Smishing, also known as SMS phishing, is a type of fraudulent communication in which an attacker crafts deceptive SMS messages to trick a target into disclosing sensitive data. Smishing attacks use a variety of tactics, but they share the goal of stealing money or personally identifiable information (PII) from a victim. In response to these attacks, a wide variety of anti-smishing tools have been developed to block or filter these messages. Despite this, the number of phishing attacks continues to rise. In this paper, we develop a test bed for measuring the effectiveness of popular anti-smishing tools against fresh smishing attacks. To collect fresh smishing data, we introduce Smishtank.com, a collaborative online resource for reporting and collecting smishing data sets. The SMS messages were validated by a security expert, and an in-depth qualitative analysis was performed on the collected messages to provide further insights. To compare tool effectiveness, we experimented with 20 smishing and benign messages across 3 key segments of the SMS message delivery ecosystem. Our results reveal significant room for improvement in all 3 segments against our smishing set. Most anti-phishing apps and bulk messaging services did not filter smishing messages beyond the carrier's own blocking. The 2 apps that blocked the most smishing messages also blocked 85-100% of benign messages. Finally, while carriers did not block any benign messages, they reached only a 25-35% blocking rate for smishing messages. Our work provides insights into the performance of anti-smishing tools and the roles they play in the message blocking process, and enables the research community and industry to be better informed about the current state of anti-smishing technology on the SMS platform.
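The abstract reports two numbers per segment: the share of smishing messages a filter blocks and the share of benign messages it wrongly blocks. The scoring harness below is an added example (not the paper's test bed or Smishtank.com code) showing how those two rates are computed over a labeled message set, and why a filter that scores well on the first can score badly on the second. The corpus, the three filter heuristics (a carrier-style known-bad-host list, a URL-only blocker, and a lure-phrase-plus-URL rule) and the `.example` hosts are all constructed for illustration and are not drawn from the paper's data.

```python
"""Scoring harness for an anti-smishing test bed.

Added example, not the paper's code. Every message, host name and filter rule
below is constructed for illustration.

A filter is a function text -> True if it would block the message. evaluate()
returns the two rates the abstract compares per segment:
  smish_block_rate   = blocked smishing messages / all smishing messages
  benign_block_rate  = blocked benign messages   / all benign messages
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List
from urllib.parse import urlparse


@dataclass(frozen=True)
class Message:
    text: str
    is_smish: bool  # ground-truth label, as a security expert would assign it


# Constructed corpus (hypothetical texts and .example hosts). The last smishing
# entry carries no URL at all, standing in for a "fresh" lure a URL-based rule misses.
CORPUS: List[Message] = [
    Message("USPS: your package is held. Confirm address at http://usps-track.example/verify", True),
    Message("Your bank account is locked. Verify now: https://secure-login.example/acct", True),
    Message("You won a $500 gift card! Claim at http://prize.example", True),
    Message("Netflix: payment failed, update billing https://nflx-billing.example", True),
    Message("Hey it's me, I lost my phone, this is my new number. Reply so I can reach you", True),
    Message("Your one-time passcode is 482913. Do not share it.", False),
    Message("Your appointment is confirmed for Tuesday at 3pm.", False),
    Message("Your order has shipped. Track it: https://shop.example/orders/1234", False),
    Message("Reminder: library books due Friday. Renew at https://library.example", False),
]

Filter = Callable[[str], bool]

URL_RE = re.compile(r"https?://[^\s]+", re.I)
LURE_RE = re.compile(r"\b(verify|locked|claim|won|payment failed|confirm address)\b", re.I)
# Hypothetical blocklist standing in for a carrier's known-bad host feed.
KNOWN_BAD_HOSTS = {"usps-track.example", "prize.example"}


def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def carrier_like(text: str) -> bool:
    """Blocks only links to a known-bad host: no benign loss, but misses unseen hosts."""
    return any(_host(u) in KNOWN_BAD_HOSTS for u in URL_RE.findall(text))


def aggressive_app(text: str) -> bool:
    """Blocks any message containing a URL: catches every URL lure, and benign links too."""
    return URL_RE.search(text) is not None


def lure_plus_url(text: str) -> bool:
    """Requires a URL and a lure phrase: cleaner, but blind to URL-free social lures."""
    return URL_RE.search(text) is not None and LURE_RE.search(text) is not None


def evaluate(flt: Filter, corpus: List[Message]) -> Dict[str, float]:
    """Return smish_block_rate and benign_block_rate for one filter over a labeled corpus."""
    smish = [m for m in corpus if m.is_smish]
    benign = [m for m in corpus if not m.is_smish]
    return {
        "smish_block_rate": sum(flt(m.text) for m in smish) / len(smish),
        "benign_block_rate": sum(flt(m.text) for m in benign) / len(benign),
    }


def compare(corpus: List[Message]) -> Dict[str, Dict[str, float]]:
    """Score every filter in the test bed against the same corpus."""
    filters = {
        "carrier_like": carrier_like,
        "aggressive_app": aggressive_app,
        "lure_plus_url": lure_plus_url,
    }
    return {name: evaluate(f, corpus) for name, f in filters.items()}


if __name__ == "__main__":
    for name, rates in compare(CORPUS).items():
        print(f"{name:15s} smish blocked {rates['smish_block_rate']:.0%}, "
              f"benign blocked {rates['benign_block_rate']:.0%}")
```

Run on the constructed corpus, the known-bad-host filter blocks no benign messages but only 40% of the smishing set, the URL-only blocker reaches 80% on smishing at the cost of blocking half the benign messages, and the lure-plus-URL rule also stops at 80% because the no-URL lure evades it. The same two rates, measured on a fresh rather than a tuned-on set, are what separate a filter that looks good in a demo from one that is useful on a phone.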