Phishing messages and fake websites that steal users’ credentials are commonplace. Recently, however, mobile banking users in China have faced a new wrinkle: phishing texts that appear to come from a major bank’s official service number.
GSM is not a secure network because authentication between the handset and the network runs in only one direction: the network verifies the subscriber (through the SIM), but the handset never verifies the network. An attacker can exploit this by standing up a fake base station, to which nearby phones will attach, and pushing bulk text messages to them with any sender number the attacker chooses. Later generations (3G and 4G) added mutual authentication, but a handset that can still fall back to 2G remains exposed. For more information, see: https://www.twelvesec.com/?s=fake+base+station
The following two screen captures show SMS messages that appear to come from the service number of a well-known bank in China:
The messages warn that the recipient’s mobile banking account is about to be disabled and direct the potential victim to fake websites.
The bogus site imitates the bank’s web interface and “requires” the user to enter an account number, password, and mobile phone number in order to register for mobile banking. The following images show the fake interface (left) and the legitimate interface (right) of the bank.
If a victim hands over the account number, password, and mobile phone number, the attacker can at the very least log in to the account and harvest its information, and is in a much better position to steal money from it. Whether funds can actually be moved depends on the bank: where transactions require a one-time password sent to the registered phone, the stolen credentials alone may not be enough to withdraw money.
The key to this threat is that the SMS texts appear to come from the bank’s official number. This matters because most people trust a message that looks authentic, and the sender number is the first thing they check. Unfortunately, this field is trivially forged with a fake base station and an SMS mass-sending tool.
A phone camps on the strongest cell it can see, so when a user enters an area where the fake base station’s signal is stronger than the real one’s, the phone attaches to the fake station, which can then push SMS messages to it under any sender number. The equipment can sit in a house or in a moving car, and in China it is inexpensive to buy.
Threats vary considerably. In this case, even apparently official phone numbers, websites, and other seemingly authorized sources have to be questioned to avoid being cheated: the sender number proves nothing, and only the destination the link actually leads to can be judged.
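The following is an added example (not code from the original post or from any McAfee product) of how a message filter can apply that rule: it ignores the displayed sender number as evidence of authenticity and instead resolves every link in the body to the host a browser would really connect to, then checks that host against an allow-list of the bank’s real domains. The short code 95000 and the domain examplebank.com.cn are placeholders for the demonstration, not any real bank’s values, and the sample messages are constructed, not captured. The three smishing samples show the common lookalike tricks: the real domain used as a subdomain prefix, the real domain placed in the userinfo part before an @, and a hyphenated variant with a different TLD.

```python
import re
from urllib.parse import urlsplit

# Constructed allow-list for the demonstration: a bank's service short code and the
# hostnames it legitimately links to. "95000" and "examplebank.com.cn" are placeholders,
# not any real bank's number or domain.
TRUSTED_SENDERS = {
    "95000": ("examplebank.com.cn",),
}

# Matches http(s) URLs and bare hostnames as they appear in SMS bodies, including an
# optional userinfo part ("trusted.com@evil.net") so the real host is parsed correctly.
URL_RE = re.compile(
    r"\b(?:https?://)?(?:[^\s@/]+@)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?::\d+)?(?:/[^\s]*)?",
    re.I,
)


def hostname_of(url: str) -> str:
    """Return the lowercase host a browser would actually connect to for `url`."""
    if "://" not in url:
        url = "http://" + url                 # urlsplit needs a scheme to fill netloc
    host = urlsplit(url).hostname or ""       # drops userinfo and port
    return host.lower().rstrip(".")


def host_is_trusted(host: str, trusted: tuple[str, ...]) -> bool:
    """True only for an exact match or a true subdomain of a trusted domain.
    A trusted name embedded as a prefix label (examplebank.com.cn.verify-now.net)
    or with a changed TLD (examplebank-cn.com) does not count."""
    return any(host == d or host.endswith("." + d) for d in trusted)


def classify_sms(sender: str, body: str) -> str:
    """Classify one message as 'smishing', 'clean' or 'unverified-sender'.

    The sender number is used only to look up which domains the claimed sender
    is allowed to link to; it is never treated as proof that the message is genuine.
    """
    trusted = TRUSTED_SENDERS.get(sender)
    if trusted is None:
        return "unverified-sender"            # not claiming an official number; out of scope
    hosts = [hostname_of(u) for u in URL_RE.findall(body)]
    if hosts and not all(host_is_trusted(h, trusted) for h in hosts):
        return "smishing"
    return "clean"


# Constructed sample traffic (not captured messages): sender ID as the phone displays it.
SAMPLES = [
    ("95000", "Your mobile banking will be suspended today. Re-register at "
              "http://examplebank.com.cn.mobile-verify.net/login"),
    ("95000", "Account update required: examplebank.com.cn@m-bank-secure.com/verify"),
    ("95000", "Notice: http://examplebank-cn.com/app"),
    ("95000", "Your statement is ready at https://m.examplebank.com.cn/statement"),
    ("95000", "Your verification code is 481 203. Do not share it."),
    ("+8613800000000", "Hi, are you free tonight? http://example.org"),
]


def run(samples=SAMPLES):
    """Classify every sample and return (sender, verdict) pairs."""
    return [(sender, classify_sms(sender, body)) for sender, body in samples]


if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(f"{classify_sms(sender, body):18} {sender:>15}  {body}")
```

The allow-list is the part that has to be maintained from an authoritative source (the bank’s published domains), because the filter is only as good as that list; a message with no link at all, such as a one-time code, is left alone rather than flagged on keywords.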
A stand-alone fake base station is typically not connected to the carrier’s real network, so anything you send through it goes nowhere. To check whether your device is connected to a fake base station, try the following:
- Call your provider’s service number and see whether the call connects; for example, a China Mobile user can call 10086.
- Send a text message to your provider’s service number and wait for the reply. For China Mobile, text 10086.
- If you don’t mind bothering a friend, text or call to confirm that you have a legitimate connection.
Intel Security, through McAfee Mobile Security, detects these malicious text messages as SMS/Smishing.D.