SMS Phishing Campaign Used to Spread Emotet: Report
IBM Says Mobile Banking Customers Targeted With Fake Messages and Domains
Mobile banking customers are being targeted by yet another SMS phishing campaign, according to new research from IBM X-Force. This time, however, in addition to trying to steal usernames and passwords, the attackers are also attempting to install Emotet malware.
IBM researchers say in a new report that it appears that attackers are sending malicious SMS messages from what appear to be local U.S. phone numbers to banking customers concerning a locked bank account. Those text messages contain a link that takes the victim to a website that mimics a bank's legitimate mobile banking landing page, but uses a different top-level domain.
While the landing page looks legitimate, it's actually a well-disguised phishing webpage that first tries to steal usernames and passwords by having the victim input those credentials into a field on the screen; the credentials are then relayed back to the attackers, according to IBM.
The researchers also found that these landing pages attempt to trick victims into downloading a file with malicious macros that installs two binary files on the victim's device, which includes the Emotet malware.
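The lookalike-domain pattern described above (the bank's brand label under a different top-level domain) is something a defender can check for mechanically in message logs. The script below is an added example, not code from the IBM report or this article; the bank domains and SMS texts are constructed placeholders, and the registrable-domain logic is deliberately naive (it assumes single-label TLDs).

```python
import re
from urllib.parse import urlparse

# Constructed placeholders for an institution's legitimate domains (not real banks).
KNOWN_BANK_DOMAINS = {"examplebank.com", "firstbank.net"}

# Matches http(s) URLs and bare "www." hosts as they typically appear in SMS text.
URL_RE = re.compile(r"https?://[^\s<>\"']+|www\.[^\s<>\"']+", re.IGNORECASE)

def host_labels(url):
    """Return the lower-cased DNS labels of a URL's host, e.g. ['www', 'examplebank', 'co']."""
    target = url if url.lower().startswith("http") else "http://" + url
    host = (urlparse(target).hostname or "").lower().rstrip(".")
    return [label for label in host.split(".") if label]

def classify_url(url):
    """Return 'legit', 'lookalike' or 'unknown' for a single URL.

    Treats the last two labels as the registrable domain; a real deployment would
    consult the Public Suffix List to handle multi-label TLDs such as co.uk.
    """
    labels = host_labels(url)
    if len(labels) < 2:
        return "unknown"
    sld, tld = labels[-2], labels[-1]
    if f"{sld}.{tld}" in KNOWN_BANK_DOMAINS:
        return "legit"  # the bank's own domain or one of its subdomains
    for bank in KNOWN_BANK_DOMAINS:
        bank_sld = bank.split(".")[0]
        if sld == bank_sld:
            return "lookalike"  # same brand label under a different TLD
        if bank_sld in labels[:-2]:
            return "lookalike"  # brand label buried in a subdomain of another domain
    return "unknown"

def scan_sms(text):
    """Return [(url, verdict), ...] for every URL found in one SMS body."""
    return [(url, classify_url(url)) for url in URL_RE.findall(text)]

# Constructed sample messages in the style the report describes.
SAMPLE_SMS = [
    "ALERT: your account is locked. Restore access at https://examplebank.co/mobile/login",
    "Your statement is ready at https://mobile.examplebank.com/statements",
    "Verify now: www.examplebank.com.secure-verify.net/auth",
]

if __name__ == "__main__":
    for sms in SAMPLE_SMS:
        for url, verdict in scan_sms(sms):
            print(f"{verdict:9} {url}")
```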
The tip-off is that one of the domains to which victims are redirected during this attack - "shabon[.]co" - is associated with Emotet, IBM researchers report.
"Our researchers found the file on the distributing domain and looked into some obfuscated malicious PowerShell scripts that led us to additional Emotet-serving domains," according to the new report.
The phishing campaign apparently started earlier this year and has since slowed down, according to IBM.
Fraudsters are increasingly using SMS phishing or "smishing" to lure victims into clicking on malicious links because smartphone users are less likely than those using other devices to scrutinize the authenticity of a text, security researchers say.
Earlier this month, cybersecurity firm Lookout discovered that nearly 4,000 mobile banking users were targeted by an SMS phishing campaign that started in July 2019 (see: Mobile Banking Users Targeted in SMS Phishing Campaign).
Rise of Emotet
In their report, IBM researchers attribute the increasing spread of Emotet to a group that they refer to as the "Mealybug gang." After a lull of several months, Emotet resurfaced in September 2019, and it has been spreading rapidly since (see: Researchers: Emotet Botnet Is Active Again).
In another report released in January, researchers at IBM found that cybercriminals are using fake email messages about the coronavirus to spread Emotet as well as other malware.
"It appears that Mealybug is gearing up to expand its botnet, diversify its illicit income sources and prepare for a wider attack surface in Japan, possibly ahead of the 2020 international sporting event coming to Tokyo in the summer," according to the IBM researchers.
Emotet, which first appeared as a banking Trojan in 2014, usually serves as a dropper for other malware. The U.S. Cybersecurity and Infrastructure Security Agency considers it to be a dangerous cyberthreat.
Emotet developers added functionality so the Trojan could be used to install additional malicious code on endpoints it has infected, giving it the ability to scrape victims' PCs for contact information (see: Emotet Malware Alert Sounded by US Cybersecurity Agency).
IBM’s researchers found a connection between the latest Emotet campaign and Trickbot, which has the capability to communicate with a command-and-control server and exfiltrate sensitive data, according to the report. Emotet is one of the ways the Trickbot payload is delivered to infected systems (see: Malware Most Foul: Emotet, Trickbot, Cryptocurrency Miners).
When the IBM researchers examined the two binaries that help deliver the Emotet malware during a phishing attack, they found "junk content" that included news excerpts from current events involving President Donald Trump and Michael Bloomberg, who is running for president, according to the report.
"This practice, an old trick to evade anti-virus detection, has been observed recently in some malware families, including the Trickbot Trojan," the report adds.