Smishing Example

What is Smishing?

Smishing, a portmanteau of “phishing” and “SMS,” the latter being the protocol used by most phone text messaging services, is a cyberattack that uses misleading text messages to deceive victims. The goal is to trick you into believing that a message has arrived from a trusted person or organization, and then convincing you to take action that gives the attacker exploitable information (like bank account login credentials, for example) or access to your mobile device.

I received this recently and I wanted to share it so you can see a real-life example. I’ve blocked out the link for safety.

I did not go to this website, but you can bet they copied the look of USPS’s website along with a login page. This login page will not let you log in, because this is a fake site. What it will do is capture your email and password.

So what, right? No harm done. Well, here is another term to learn: credential stuffing.

What is Credential Stuffing?

Credential stuffing is the automated injection of stolen username and password pairs (“credentials”) into website login forms, in order to fraudulently gain access to user accounts.

Since many users will re-use the same password and username/email, when those credentials are exposed (by a database breach or phishing attack, for example) submitting those sets of stolen credentials into dozens or hundreds of other sites can allow an attacker to compromise those accounts too.

Credential Stuffing is a subset of the brute force attack category. Brute forcing will attempt to try multiple passwords against one or multiple accounts; guessing a password, in other words. Credential Stuffing typically refers to specifically using known (breached) username / password pairs against other websites.

https://owasp.org/www-community/attacks/Credential_stuffing
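As an added example (not from the original post or from OWASP), here is a small Python check over constructed login-log lines that separates credential stuffing (one source trying many different accounts) from plain brute force (one source hammering one account), and then lists the accounts where a stuffed password actually worked. The log format, IP addresses and usernames are all made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample login log: timestamp, source IP, username, outcome.
# 203.0.113.5 cycles through many different accounts (credential stuffing);
# 198.51.100.7 hammers one account (plain brute force) and is not flagged.
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.5 alice@example.com FAIL
2024-05-01T10:00:02 203.0.113.5 bob@example.com FAIL
2024-05-01T10:00:02 203.0.113.5 carol@example.com FAIL
2024-05-01T10:00:03 203.0.113.5 dave@example.com SUCCESS
2024-05-01T10:00:04 203.0.113.5 erin@example.com FAIL
2024-05-01T10:00:05 203.0.113.5 frank@example.com FAIL
2024-05-01T10:01:00 198.51.100.7 alice@example.com FAIL
2024-05-01T10:01:30 198.51.100.7 alice@example.com FAIL
2024-05-01T10:02:00 198.51.100.7 alice@example.com SUCCESS
"""
def parse_line(line):
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts), ip, user, outcome

def find_credential_stuffing(log_text, window=timedelta(minutes=5), min_users=5):
    """Return {ip: sorted usernames attempted} for source IPs that tried at
    least `min_users` distinct accounts inside any `window`-long period."""
    events = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, ip, user, _ = parse_line(line)
        events[ip].append((ts, user))
    flagged = {}
    for ip, attempts in events.items():
        attempts.sort()  # sliding window over chronologically ordered attempts
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            if len({u for _, u in attempts[start:end + 1]}) >= min_users:
                flagged[ip] = sorted({u for _, u in attempts})
                break
    return flagged

def likely_compromised(log_text, **kwargs):
    """Accounts that logged in successfully from a flagged IP: the breached
    password was reused here, so they need a forced reset."""
    stuffing_ips = find_credential_stuffing(log_text, **kwargs)
    hits = set()
    for line in log_text.strip().splitlines():
        _, ip, user, outcome = parse_line(line)
        if ip in stuffing_ips and outcome == "SUCCESS":
            hits.add(user)
    return sorted(hits)
```

On the sample log only 203.0.113.5 is flagged, and dave@example.com is the one account whose reused password let the attacker in.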

This is exactly what these bad guys or hackers will do. They might also sell the list they get to other hackers, who will then try the same thing. So use a password manager and don’t use the same password on more than one site. Don’t click on anything you are not expecting. If you’re unsure, contact the source directly. In this case, I am not expecting anything from USPS, and I see so many red flags on this that I know it is smishing.

Those red flags are:

  • I’m not expecting it.
  • The sender’s address – It is not usps.gov, which is what I would expect; instead it is ups.gidaew24lw@usps.tw. What the heck is that?!
  • The URL didn’t make sense either. I would expect usps.gov, but it is a .com and it wasn’t usps.com either. So strange, right?