科技回声 (TechEcho): a technology news platform built with Next.js, providing global tech news and discussion content.

Smishing

45 points by mffap, about 3 years ago

9 comments

mdp2021, about 3 years ago
To the puzzled: 'Smishing' = 'SMS' ∩ 'phishing'

> Signs that you are getting "Smished": [...] when you receive a message from bigger service providers, (f.e. banks, post offices, or delivery services) they will mostly have their company names displayed instead of their numbers

The formulation in the article may lead to very bad advice: in some areas, scammers do display a "company name", regularly. So: a numeric sender string increases the chances of the SMS being a scam; an alphanumeric sender string /does not/ decrease the chances of the SMS being a scam.

vitus, about 3 years ago
> As software capable of zero-click exploit, Pegasus requires no user interaction to operate: ... As a result of a simple click on the URL, the spyware was granted unlimited access to every information stored on the iPhone.

That's a one-click exploit, no?

Pegasus has demonstrated zero-click exploits (e.g. PDF embedded in GIF), but this is not one.

edit: the provided CitizenLab link [0] describes two classes of attacks, "zero-click exploits and malicious SMSes". Looks like the author conflated the two?

[0] https://citizenlab.ca/2022/04/catalangate-extensive-mercenary-spyware-operation-against-catalans-using-pegasus-candiru/

HL33tibCe7, about 3 years ago
> The number of the sender and that of the service provider they claim to be, do not match.

Don't forget that the caller ID here can be spoofed. It's best to disregard it completely.

One of the infographics in the article suggests looking up the number of the text, which I'd suggest is actively harmful advice - it gives you zero information and risks lulling people into a false sense of security. Assume that all texts are from scammers and act accordingly.

paywallasinbeer, about 3 years ago
It would be great if a section about BEC [0] was included. At $WORK we see a lot of "Smishes" that pretend to be our CEO/CTO that ask for the user to send them money. E.g. "Hello it's $CEO, I'm in a meeting currently and need your help. Can you send me 300 dollars in apple gift cards?"

[0] https://www.fbi.gov/scams-and-safety/common-scams-and-crimes/business-email-compromise

usrn, about 3 years ago
Anything that has anything to do with the cellular network is irredeemably broken and should be avoided.
jb1991, about 3 years ago
It's one thing to smish a man, but it's even better if you can teach him how to smish.
DerekBickerton, about 3 years ago
> In many cases, simply clicking the provided link can initiate a download process of viruses or malware

I imagine some payloads use JavaScript to infect a device upon clicking. They probably target Chrome, or god forbid the Samsung Internet browser. If you wanted to see the payload, just open the link in a secure sandbox environment and view the source. Congratulations to them, they just allowed you to see their 0day in the wild, and it's no longer a 0day.

cestith, about 3 years ago
I disagree that so many things in tech need to be intentional spoonerisms.

It's still "phishing" to me no matter what the medium.

edm0nd, about 3 years ago
A good read, https://citizenlab.ca/2022/04/catalangate-extensive-mercenary-spyware-operation-against-catalans-using-pegasus-candiru/