Showing posts with label OPSEC. Show all posts
Showing posts with label OPSEC. Show all posts

Friday 3 April 2020

Awareness around COVID-19 SMS Phishing (Smishing)

This blog-post discusses an issue known for almost 20years, which is related to the online SMS platforms. Given the recent pandemic and the use of the GSM network for sending SMS notifications to the public, it in an opportunity to raise awareness regarding Smishing (SMS Phishing) attempts, targeting the public which is affected by COVID-19.


In Greece, the number 13033 is being used to send SMS confirmations to people who use this particular service, which is used for registering in advance their daily movements when it comes to get essential goods (such as, going to the supermarket, the pharmacy, etc.) before they exit their homes. Due to the COVID-19 pandemic, this process attempts to limit people’s unnecessary movement(s), in an attempt to minimise the risk of getting affected, or contaminating others in case the person is a carrier of the virus.

Given the importance of the pandemic and the necessity of this service, it is mandatory to mention that it is possible to spoof the SEND ID in order to send SMS updates to recipients pretending to be from the original 13033 service number. This action, have the potential to trick the recipients (general public) in clicking on malicious links, or by using Social Engineering (and potentially scare tactics) to ask recipients to pay a fine that has been imposed. 

"Given the current situation, it would be beneficial to everyone if the Ministry in Greece responsible for operating the 13033 service (and other Ministries around the globe that use similar services), could promote a campaign educating all recipients regarding the potential threat of Smishing"

More specifically, the public should be informed that they should under no circumstances visits any URLs received by the 13033 service and that the 13033 service will not send any messages requesting to pay any finesThe public need to be aware that in case they receive such messages, these should be ignored and deleted.  

The proof of concept for the alluded was tested and proven by @DimisMeu and we decided to publish this blog post in order to be able to raise the necessary awareness. 

Friday 5 June 2015

Understanding the significance of Operations Security (OPSEC) in a fast evolving threat landscape

It is not the first time a military term is being used by the Information Security community in order to describe an Information Assurance process. Operations Security (OPSEC) is a military term referring to the protection of different types of unclassified information which could end up exposing the security of an entity if put together and combined. In other words, in information security OPSEC describes the process by which publicly available information (unclassified) can be used against us if taken advantage by cyber criminals and/or adversaries with malicious intent.