![Abnormal communication should set off alarm bells, for instance, receiving an unsolicited authentication text message. Picture Shutterstock](/images/transform/v1/crop/frm/3BUUzmFAhrhLyX9rFCubPq5/0be4dd33-834e-4ed3-b731-bc5ab40bb0f8.jpg/r0_612_6720_4405_w1200_h678_fmax.jpg)
The recent breach against Optus seems to have raised more questions than answers. While we know millions of customers have had personal details disclosed on the dark web, the implications when it comes to people's identities remain to be seen.
Optus has advised customers to exercise greater caution with any emails, texts or phone calls potentially coming from scammers with texts displaying their personal information - and some customers have already reported receiving suspicious text messages, including ones purporting to be from family members requesting money to pay for petrol.
Australians are already somewhat used to scam texts by now, having lost a record $2 billion to this type of crime over the past year.
There was also the August incident reported by messaging provider Signal, where 1900 users had their phone numbers compromised. According to Signal, this was due to employees at Twilio - the provider it uses for phone number verification services - accidentally updating their passwords on nefarious websites.
The compromised credentials led to criminals accessing both the Twilio system and users' phone numbers, meaning they could receive authentication text messages, complete the authentication process and impersonate victims. Indeed, the hacker ended up searching for three phone numbers and re-registering the account of one user.
Research from the Lookout Threat Lab found this specific threat actor has also targeted employees across a range of industries including telecommunications, cryptocurrency, customer service and social media.
Having people authenticate themselves with both a password and a one-time text-message code was once viewed as a bullet-proof way to ensure the security of accounts and personal information. But due to widespread practices such as malware and SIM-swapping, hackers can access these codes and the information they protect relatively easily.
Indeed, this highlights the concerning part of the Optus breach. With access to troves of personal information, hackers can build sophisticated campaigns around individuals, with the ability to authenticate themselves and set up all manner of accounts in their name.
In the wake of this hack, Australians and organisational leaders need to re-evaluate their approach to security to protect themselves and their sensitive information.
The evolution of phishing and smishing
Phishing, or criminals sending emails purporting to be from reputable sources, has evolved over the years.
While classic business email compromise attacks were one of the most common types reported in Australia last year, the widespread use of mobile devices for shopping, banking and working has opened the floodgates for smishing, i.e. phishing attempts made via SMS or texting applications.
One example of smishing is this year's "Hi mum" scams, which involve hackers sending texts or WhatsApp messages to parents impersonating their children. The "child" typically says they've changed their phone and need money to get out of a bind. More than 1150 Australians have already lost considerable sums of money to these attacks.
With the Optus breach exposing people's personally identifiable information including their date of birth, addresses and driver's license number or passport number, scammers will be armed with more information to convince the text recipient that their text is legitimate.
Furthermore, mobile devices are typically equipped with less security, and their smaller screens and simplified user interfaces hide a lot of the tell-tale signs of a scam, such as additional characters at the end of a URL.
Phishing kits are also frequently sold in the malware-as-a-service market, giving attackers more capabilities than ever before. These kits are often relatively cheap and provide even inexperienced attackers with the tools to target organisations with complex phishing campaigns.
Spotting the red flags
Attackers are getting better at building slick, realistic phishing and smishing campaigns, and now they have a potential plethora of data from the Optus breach to work with. This makes red flags harder to spot, but there are a few key things to look out for.
Abnormal communication should set off alarm bells, for instance, receiving an unsolicited authentication text message. Also, in the Signal example, one of the three targeted users received a text message verification code at an odd time - the middle of the night.
People should also assess whether the message includes manipulative tactics to snap them into immediate action, whether this is clicking a link or sending money by a deadline.
Location discrepancy, misspelled words or suspicious URLs are also tell-tale signs of a smishing scam.
How organisations can stay vigilant
The Signal story shows the effects a smishing campaign can have on an organisation, its customers and its employees. An attacker's goal isn't always the service it initially compromised, and if just one employee hands over their credentials, criminals can gain access to an organisation's entire cloud infrastructure - as well as those of the companies it's connected to.
This can unlock sensitive information required to commit identity and financial fraud, or to execute a ransomware attack.
Organisations should provide ongoing education about how to handle phishing and smishing campaigns. For instance, let people know that if they receive an authentication text message but didn't try to log in anywhere themselves, they should immediately report it to their IT team.
It's also crucial to consider the dispersed nature of organisations. Employees now log into networks from a range of devices and over many different locations. They're also using SMS, social media and other third-party messaging platforms like WhatsApp, which lie outside the control of security teams.
Leaders should ensure employees are aligned on a consistent security roadmap, and have the right tools in place as a safety net for human error. This includes measures that can alert them to suspicious behaviour across the entire perimeter, and detect indicators of malicious activity beyond the traditional network.
The Optus breach will undoubtedly lead to an increase in smishing attempts, with scammers looking to exploit our data, habits and inherent natures. But if we stay educated and have the right measures in place, we can beat them at their own game.
- Don Tan has more than 20 years' experience in the cyber security industry. He is senior director, APJ at Lookout Inc where he is responsible for the company's strategy in the Asia-Pacific region.