
Understanding how cyberattacks unfold is key to stopping them. In this blog, Fortra’s threat researchers break down the anatomy of a recent smishing campaign, revealing the tactics, techniques, and infrastructure behind the attack.
The Smishing Attack

The smishing text contains a banking alert about a transaction being put on hold and urges the reader to visit the link if the transaction was not initiated by the recipient. Given that this is an unsolicited text message about an unknown transaction, combined with the urgent tone of the text, the user is likely to be tricked into clicking the phishing URL and visiting the malicious site.
SMS Sender Verification

Typically, a telltale sign of a smishing attack is a four-digit sender number, because it indicates the use of an email-to-text service. In this campaign, however, the attacker uses a standard complete number to bypass this well-known detection technique.
Unlike email, where the sender’s address can be used to identify and filter phishing attacks, smishing attempts can’t be blocked based on the sender’s phone number, because phone numbers may get recycled and reused by future legitimate entities. Additionally, unlike phishing emails, phone numbers do not contain spelling and grammar mistakes that can be used to identify a suspicious source. These unique characteristics of phone numbers allow the attacker to further bypass security controls and distribute their initial text, leading to a higher success rate in reaching their intended victims.
Landing Page Analysis
The following screenshots were anonymized to protect the privacy of Fortra’s clients.
Fortra has identified a phishing kit that offers multiple variations of this landing page. These landing pages have been observed impersonating popular brands such as financial institutions, large retail chains, and mail service providers.




The initial landing page asks the user to enter their banking login information, luring them into handing their credentials to the attacker. Upon clicking the “Log In” button, the user is taken through a couple of pages that prompt them to provide sensitive Personally Identifiable Information (PII) such as their Social Security Number (SSN) and credit card number. The victim is lured into compromising their sensitive information, which can expose them to the risk of identity theft, credit card fraud, and other malicious behaviors. In fact, compromised PII can even allow the attacker to craft highly advanced spear phishing campaigns that target the victim by exploiting their exposed PII and other sensitive data.
The attack chain ends with the adversary luring the victim into giving up their Multi-Factor Authentication (MFA) code. This lure is further strengthened by the security preference question at the bottom of the webpage, which not only helps to increase the legitimacy of the website but also tricks the user into a false sense of security. The attacker can then leverage the compromised MFA code, alongside the banking credentials shared previously by the user, to gain unauthorized access to the victim’s bank account and perform various malicious operations.
Suspicious URL Analysis
The smishing URL: https[:]//cancelbank29b[.]com
Unlike the landing page, the URL does not impersonate a specific brand or identity because the domain name refers to a generic “cancelbank.” The generic and vague domain name, in addition to the random string of numbers and letters “29b”, can help the user identify the suspicious URL and question the legitimacy of the URL’s destination.
Fortra conducted a WHOIS lookup on the smishing URL, which revealed registrant information that is not genuine.

A quick Google search showed that the registrant’s name does not exist and that the registrant’s address is an empty parking lot. Additionally, the registrant’s phone number contains too many digits. These bogus details raise doubts about the legitimacy of the registrant and further point to the malicious motivations of the threat actor.
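The sender, domain and WHOIS observations above can be expressed as a small triage script. This is an added example, not Fortra's tooling: the keyword list, the sender number and the WHOIS phone value are constructed for illustration, and only the defanged URL is taken from the article. The 15-digit limit is the E.164 maximum length for a full international number.

```python
import re
from urllib.parse import urlsplit

# Assumption: illustrative generic finance/action words, not taken from the article.
GENERIC_WORDS = ("bank", "cancel", "secure", "verify", "alert", "account")

def refang(ioc):
    """Restore a defanged indicator (https[:]//host[.]com) so it can be parsed."""
    return ioc.replace("[:]", ":").replace("[.]", ".")

def sender_flags(sender):
    """The classic check: a four-digit sender suggests an email-to-text service."""
    digits = re.sub(r"\D", "", sender)
    return ["four-digit-sender"] if len(digits) == 4 else []

def domain_flags(url):
    """Flag a domain label built from generic words plus a digit/letter tail."""
    host = (urlsplit(refang(url)).hostname or "").lower()
    parts = host.split(".")
    label = parts[-2] if len(parts) >= 2 else host  # naive: ignores multi-part TLDs
    flags = []
    hits = [w for w in GENERIC_WORDS if w in label]
    if len(hits) >= 2:
        flags.append("generic-words:" + "+".join(hits))
    tail = re.search(r"\d[0-9a-z]*$", label)
    if tail:
        flags.append("alnum-tail:" + tail.group())
    return flags

def whois_flags(record):
    """Flag a registrant phone longer than E.164 allows (15 digits maximum)."""
    digits = re.sub(r"\D", "", record.get("phone", ""))
    return ["phone-too-many-digits"] if len(digits) > 15 else []

def triage(sender, url, whois):
    """Combine all three checks into one list of findings."""
    return sender_flags(sender) + domain_flags(url) + whois_flags(whois)

# Constructed sample input: the sender number and WHOIS phone are made up;
# only the defanged URL comes from the article.
SAMPLE = triage("+1 555 010 0142", "https[:]//cancelbank29b[.]com",
                {"phone": "+1.55501001429876543"})

if __name__ == "__main__":
    print(SAMPLE)
```

The full-length sender produces no finding, which mirrors the article's point that the four-digit check alone misses this campaign; the domain and WHOIS checks are what surface it.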
However, the query revealed the registrant’s email address which Fortra utilized to perform a reverse WHOIS lookup to identify the following additional domains that the attacker may be operating under:

Protect Yourself from Social Engineering with Better Cybersecurity Training
Social engineering attacks are no longer limited to the familiar phishing email. They’ve evolved into highly sophisticated and varied threats, including smishing campaigns that exploit users through text messages. This growing diversity in attack methods makes it increasingly difficult for users to recognize and respond to cyber threats. That’s why robust security awareness and training programs are essential to building strong cyber defenses.
Fortra Brand Protection and Fortra Human Risk Management solutions empower organizations to cultivate a resilient cybersecurity culture, equipping users to stay vigilant and respond effectively to the ever-changing threat landscape.