New Smishing Attack

Major Indian Banks Targeted in a Fresh Smishing Campaign

threatcop
5 min read · Mar 19, 2021

In a new smishing campaign, cyber criminals are misusing the names of major Indian banks like SBI, ICICI, HDFC, Axis Bank and PNB, as well as the Indian Income Tax Department (IT Dept), to trap innocent users into submitting confidential information.

First of All, What is Smishing?

It is well known that email is the most commonly used channel for phishing attacks. However, text messaging (SMS) is becoming an increasingly dangerous and potent channel for cyber threat actors to trap victims.

A 2020 article published by Security Boulevard mentions that 85% of attacks seen on mobile devices now take place via mediums other than email.

Phishing through SMS is called SMiShing. The attackers often impersonate a bank or a government department or another trustworthy entity to deliver a fraudulent SMS. This SMS would usually contain information about a benefit for the receiver through cash prizes, refunds or any other lucrative offer.

The SMS would also contain a link to a landing page that looks exactly like the website of a trustworthy government or private organization. On the fake landing page, the users might be asked to submit their private information or download a malicious attachment.

What’s in the News?

Innocent Indian bank users are being targeted by cyber criminals through a new smishing campaign. Threat actors are luring these users into submitting confidential information by asking them to submit an application for the disbursement of the income tax refund.

These cyber miscreants are using a webpage that looks exactly like the income tax e-filing webpage to make the campaign more believable.

As revealed in an investigation by CyberPeace Foundation, the cyber attackers have used the names of some of the most renowned Indian banks for launching this attack! Furthermore, the report mentions that these suspicious links originate from the US and France.

How are They Carrying Out These Attacks?

According to the report, the campaign collects personal data along with banking information. It is important to note here that such a trap can potentially cause a huge financial loss to the users.

It is noteworthy that the link in the fraudulent SMS contains no domain name; it points to a bare IP address. Moreover, the IP addresses associated with this smishing campaign belong to a third-party cloud hosting provider.

Another key point is that this smishing campaign uses plain HTTP instead of HTTPS. Therefore, anyone able to observe the traffic on the network or the internet can intercept it and extract the confidential information in plain text for misuse.

The campaign asks users to download an application from a third-party source and not from the Google Play Store. The downloaded application asks the user to grant various kinds of access and permissions to the device.

As per the article published by Business Insider, on opening the link in the SMS (http://204.44.124[.]160/ITR), users get redirected to a page that looks exactly like the official government website for income tax e-filing.

Fraudulent SMS sent by cyber attackers. (Picture Courtesy — Cyber Peace Foundation)

On that web page, there is a green-colored ‘Proceed to the verification steps’ button. The users are asked to submit their personal information after clicking that button. This information includes their name, gender, date of birth, Aadhaar number, PAN, address, pin code, mobile number, email address and marital status.

Fake landing page that looks exactly like IT Department’s official website (Picture Courtesy — Cyber Peace Foundation)

Along with this, the users are also asked to submit account number, IFSC code, card number, expiry date, CVV/CVC and card PIN. The users are redirected to a different page for confirmation of the submitted data.

After clicking on the ‘Confirm’ button, the user is redirected to a fake banking login page. This fake login page looks exactly like the real one. Then the user is asked to submit their online banking username and password on the fake login page.

Fake landing page which looks like the official SBI website (Picture Courtesy — Cyber Peace Foundation)

The users are asked to enter a Hint question, Answer, Profile Password and CIF number as the next step in this smishing process. After submission, a mobile verification section appears, which contains instructions to download an Android application (.apk file) to complete the ITR verification.

The users are asked to grant all device permissions at this point to this application. The application, called Certificate.apk, starts downloading upon clicking the ‘Download’ link.
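The link traits described in this section (no domain name, plain HTTP, an .apk download) can be checked mechanically when triaging reported text messages. The following is an added example, not code from the CyberPeace Foundation report or from ThreatCop; the function names, the sample message wording and the 192.0.2.10 address are constructed for illustration, and URLs are only parsed, never fetched.

```python
import ipaddress
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"\bhttps?://[^\s<>\"']+", re.IGNORECASE)

def refang(text: str) -> str:
    """Undo common defanging ([.] and hxxp) so URLs can be parsed."""
    text = text.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"hxxp", "http", text, flags=re.IGNORECASE)

def link_indicators(url: str) -> list[str]:
    """Return which of the write-up's link traits this URL shows."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return ["unparseable"]
    found = []
    try:
        ipaddress.ip_address(parts.hostname or "")
        found.append("ip-literal-host")   # bare IP, no domain name
    except ValueError:
        pass                              # host is a name, not an address
    if parts.scheme == "http":
        found.append("plain-http")        # traffic readable in transit
    if parts.path.lower().endswith(".apk"):
        found.append("apk-download")      # app offered outside the store
    return found

def scan_sms(body: str) -> dict[str, list[str]]:
    """Map every URL in an SMS body to the indicators it matches."""
    results = {}
    for match in URL_RE.finditer(refang(body)):
        url = match.group(0).rstrip(".,;:!?)")  # drop sentence punctuation
        results[url] = link_indicators(url)
    return results

# Constructed sample messages; only the first URL appears in the article.
SAMPLES = [
    "Your income tax refund is approved. Apply: http://204.44.124[.]160/ITR",
    "Complete verification: hxxp://192.0.2.10/Certificate.apk now.",
    "Your statement is ready at https://bank.example/statements",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        for url, hits in scan_sms(sms).items():
            print(f"{url} -> {hits or 'no indicators'}")
```

A message matching none of these traits is not thereby safe; the check only surfaces the specific indicators reported for this campaign.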

Here’s How Smishing Attacks Can Impact Organizations

As can be seen from the recent incident described above, cyber criminals have started using smishing as a popular attack vector.

In an article published by CSO Online in 2020, it was revealed that 84% of organizations surveyed by a cyber security company faced smishing attacks.

It may not be long before these criminals decide to attack the employees of your organization through text messages. Therefore, it is important for you to secure your employees against such smishing attacks. Mentioned below are some ways to secure your employees against smishing attacks:

  1. Look for ways to spread cyber security awareness among employees. Using cyber security awareness tools can be effective in this regard. ThreatCop is one such awareness training tool that can be used to run cyber attack simulation campaigns. Along with this, ThreatCop also provides a huge library of awareness content to improve the overall cyber security awareness among your employees for an improved cyber threat posture.
  2. Employees should be instructed to avoid downloading anything from links sent via text messages. The SMS may contain a fake free download link to an app that is paid on trusted app stores like Google Play Store and Apple App Store. But it is a trap to get the victim to download malicious content.
  3. Any inconsistency or problem in the official bank accounts or other official accounts reported to the employees via SMS should be first verified on official websites. Clicking the link sent via SMS to check for the problem or any other urgent matter can result in big damage for the recipient of such text messages.
  4. It is a best practice to not answer any strange texts asking for sensitive information. The employees should be sensitized about this. Along with this, reporting such text messages is also important for investigation purposes.
  5. Employees should be encouraged to use Multi-Factor Authentication (MFA) on their bank and other accounts that hold sensitive information, if that option is available. This way, any information that has been mistakenly transmitted to the attacker will be rendered useless as soon as the victim is reminded of the mistake on receiving a code for verification or approval of the transaction.

Smishing campaigns become successful only if users err. Aware employees or users are the best defenders against any kind of phishing attacks, including smishing.


Written by threatcop

Threatcop is a cybersecurity company that provides security solutions to businesses to protect them against email-based attacks and social engineering attacks.
