Smishing, also known as SMS phishing, is a form of fraudulent communication in which an attacker disguises SMS messages to deceive a target into disclosing sensitive data. Smishing attacks use a variety of tactics, but they share the goal of stealing money or personally identifiable information (PII) from the victim. In response, a wide variety of anti-smishing tools have been developed to block or filter these messages. Despite this, the number of phishing attacks continues to rise. In this paper, we develop a test bed for measuring the effectiveness of popular anti-smishing tools against fresh smishing attacks. To collect fresh smishing data, we introduce Smishtank.com, a collaborative online resource for reporting and collecting smishing data sets. The SMS messages were validated by a security expert, and an in-depth qualitative analysis of the collected messages was performed to provide further insight. To compare tool effectiveness, we experimented with 20 smishing and benign messages across 3 key segments of the SMS delivery ecosystem: carriers, bulk messaging services, and anti-phishing apps. Our results reveal significant room for improvement in all 3 segments against our smishing set. Most anti-phishing apps and bulk messaging services did not filter smishing messages beyond what the carrier had already blocked. The 2 apps that blocked the most smishing messages also blocked 85-100% of benign messages. Finally, while carriers did not block any benign messages, they reached only a 25-35% blocking rate for smishing messages. Our work provides insight into the performance of anti-smishing tools and the roles they play in the message blocking process, and it enables the research community and industry to be better informed about the current state of anti-smishing technology on the SMS platform.