice, a 27-yeard-old Shin, was indicted without arrest.

Park started sending smishing messages in May. Anyone who accessed the Web site was infected with a malicious program that mined personal information. Park not only used his computer, but also sent out the message from Shin’s apartment as well as from PC rooms.

He is reported to have used personal information acquired through smishing in 535 cases, which included purchasing items and reselling them on the Internet. Park is charged with collecting more than 34 million won ($31,340).

In August, four people were arrested on similar charges. They were accused of sending more than 1 million messages since February and collecting in excess of 110 million won from 490 victims.

According to a recent report by the nation’s largest security software developer, AhnLab, cases of smishing have been growing rapidly.

Last year, the total number of smishing cases was 29. In January alone there were 68, 174 in February and 262 in March. In August there were more than 700 smishing reports, bringing the total for the first eight months of the year to 2,433.

A separate report released Monday by a Democratic Party lawmaker was much more severe. According to lawmaker Kim Hyun, who based the study on national police reports provided by the national police, there were 2,182 smishing reports in 2012 and more than 18,143 this year through July. The amount collected grew from 569 million won last year to 3.5 billion won from January through July.

Kim said the reason smishing has grown at such an alarming rate is because unlike voice phishing, in which the con artist has to talk directly to the victim over the phone, smishing approaches potential victims through messages that most wouldn’t suspect.

“Smishing targets anyone with a mobile phone, which makes the damage grow significantly in a short period,” the lawmaker said. “Because voice phishing and smishing are usually based overseas, there is a limit to arresting the criminals. The best way is to minimize the damage and raise public awareness.”

The Financial Services Commission on Monday said that starting Sept. 26, it will step up efforts to prevent fraud through the Internet, computer and mobile banking system. Currently, when making a payment, a user must verify the authenticated certificate then punch in a security card or one-time password (OTP). Under the new system, users will get a call from the financial institution to verify the payment. However, the move will be limited to amounts exceeding 3 million won and optional for those who use OTPs.

Early last year, the financial authority acted to limit voice phishing by delaying card payments for two hours from the time of the initial request and 10 minutes for ATM transactions of 3 million won or more.

BY kim ji-yoon, lee ho-jeong [jiyoon.kim@joongang.co.kr]