Table of Contents
Smishing (short for SMS Phishing) is a variant of phishing email scams that uses Short Message Service (SMS) systems to send out bogus text messages. Also written as SMiShing, SMS phishing made recent headlines when a vulnerability in the iPhone's SMS text messaging system was discovered that made smishing on the mobile device possible.
Smishing scams frequently seek to direct the text message recipient to visit a website or call a phone number. At which point, the person being scammed is enticed to provide sensitive information such as credit card details or passwords. Smishing websites are also known to attempt to infect the person's phone with Malware.
SMS phishing uses cell phone text messages to deliver the bait, persuading people to divulge their personal information. The "Hook" (method used to capture people's information) in the text message may be a website URL. LUCY offers the possibility to simulate such attacks. To create a smishing campaign is the same as creating a regular Phishing Campaign. The only difference is that within the message template (former e-mail template) you have to select SMS instead of email as a delivery method.
How is LUCY sending SMS?
LUCY has a build in API which will connect to a centralized LUCY gateway when initializing SMS delivery. The gateway will first verify, if the LUCY client has sufficient credits and is allowed to send SMS. If all checks pass our gateway will connect to an international provider using a second API. This provider is able to send the messages with the settings defined in LUCY.
In order to use the smishing feature in LUCY, you need a:
a) commercial license and b) sufficient balance
- Where can I see my current assets available for this feature?
You can find your current credit under settings/licence:
- How do I add credits?
You have a button next to the balance which enables you to buy more credits directly within the LUCY GUI.
- How many credits do I need?
One SMS costs 15 cents.
- How do I get a commercial license?
A Smishing Campaign is not different from a regular phishing campaign. Most templates can be used in the same way. The difference is only the delivery method: within the scenario (Base Settings –> Scenario Settings –> Message Settings) you can use as a delivery method either "mail" or "sms". Choose "SMS". As a sender, you can put a name or phone number (use always the phone number with the country code: example 49 xxx). The actual phone number should have no "00" and "+" in front, i.e. 41796959611 (41 - Switzerland country code) and not 0041796959611 or +41796959611. See https://en.wikipedia.org/wiki/List_of_country_calling_codes
If the phone number is saved in the recipient's contacts, it will show the corresponding contact information upon arrival of the SMS.
Next, you will need to enter the phone number in your recipient's list. Don't forget to also set the correct language (the language should match the language chosen in General Settings (Base Settings –> Scenario settings –> Base Settings).
Automated URL Shortening
When you place the %link% variable within the message body and your scenario uses a public domain name, it will automatically be shortened. The link will look like "http://is.gd/9VjDKF” to fit into one text message. If you use an IP address for your landing page the link will be not shortened.
- Issues with specific countries: in certain countries, SMS spoofing will not work at all or SMS might only arrive if the sender is using a different country code. For example: in Belgium, the SMS sender will get replaced by a general number like "8850" when using a different country code.
- Issues with Delivery (sender):This usually means, that your provider did not accept your senders ID. Try different variations to solve this. Example: if your sender number is 0041793531111 (where 0041 is the country code, 79 the prefix and 3531111 the phone number) you could try to send as +41793531111 or 0041793531111 or +41.793531111. If all variations do not work, please leave the sender field empty. Our message provider will then replace it with the default sender name. If the message gets successfully delivered with the default message, you can try to enter your own sender name (e.g. Jon Smith) instead of a phone number.
- Issues when spoofing with same provider: Spoofing a message within same provider within the same country might not work. For example: if you want to send a spoofed message from a cell phone using “o2” to another cell phone using “o2” the message won't arrive. But if you send the same message from a phone using “telekom” to a cell phone using “o2” it will work
- No credit: In order to use the Smishing feature you will need enough credits. To see your current balance go to the license page in LUCY.
- Issues with delivery (recipient number): sometimes the message is not delivered, because the phone number under the recipient is saved with the wrong format. Make sure recipients phone number always has the country code included.
- Issues with specific countries: in certain countries SMS spoofing will not work at all or SMS might only arrive if the sender is using a different country code. Example: in Belgium the SMS sender will get replaced by a general number like “8850” when using a different country code.
- Delivery issues (content): Unfortunately some operators block links in SMS sometimes (for example, in Russia it's nearly impossible to send a link in SMS). You could try to remove http link or create a plain SMS without a link to test this feature.
For further info please check out the support section at: http://support.messagebird.com/hc/en-us