Smishing has been identified as a new and sophisticated method of obtaining personal and financial information from victims by using fake forms on fraudulent websites. Smishing is a cyberattack tactic that combines SMS (short message service, usually known as text messages) and phishing.
Infoblox Inc., a leader in secure and cloud-managed network services, has published a new edition of the company’s Quarterly Cyber Threat Intelligence Report, a security intelligence report that compiles the main threats and security breaches detected during the previous three months on a quarterly basis worldwide. Among the main conclusions of this report, which covers the months of April to June 2022, are:
Smishing – a strategy that combines SMS and phishing
Smishing messages are sent by bad actors to get victims to reveal private information, including passwords, identity and financial data. The messages typically include some incentive for the recipient to click a link, which may be for a site that hosts malware or a page that attempts to convince the user to submit data through a form.
Actors have regularly used spoofed sender numbers in the text messages to evade spam filters. However, those messages that are not automatically detected by the mobile provider can be stopped by blocking the sender’s phone number. In response, threat actors continue to evolve their own techniques. In a well-known version of mobile phone spoofing, a recipient receives a text or phone call from someone who appears to be in the area close to the recipient. Users are hesitant to block local phone numbers for fear it would also block legitimate phone calls and messages.
Spoofing the recipient’s phone number is another advance by actors to overcome spam filtering and blocking and to convince users to click on the embedded links in the messages.
Prevention and Mitigation
Smishing messages are a common method for sending phishing links. Infoblox recommends the following precautions for avoiding smishing attacks:
- Always be suspicious of unexpected text messages, especially those that appear to contain financial or delivery correspondences, documents or links.
- Never click URLs in text messages from unknown sources. In the campaign under discussion, the source was the recipient, who did not send the message, and that is a red flag.
VexTrio DDGA Domains Spread Adware, Spyware and Scam Web Forms
Since February 2022, Infoblox’s Threat Intelligence Group (TIG) has been tracking malicious campaigns that use domains generated by a dictionary domain generation algorithm (DDGA) to run scams and spread riskware, spyware, adware, potentially unwanted programs and pornographic content. This attack is widespread and impacts targets across many industries.
- The user must visit the WordPress website from a search engine. For example, the referrer URL can be https://www.google.com/.
- Cookies are enabled in the user’s web browser.
- The user has not visited a VexTrio compromised web page in the past 24 hours.
Prevention and mitigation
- Implementing Infoblox’s RPZ feeds in firewalls can stop the connection by actors at the DNS level, as all components described in this report (compromised websites, intermediary redirect domains, DDGA domains and landing pages) require the DNS protocol. TIG detects these components daily and adds them to Infoblox’s RPZ feeds.
- Leveraging Infoblox’s Threat Insight service, which performs real-time streaming analytics on live DNS queries, can provide high-security coverage and protection against threats that are based on DGA as well as DDGA.
Newly Observed Domains and the Ukraine War
The surge in registration and observation of new domains related to the Russian invasion of Ukraine has been over for some time. Nevertheless, Infoblox research shows that low levels of new phishing campaigns, donation scams, and other suspicious activities are still being launched in attempts to take advantage of Ukraine’s crisis.
Overall, data shows that the volume of legitimate domains is greater than malicious websites in Infoblox’s environment. The surge in newly observed domains began in the first week after the invasion (the beginning of March). For several weeks, many legitimate sites were created to help provide relief to the people of Ukraine; however, cyber threat actors and scammers also took advantage of the crisis, creating their own sites and adding to the volume of newly observed domains. By the end of March (week 13), the number of domains started to decrease, and the number of newly observed domains in Infoblox’s data began to stabilize. The most recent trends, beginning in April (week 14), show that, on average, there continues to be a higher – though only slightly – number of newly observed domains (legitimate and suspicious/malicious) in comparison to before the invasion.
Although the number of malicious domains is trending down, users should remain vigilant. From previous experience, bad actors will continue to exploit individuals through email, malvertising, and other means as long as they can. For comparison, while covid related malware campaigns peaked in 2020, we still see them two years later. Users should carefully inspect requests for donations from organizations they are not familiar with and they should not click on links from unknown sources.
Mohammed Al-Moneer, Regional Director, META at Infoblox says, “Our report shares research on many dangerous malware threats. Security effectiveness depends on timely, up-to-date threat intelligence. Using tools included in Infoblox BloxOne Threat Defense, security teams can collect, normalize and distribute highly accurate, multi-sourced threat intelligence to strengthen the entire security stack. Additional capabilities can help SecOps to accelerate threat investigation and response by up to two-thirds.”