Social Engineering TTPs Episode 1: Smishing with 2FA Spoofing
Phishing Technique: Two Factor Authentication via Text Messages.
In organizations where Zero Trust is not just a buzzword but an actual technique practiced alongside others, you will find that everyone keeps a critical eye on information exchange. On the authentication side, that model builds on the three Authenticator Assurance Levels (AALs) published in [NIST SP 800-63B](https://pages.nist.gov/800-63-3-Implementation-Resources/63B/AAL/):
AAL1 - Single-factor authentication, typically something you know (a password).
AAL2 - Multi-factor authentication, adding something you have (an authenticator app, a hardware token, or a code sent by text message; 800-63B treats delivery over SMS as a restricted authenticator, the weakest acceptable option).
AAL3 - Multi-factor authentication with a hardware-based cryptographic authenticator that resists verifier impersonation (a FIDO security key or smart card); something you are (a fingerprint or face) may serve as one factor alongside it, but 800-63B never accepts a biometric on its own.
To set the context for the rest of this article, the intent of the following phishing attempt was to manipulate the target's trust via a two-factor authentication text message (AAL2).
Many web applications support text messaging as a way to receive 2FA codes, and users have grown to trust this process over the last few years. After reviewing this attempt, I believe the goal was for the user to see the message, panic, click the link and hand over their credentials to "secure" the account, which is exactly what compromises it: the credentials go to the attacker's site rather than to Venmo.
It is important to note that cybersecurity professionals have to strike a balance between the security of the application and convenience for the customer on a regular basis. If the balance shifts too far in either direction, the result is either bad security or customers who are upset with the platform and turn security off.
When one considers the threat landscape, it is almost expected that threat actors would eventually go phishing via the most vulnerable aspect of 2FA: text messaging.
While working a few days ago I noticed a text message from what appeared to be Venmo providing a 2FA code. I was not using my Venmo account at the time, so I ignored it and kept working; worst case, 2FA was protecting my account and whoever was messing with it wasn't going to get in. When I had some time to read the message, here is what I saw:
Overall it seemed legitimate at first glance. You had the warning about never asking for information, the 2FA code, a "location" and a link to check your account if you suspected someone was trying to break in. It all seemed legitimate until I looked closer.
I started thinking about that text message and how it relates to a Social Engineering awareness course I taught a few months ago at work.
Phishing messages are typically recognized by certain characteristics:
Urgent language that demands immediate action.
Rapid trust-building through branding and familiar themes.
Requests for personal information.
Incorrect spelling or grammar.
Suspicious sender information.
Let's take a deeper look at this message and see how it compares to the criteria above.
Looking at the opening message you will see a large number of exclamation points and capitalized words used to place emphasis on areas of importance. I've used a red box to call out the area in question.
Words such as NEVER, ONLY YOU and BEWARE are meant to alarm the target.
This technique is almost a psychological primer for the section that comes next: the dreaded "someone accessed my account" message, and it wasn't me. If the target thought about it, they'd realize that with 2FA enabled nobody can "sign in" until the code is entered, so a code being delivered means the sign-in has not completed.
When you look at the message, the first thing you see is the Venmo logo. It might not be the Venmo logo you are used to seeing, but it is right there for the user to observe. A logo like this helps establish legitimacy and build trust that the message is genuine.
Out of curiosity, I embedded a Venmo URL in a web page and was greeted with the logo below, which deviates from the one above and makes me question the authenticity of the message.
From a marketing perspective, it does not make sense for Venmo to use a logo that is not fully visible in whichever medium it is being transmitted across.
What is unique about phishing text messages is that most of the time the request for information is indirect: "click here if you want to learn more" or "Not you? Go change your credentials now!" In this case we are presented with a link and a "sign in now!" type of prompt.
You'll notice the URL is https://www.venmo-report14.support/(some type of code)#(local client ID number). Everything after the # is a URL fragment, which the browser keeps to itself and never sends to the server, so an account identifier there serves no purpose for a real web application. Additionally, PayPal owns venmo.com, so why would Venmo send its users to a .support domain instead? The -report14 makes me wonder what happened to reports 1 through 13; each would have had to be registered separately, which is typical of lookalike domains bought in batches, not of a legitimate brand. This URL is more likely than not illegitimate and I would not recommend clicking on it.
This message was riddled with grammar mistakes. There is no case in English where a space belongs between the last word of a sentence and its punctuation. If this was generated by an AI or an automated platform, the error likely originated in the template.
As for the sender: I have no clue who this person was, but looking up the area code, 980, it is assigned to Charlotte, NC, and I suspect the number was spoofed from somewhere else entirely.
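As an added example (my own code, not part of the original message, the awareness course or any Venmo tooling), the following Python applies the five characteristics listed above, plus the URL checks just walked through, to a constructed sample text modelled on the message described here. The sample text, the code, the path, the fragment and the sender number are placeholders, and the brand allowlist is an assumption for the example; a production filter would use the Public Suffix List and a real sender reputation feed.

```python
import re
from typing import Optional
from urllib.parse import urlparse

# Assumption for this example: a tiny allowlist of brands and the registrable
# domains they legitimately use. Extend it for your own environment.
KNOWN_BRANDS = {"venmo": {"venmo.com"}, "paypal": {"paypal.com"}}

# Constructed sample modelled on the message the article describes. The code,
# the path, the fragment and the sender number are placeholders, not real values.
SAMPLE_SMS = (
    "Venmo : NEVER share this code with anyone . ONLY YOU should use it . "
    "BEWARE of callers asking for it !!! Your code is 482913 . "
    "Someone signed in from Charlotte, NC . Not you? Secure your account now : "
    "https://www.venmo-report14.support/a8f3k2#client-7731"
)
SAMPLE_SENDER = "+19805550123"

URL_RE = re.compile(r"https?://\S+")
CAPS_WORD_RE = re.compile(r"\b[A-Z]{3,}\b")            # NEVER, ONLY, BEWARE ...
SPACE_BEFORE_PUNCT_RE = re.compile(r"\w\s+[.,!?:;]")   # "word ." style errors
ACTION_RE = re.compile(r"\b(sign.?in|secure|verify|log.?in)\b", re.I)


def registrable_domain(hostname: str) -> str:
    """Last two labels of the host. Good enough for .com/.support; a real tool
    would consult the Public Suffix List to handle co.uk-style suffixes."""
    return ".".join(hostname.lower().split(".")[-2:])


def analyze_url(url: str) -> list:
    """Findings for one URL: brand lookalike, numbered label, fragment-only id."""
    p = urlparse(url)
    host = p.hostname or ""
    reg = registrable_domain(host)
    findings = []
    brand = next((b for b in KNOWN_BRANDS if b in host), None)
    if brand and reg not in KNOWN_BRANDS[brand]:
        findings.append(f"'{brand}' appears in hostname but registrable domain is {reg}")
    if re.search(r"\d+$", reg.split(".")[0]):
        findings.append(f"leftmost label of {reg} ends in a number (batch-registered lookalike?)")
    if p.fragment:
        # The fragment is client-side only; browsers never send it to the server.
        findings.append(f"identifier '{p.fragment}' sits in the fragment, which never reaches the server")
    return findings


def area_code(sender: str) -> Optional[str]:
    """Area code of a NANP number in E.164 form (+1XXXYYYZZZZ); None otherwise,
    including for 5- or 6-digit short codes that brands normally send from."""
    digits = re.sub(r"\D", "", sender)
    if len(digits) == 11 and digits.startswith("1"):
        return digits[1:4]
    return None


def triage(text: str, sender: str) -> dict:
    """Score a text message against the five phishing characteristics."""
    urls = URL_RE.findall(text)
    hits = {
        "urgency": text.count("!") >= 2 or len(CAPS_WORD_RE.findall(text)) >= 2,
        "branding": any(b in text.lower() for b in KNOWN_BRANDS),
        "info_request": bool(urls) and bool(ACTION_RE.search(text)),
        "grammar": len(SPACE_BEFORE_PUNCT_RE.findall(text)) >= 2,
        # A full 10-digit number rather than a short code is itself a signal;
        # the area code says nothing about the true origin, since it is spoofable.
        "sender": area_code(sender) is not None,
    }
    return {
        "hits": hits,
        "score": sum(hits.values()),
        "url_findings": [f for u in urls for f in analyze_url(u)],
        "area_code": area_code(sender),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_SMS, SAMPLE_SENDER)
    print(f"score {result['score']}/5, area code {result['area_code']}")
    for finding in result["url_findings"]:
        print(" -", finding)
```

The score is only a triage aid: a genuine 2FA code text will normally hit one or two of the five (branding, maybe a short URL), while the sample above trips all five. The URL findings are the part worth acting on, because a brand name inside a non-brand registrable domain is decisive regardless of how polished the rest of the message is.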
I'll give credit where credit is due. This was a very well done phishing message for someone looking quickly and making a fast decision. At first glance it almost looks legitimate, and the average person might not notice that it is fake before it is too late. At that point they are in recovery mode and don't really care how the attackers got into their account. From a zero-trust perspective, I must reiterate that zero trust is one tool of many in the defender's toolkit. The use of 2FA is meant to provide a higher level of authentication, and when that process is exploited it can lead to some very poor decisions.
It is important that everyone double checks unsolicited text messages. If something doesn't seem right, don't click the link. Go on a computer and navigate to your account independently of that message. At that point you can verify the account activity without compromising your system.