Attackers use socially engineered SMS messages & malware to compromise 10s of 1,000s of devices & drain user bank accounts.
They are impersonating the Iranian Govt. in a widespread SMS phishing campaign that is defrauding 1,000s of Android users by installing malware on their devices that can steal their credit card data & take money from financial accounts.
Malicious Website
Researchers from Check Point Research estimate that the campaign, which sends so called “smishing” messages that tempt victims to visit a malicious website, has already compromised 10s of 1,000s of devices. This has resulted in the theft of billions of Iranian rial (or 100s of 1,000s of US dollars), they explained in a report published Wed.
The campaign is 1st delivered as a standard smishing attack, using socially engineered SMS messages sent to a potential victim’s device to lure them to a malicious website, researchers stated. There they are asked to enter account info while Android malware silently installs a backdoor on devices.
Impressive
What has been impressive about the campaign is its ability of attackers to defraud so many people of so much money, researchers observed.
“What is noteworthy about these current campaigns is the sheer scale of the attack,” they wrote in the report, adding that “an unprecedented number of victims” have shared similar stories on social networks about how their bank accounts were drained by the cyber-criminals.
Capabilities
The malware delivered to targets via the malicious site has a number of backdoor capabilities that allow attackers to steal money from people’s accounts, maintain persistence on their devices, & allow attackers to take over device functionality, researchers reported.
The malware immediately steals all of the victim’s SMS messages to a command-&-control (C2) server; with this type of data access, attackers can then bypass 2-factor authentication (2FA) on financial accounts & make unauthorised account withdrawals, researchers explained.
Backdoor
The app also hides its icon on the device, making it difficult for people to remove or control the app. The backdoor can then maintain persistence & use its botnet capabilities, communicating with the C2 server via Firebase Cloud Messaging to allow attackers to execute additional commands on the victim’s device.
This can include stealing contacts & sending SMS messages, researchers commented.
The malware also has a wormable component to it. It can expand the campaign’s attack surface by sending SMS messages to a list of potential victims using a custom message & a list of phone numbers retrieved from the C2 server, researchers stated.
This allows attackers to bypass any existing blocks on “malicious” numbers by telecom companies because the smishing messages are delivered from the phone numbers of recognised users, they outlined.
Attack Sequence
The attack typically begins with an SMS message from an electronic judicial notification system that notifies the victim that a new complaint was opened against them—which in Iran, is not something to be ignored, researchers informed.
“The seriousness of such an issue might explain why the campaign has gone viral,” they observed in the report. “When official government messages are involved, most citizens do not think twice before clicking the links.”
Electronic System
The link points a target to what looks like an official government site, ostensibly to read the full complaint. There the user is asked to enter personal identification information to proceed to an electronic system to do so, using current COVID restrictions as a reason this must be done electronically.
When this is done, the campaign redirects the victim to a page to download a malicious .apk file that, once installed, shows a fake login page for the Iranian electronic judicial notification system authentication service.
The page, which appears authentic, asks the victim to enter his or her mobile phone & national identity numbers as well as also notifies the victim that a small fee–—typically 20,000, or sometimes 50,000 Iranian rials, the equivalent of US $1–is required to proceed. The trivial amount lessens any suspicious & makes the transaction seen legitimate, researchers noted.
Payment Page
Once the details are entered, the target is redirected to a payment page that shows a “payment error” message once the person carries through with the transaction—a signal that attackers already have taken the money & the person’s payment info.
The malware payload of the campaign also has been installed on a person’s device at this point, allowing the attacker to proceed with further theft & other malicious activity.
