Uptick in Mobile SMS Phishing (Smishing)

Impersonations of Wells Fargo phishing emails seem to be on the increase. Received two over the last week on my phone.

The text reads: "Wellsfargo: We have detected unusual activity regarding your account, follow the link for security reason. https:/bit.ly/XXXXXXX to verify details." Login page intentionally obscured here with XXXXXXX.

Using a short URL decoder I found the URL resolved to a phishing site registered on Namecheap. Namecheap seems to be a popular registrar for these. Namecheap also provides free privacy. The page hosts a phony mobile Wells Fargo login page. The page is fairly well done. Of course, if you look at the URL bar you would immediately know it's not a valid Wells Fargo site as it is just a site name and not a homograph/doppelganger. Have you noticed any of these?

1 Like
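The check described in the post above, written out as an added example that is not part of the original thread: pull the link out of the SMS, note whether it hides behind a shortener, and classify the hostname a short-URL expander reports against the brand's real domain. The shortener list, the use of `wellsfargo.com` as the brand domain, and the resolved hostname `account-verify-login.example` are assumptions or constructed placeholders.

```python
import re
from urllib.parse import urlsplit

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}  # assumed sample list, extend as needed
BRAND = "wellsfargo.com"                        # domain the message claims to come from
URL_RE = re.compile(r"https?:/{1,2}\S+", re.I)  # tolerates the single-slash "https:/" form

def extract_hosts(sms):
    """Return lower-cased hostnames of every link in an SMS body."""
    hosts = []
    for raw in URL_RE.findall(sms):
        fixed = re.sub(r"^(https?):/+", r"\1://", raw, flags=re.I)
        host = urlsplit(fixed).hostname
        if host:
            hosts.append(host.lower())
    return hosts

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(host, brand=BRAND):
    """'legitimate', 'lookalike' (homograph/doppelganger style) or 'unrelated'."""
    host = host.lower().rstrip(".")
    if host == brand or host.endswith("." + brand):
        return "legitimate"
    try:  # decode punycode labels so a swapped Unicode letter is compared as text
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass
    name = brand.split(".")[0]
    for label in host.split("."):
        if name in label or edit_distance(label, name) <= 2:
            return "lookalike"
    return "unrelated"

def triage(sms, resolved_host):
    """resolved_host is what a short-URL expander reported for the link."""
    return {"shortened": any(h in SHORTENERS for h in extract_hosts(sms)),
            "verdict": classify_host(resolved_host)}

# Constructed sample: the text from the post, with a placeholder resolved host.
SMS = ("Wellsfargo: We have detected unusual activity regarding your account, "
       "follow the link for security reason. https:/bit.ly/XXXXXXX to verify details.")
if __name__ == "__main__":
    print(triage(SMS, "account-verify-login.example"))
```

An "unrelated" verdict on a message that names the brand is the case the post describes: the landing host makes no attempt to resemble the real domain, so the address bar alone gives it away.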

Here’s my question: when I get these kinds of mobile text phishing notices (all very obvious), I wonder if they can “infect” my phone just by clicking on them (i.e. ransomware)? Is that possible, or is it always click through and then have to input details by hand (oops)? I would never click through anyway, but I have always been curious if the technology has advanced enough to do that. Thanks!

1 Like

There are fairly rare scenarios where simply clicking on the link might be enough to exploit a phone, but they aren’t super common. It can happen when an attacker has found a way to exploit something that isn’t generally known to the vendor (i.e. a zero day) or before the patch has been created or applied to the phone. But these attacks are fairly rare, because when they are discovered the vendor works to close the holes very quickly. Zero days are pretty valuable to hackers or state-sponsored cyber criminals. If they found a zero day a bounty hunter might try to sell it for $$$, and it is unlikely they would waste it on you unless you were a really high value target.

There is probably a longer delay to getting cell phones patched than regular computers, but the attacks are far more infrequent and so the math is probably about the same…which means fairly rare. Most cell phone users will never be hit by a zero day…maybe a few people out of many million over their entire lifetimes. So, it’s possible, but exceedingly rare. Far more common is where someone clicks on something and then an additional prompt has to be approved to allow the malware to execute. That is the far bigger threat and common scenario. So, in general, if a user doesn’t get tricked into clicking on an additional prompt to allow execution of something they are pretty well protected. But there will be those “lucky” few who do nothing but click once on a link and that’s enough. So, best practice is to avoid clicking on any unknown and unexpected link if possible.

Thanks so much for the details. I’ve been wondering this every week when I get our KnowBe4 newsletter. Have a great day - and stay warm!

1 Like

Larry, thanks for contributing to the discussion in the community!! We encourage questions and participation by Hackbuster’s users to make this community the best place to discuss social engineering.

Best,
Howard

