SoylentNews is people

posted by Fnord666 on Monday February 24 2020, @11:43AM
from the emotet,-emotet,-emotet dept.

SMS Attack Spreads Emotet, Steals Bank Credentials:

A new Emotet campaign is spread via SMS messages pretending to be from banks and may have ties to the TrickBot trojan.

Attackers are sending SMS messages purporting to be from victims' banks – but once they click on the links in the text messages, they are asked to hand over their banking credentials and download a file that infects their systems with the Emotet malware.

Emotet has continued to evolve since its return in September, including a new, dangerous Wi-Fi hack feature disclosed last week that can let the malware spread like a worm. Now, this most recent campaign delivers the malware via "smishing," a form of phishing that relies on text messages instead of email. While smishing is certainly nothing new, researchers say that the delivery tactic exemplifies Emotet's operators constantly swapping up their approaches to go beyond mere malspam emails – making it hard for defense teams to keep up.

[...] The SMS messages purport to be from local U.S. numbers and impersonate banks, warning users of locked bank accounts. The messages urge victims to click on a link, which redirects them to a domain that's known to distribute Emotet (shabon[.]co). Visually, when victims click on the link they see a customized phishing page that mimics the bank's mobile banking page.

Threatpost has reached out to X-Force researchers regarding how many victims have received the SMS messages, and which banks the messages purport to be associated with.


  • (Score: 4, Interesting) by MostCynical on Monday February 24 2020, @12:01PM (6 children)

    by MostCynical (2589) on Monday February 24 2020, @12:01PM (#961787) Journal

    The messages urge victims to click on a link... mimics the bank's mobile banking page.

    Convenience kills security. Banks and many other companies have taught people to click on links in emails, and, with web-enabled phones, in text messages.

    All a company should ever do is send a reminder or short message to ask a user to log in to get the actual, full message. No links, no html, no downloads, no attachments, no logos, just a text message (sms or email).

    Maybe all keyboards and phones could be wired to tasers, so anyone clicking on a link or unknown attachment could get electrocuted - but that might not even be enough...

    --
    "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
    • (Score: 3, Informative) by FatPhil on Monday February 24 2020, @01:16PM (3 children)

      by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Monday February 24 2020, @01:16PM (#961808) Homepage
      Agreed.

      And given that the danger is in following the link and doing what the phishing page there tells you to do, that link could have been sent via SMS, or by email, or be linked to from twitter (obfuscated through a t.co shortening, no less), or on facebook, or simply be a link in any other webpage or even a usenet post. Or be a QR code on a poster. Or an NFC tag claiming to be a free wifi connection. Or even hand-written on a piece of paper.

      So it ain't really an "SMS attack", really.

      I'm pretty sure I never saw /Politicians Fear Envelope Attack/ headlines when the anthrax white powder scares were going around a few years back, so even failstream media can avoid falling for this kind of mistake if they try.
      --
      Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
      • (Score: 3, Informative) by Booga1 on Monday February 24 2020, @01:50PM (1 child)

        by Booga1 (6333) on Monday February 24 2020, @01:50PM (#961820)

        So it ain't really an "SMS attack", really.

        Yeah, when I saw this in the submissions queue I was expecting to see a description of a specially crafted SMS that would infect the phone or at least cause it to exfiltrate data. This is not an SMS attack. It's plain old phishing.

        • (Score: 3, Funny) by FatPhil on Monday February 24 2020, @02:18PM

          by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Monday February 24 2020, @02:18PM (#961827) Homepage
          Yeah, the unicode parser doing a buffer overflow as a thin-albino-female-with-black-glasses-and-fat-caucasian-male-with-long-hair-holding-hands emoji was being composited, and everyone getting rooted.
          --
          Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
      • (Score: 0) by Anonymous Coward on Monday February 24 2020, @06:41PM

        by Anonymous Coward on Monday February 24 2020, @06:41PM (#961922)

        "I'm pretty sure I never saw /Politicians Fear Envelope Attack/ headlines when the anthrax white powder scares were going around"

        Yeah but some probably called it a "mail" attack.

    • (Score: 0) by Anonymous Coward on Monday February 24 2020, @05:57PM

      by Anonymous Coward on Monday February 24 2020, @05:57PM (#961908)

      All a company should ever do is send a reminder or short message to ask a user to log in to get the actual, full message. No links, no html, no downloads, no attachments, no logos, just a text message (sms or email).

      My bank, even being the scumbags that they are, does exactly that.

    • (Score: 2) by Common Joe on Tuesday February 25 2020, @09:55AM

      by Common Joe (33) <common.joe.0101NO@SPAMgmail.com> on Tuesday February 25 2020, @09:55AM (#962298) Journal

      Convenience kills security. Banks and many other companies have taught people to click on links in emails, and, with web-enabled phones, in text messages.

      This. I was stuck with a bank for reasons I won't get into, but they kept sending out emails with links embedded in them urging people to click on them and log in. It was legit from the bank. I even reported them to themselves off and on for years with explanations why it shouldn't be done. I guess after 4 years, they finally decided to stop. Unbelievable.
