
SMiShing & Canadian Banks & Data

14 Dec 2015 | CPOL | 10 min read | 6.5K
Earlier this spring I became aware of a new cyber attack (Smishing) spreading across the US after migrating its way through Asia. This new attack, as you may have already guessed, was SMiShing and subsequently its close cousin Vishing. All the major Canadian banks have mobile applications, and most financial institutions in Canada have some form of mobile application allowing their clients to interact with them. I mentioned the SMiShing attacks taking place south of the border at work and, as I expected, it drew little fanfare; I hadn't heard of many attempted SMiShing attacks in Canada yet. Somehow I've managed to drop my phone number into the right database, or I have some nefarious friends who are registering my number somewhere on the InterWebs, because yesterday I received a targeted SMiShing attack directed at my mobile device and impersonating the Canadian Imperial Bank of Commerce (CIBC). Having a career in software security I recognized the attempt for what it was, not to mention I don't bank with CIBC. What follows is a surface-level analysis of the directed SMiShing attack; later I'll fall victim to the SMiShing attack on a research device and analyze it from that point of view as well.

What is SMiShing?

Smishing is an attack very similar in principle to Phishing, whereby the attacker attempts to get the victim to click on a destination link that the attacker controls, for the purpose of extracting some information from the victim, downloading malware onto the device the victim clicked the link from, or compromising the device or its secrets in some other manner. The primary difference between a phishing attack and a SMiShing attack is the manner in which the attack payload (the message) is delivered to the victim. In a phishing attack the message is usually delivered via E-mail. In contrast, a Smishing attack is delivered over SMS. In the phishing case the attacker needs to know an E-mail address, or at the very least a domain to target E-mails at. In the Smishing case the attacker merely needs to know a phone number. Since most phone numbers around the world are 10-digit numbers, the attacker only needs to guess phone numbers at random to send out a valid attack vector. This raises serious questions about phone numbers within any organization, the need for that organization to protect the phone numbers of its clients, and requires a revisit of the data classification of phone numbers.

The SMishing Attack

[Screenshot: the Smishing text message]

This was the text message that I received. On a scale of how effective this message was, I would rate it 5/10 (10 being the most effective). The big red flag for me was that I don't bank or have any account with CIBC. The first interesting fact about this message was how the attackers chose to contact me: I have never signed up for text messages from a bank in Canada. Now, my understanding is that some banks do provide text messaging services; however, the number is certainly not a Canadian number and looks like it's being spoofed from somewhere. Ordinarily I would not consider spoofing a number a serious warning sign; I've been involved in situations where calls were made from one outgoing number and we wanted respondents to call back a different number, a perfectly legitimate example of number spoofing.

However, if you google 222-220-000 you'll notice it's been used in SMiShing attempts against other Canadian banks, not just CIBC. The other peculiar aspect is that the number does not have enough digits for the Canadian telephone system; we use 10-digit dialing and messaging for everything. Even if the number weren't considered suspicious, other aspects of this message certainly should be.

The E-mail address associated with this message is mjdkmi@cibc.net. I have no idea whether this is a legitimate E-mail address or just an address spoofed to make the message look legitimate. I suspect this was an E-mail -> Text style Smishing hit on millions of phone numbers harvested from a database somewhere. What should immediately be suspicious about this message is that the domain of the E-mail address is CIBC.net, not CIBC.com. A quick google of CIBC.net refers me to a French vocational training website, certainly not CIBC operating in France.

If I run a whois query on CIBC.net, it certainly appears to be registered to the group operating that website somewhere in France, a far cry from CIBC.com and Canadian banking operations.

The last suspicious part of this Smishing attempt was the link I was asked to click on to restore access to my Canadian banking accounts at CIBC, which I do not have. The link was cibc.ilies.ro. ".ro" is the domain suffix for Romania. Investigating a bit further, I noticed that cibc.ilies.ro is a parked subdomain of ilies.ro.

The best-case scenario is that some Smishing attackers have set up a website to look like CIBC in an attempt to steal my credentials and access my bank account. I say this is the best case because I have a great deal of trust in the Canadian banks' fraud detection software and departments to detect this and stop unauthorized use of my accounts.
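The checks walked through above (sender digit count, e-mail domain versus the bank's real domain, and a link whose host is a brand-named subdomain of an unrelated foreign domain) can be turned into a small triage script for incoming messages. The following Python is an added example and not code from the original post; it assumes cibc.com is the institution's only legitimate domain and runs over a constructed message built from the values quoted above.

```python
import re
from urllib.parse import urlparse

# Domains the institution really uses for mail and web. Assumption for this
# example: cibc.com is the bank's domain, as the post states; cibc.net is not.
LEGIT_DOMAINS = {"cibc.com"}

EMAIL_RE = re.compile(r"[\w.+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)


def _host(token: str) -> str:
    """Hostname of a URL that may lack a scheme (SMS links usually do)."""
    if "://" not in token:
        token = "http://" + token
    return (urlparse(token).hostname or "").lower()


def _under(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def red_flags(sender: str, body: str, legit_domains=LEGIT_DOMAINS) -> list[str]:
    """Return the warning signs the analysis above looks for, as strings."""
    flags = []

    # 1. Sender: Canadian (NANP) numbers are 10 digits, 11 with a leading 1.
    digits = re.sub(r"\D", "", sender)
    if len(digits) not in (10, 11):
        flags.append(f"sender {sender!r} is not a 10-digit North American number")

    # 2. Any e-mail address whose domain is not one the institution owns.
    for addr in EMAIL_RE.findall(body):
        dom = addr.rsplit("@", 1)[1].lower()
        if not any(_under(dom, d) for d in legit_domains):
            flags.append(f"e-mail domain {dom!r} is not a domain of the institution")

    # 3. Links: strip addresses first so 'cibc.net' is not counted twice.
    brand_labels = {d.split(".")[0] for d in legit_domains}
    for url in URL_RE.findall(EMAIL_RE.sub(" ", body)):
        host = _host(url)
        if any(_under(host, d) for d in legit_domains):
            continue
        registrable = ".".join(host.split(".")[-2:])
        flags.append(f"link host {host!r} is outside the institution's domains "
                     f"(registered under {registrable!r})")
        # Brand name placed in a subdomain of an unrelated domain (cibc.ilies.ro).
        if brand_labels & set(host.split(".")[:-2]):
            flags.append(f"brand name used as a subdomain of {registrable!r}")
    return flags


# Constructed sample message using the sender, address and link quoted in the post.
SAMPLE_SENDER = "222-220-000"
SAMPLE_BODY = ("CIBC: Your online banking access has been locked. "
               "Restore access at cibc.ilies.ro/restore  mjdkmi@cibc.net")

if __name__ == "__main__":
    for flag in red_flags(SAMPLE_SENDER, SAMPLE_BODY):
        print("-", flag)
```

On the constructed sample this reports four flags: the 9-digit sender, the cibc.net address, the link host outside cibc.com, and the brand name sitting under ilies.ro. A message from a 10-digit number linking only to www.cibc.com reports none. The registrable-domain logic is deliberately naive (last two labels) and would need a public suffix list for domains like .co.uk.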

A Case Worse Than The Best Case

Earlier in this post I mentioned that I would give this Smishing attack a 5/10. The reason is that to an uninformed technology user, and we all know a number of them, this type of situation could be extremely frightening. It would be worse still if said uninformed user was in the middle of some financial business and legitimately believed their account was locked. I can totally understand how an uninformed person might be tempted to click on the link.

If the unsuspecting victim clicked on the link they could be taken to a page that closely resembles the CIBC website, built to steal their credentials, and it would be even worse if that website employed the Angler Exploit Kit. With the Angler Exploit Kit the attackers could theoretically deploy malware to an unpatched device, especially an unpatched Android device. Once the malware is deployed to the device it may or may not run right away; either way, rule #1 of the 10 Immutable Laws of Security has just been breached, and chances are more will follow.

A slightly worse situation: not only does the victim have their credentials compromised, they also get malware deployed to their device. That malware may cost them financially (CryptoLocker, for instance), may steal data from the device, may change permissions, violating more of the immutable laws of security, or may simply steal other credentials or critical data such as the victim's credit card details, all because of one errant SMishing SMS message.

Improving the SMishing Attack

This attack only earned a 5/10 in my opinion because of its numerous red flags, which I would hope most people would detect and not respond to; however, even as I write that, I know this is not the case. A seriously dedicated attacker could improve this SMishing attempt in the following ways.

  1. Do some research and learn that CIBC.net is wholly different from CIBC.com: CIBC.com is a bank and CIBC.net is not. In this case I am guessing the E-mail address is there in an attempt to make the message look official, or is required by the E-mail -> Text functionality. Very few victims are going to E-mail the address; most are going to click on the link. Therefore the person sending this could have put alex@cibc.com or some other fictitious address, or could E-mail CIBC.com in hopes of scoring a real person and their address.
  2. I would attempt to obfuscate the address the attacker wanted the victim to go to, so it's not so obvious that the attacking URL originates in Romania. This can be done with a simple URL shortener. It might be difficult to use a respectable one such as Google's; however, all a URL shortener is, is a web service/site call which receives a token, looks the token up in a DB and redirects the user. You could write one in an afternoon, and even host it at a Canadian-looking URL, which would then redirect to the full attacking URL.
  3. Make the phone number look Canadian, either through a Canadian burner SIM or better spoofing.

SMishing & Software Security

Many developers, managers and other folks I speak with extensively about software security agree to some extent (maybe, perhaps, as the budget allows) that software security is important, but things like open redirects and cross-site scripting vulnerabilities aren't sexy; they're not protecting the "big data", and we're not encrypting a database full of customer data when we fix these vulnerabilities on the websites. If attackers can use open redirects or reflected cross-site scripting vulnerabilities in your websites to redirect the user to some nefarious code running on a server in Romania, and that code can trick your users into entering banking credentials, does it really matter how well you encrypted that user's data? They just gave away the keys to the kingdom. Now you might argue that's the user's problem and not ours. I would agree to a certain extent; however, if vulnerabilities in your website allow attackers to use a legitimate website to redirect the users they are attacking, then I'd say the responsibility is 50/50, because it was your website and your reputation that assisted the attacker in successfully executing a Smishing attack against your users.
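To make the open-redirect point concrete, here is an added Python example (not code from the original post): a login-return handler in its open form beside a hardened version that only honours same-site paths or allow-listed hosts. The site origin bank.example and its allowed hosts are hypothetical; the rejected inputs reuse the cibc.ilies.ro host quoted above.

```python
from urllib.parse import urlparse, urljoin

# Hypothetical site that performs the post-login redirect.
SITE_ORIGIN = "https://bank.example"
ALLOWED_HOSTS = {"bank.example", "www.bank.example"}


def redirect_target_vulnerable(next_param: str) -> str:
    """Open redirect: whatever ?next= holds is sent back as the Location header,
    so a link on the bank's own domain can hand the user to any site."""
    return next_param


def redirect_target_safe(next_param: str, default: str = "/") -> str:
    """Accept only a relative path on this site or an absolute URL whose host is
    allow-listed; anything else falls back to the default landing page."""
    if not next_param:
        return default
    # Control characters and whitespace can split or smuggle headers; reject early.
    if any(ord(c) < 33 for c in next_param):
        return default
    # '//host' is protocol-relative, and browsers treat '\' like '/' in URLs,
    # so '/\host' also becomes a cross-site redirect. Reject both forms outright.
    if next_param.startswith("//") or "\\" in next_param:
        return default

    parsed = urlparse(next_param)
    if parsed.scheme == "" and parsed.netloc == "":
        # Relative reference: resolve against our own origin and hand back
        # only the path and query, never a host the caller chose.
        resolved = urlparse(urljoin(SITE_ORIGIN, next_param))
        if resolved.hostname in ALLOWED_HOSTS:
            return resolved.path + (f"?{resolved.query}" if resolved.query else "")
        return default

    # Absolute URL: hostname (not netloc) strips any 'user@' credentials trick,
    # and exact set membership defeats look-alikes such as bank.example.evil.tld.
    if parsed.scheme in ("http", "https") and parsed.hostname in ALLOWED_HOSTS:
        return next_param
    return default


if __name__ == "__main__":
    for candidate in ("/accounts?tab=chequing", "https://www.bank.example/login",
                      "https://cibc.ilies.ro/", "//cibc.ilies.ro/",
                      "https://bank.example@cibc.ilies.ro/", "javascript:alert(1)"):
        print(f"{candidate!r:45} open -> {redirect_target_vulnerable(candidate)!r:40} "
              f"safe -> {redirect_target_safe(candidate)!r}")
```

The vulnerable function is exactly what a `?next=` or `?returnUrl=` parameter becomes when it is echoed into a redirect unchecked: a link that starts with the bank's own domain and ends on the attacker's page. The hardened version prefers returning a site-relative path over echoing the input, which sidesteps most parser-disagreement tricks between the server's URL library and the browser.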

NB: I am not suggesting, do not know of, and have no proof that the Canadian Imperial Bank of Commerce knew of this attack, or that their infrastructure or code was in any way complicit in it; the scenario outlined above would be yet a further way to improve the attack if such a vulnerability existed in any institution's code.

SMiShing & Data

With the incidents seen last year, and user data being stolen from financial institutions and insurance companies, many organizations are in a huge rush to encrypt, protect and secure their data through all means possible. Many have taken on the huge task of finding their data, defining what is critical, and deciding what data must be protected at all costs or it would cost the organization thousands of dollars and loss of reputation.

Lots of these organizations, as mentioned earlier, have mobile applications for users to interact with the institution, making their users' lives easier. I would be willing to bet that among the things these organizations are storing are users' phone numbers. When you think of a phone number standing on its own, many would argue that a phone number in and of itself is not PII data, nor worthy of being protected the same way someone's health claim or benefit data is. Investment account numbers are far more important to protect than a phone number, right? Or someone's insurance details?

A lowly phone number, without even knowing who owns it, can lead to a compromise of the user data you're trying really, really hard to protect. A leak of thousands of phone numbers creates a target list with thousands of potential targets. All you need is a number.


The post SMiShing & Canadian Banks & Data appeared first on Security Synergy.

This article was originally posted at http://security.howellsonline.ca/smishing-cdnbanks-data

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


Written By: Engineer, Canada
I am a Sr Engineer for a major security firm; I have been developing software professionally for 8 years now; I've worked for start ups, small companies, large companies, myself, education. Currently the company I work for has 7,000+ employees worldwide. I am responsible for our platform security, I write code, implement features, educate other engineers about security, I perform security reviews, threat modeling, continue to educate myself on the latest software. By night, I actively work to educate other developers about security and security issues. I also founded a local chapter of OWASP which I organize and run.

I cut my teeth developing in C++ and it's still where my heart is with development, lately I've been writing a lot of C# code & some java, but I do have a project or two coming out in C++ /DirectX 11 whenever I get the time.

When I am not developing code I am spending my time with my wife and daughter or I am lost deep in the woods some where on a camping trip with friends. If you can't find me with a GPS and a SPOT device then chances are I am on the Rugby pitch playing Rugby and having a great time doing so.


You can find more about me and My thoughts on security
