A newly discovered two-pronged attack targets mobile device users with Emotet and, perhaps, Trickbot.
Security researchers at IBM X-Force have uncovered a new SMiShing attack in which mobile phones are sent a text purporting to be from the victim’s bank, with a message indicating the account has been locked and requires immediate attention. Because the attack uses fake bank domains, preoccupied users may miss the fact that the address being used isn’t quite right.
Users who click the link are taken to domains known to distribute Emotet and are presented with phishing pages designed to look like the banking logon page.
According to X-Force researchers, junk news content is found in the initial payload binary – a method used by creators of the Trickbot trojan.
While the attack seems to focus on credential theft, it may be a pilot test for a future campaign. The ability to infect with malware depends on the victim’s client OS, and there’s currently no way for cybercriminals to know the make and OS of a victim’s phone ahead of time.
Users need to be mindful of each piece of information provided to them in any kind of unsolicited message – whether via text, in email, or on the web. Users need to be taught through Security Awareness Training to always be suspicious of messages and to look at any provided details (e.g., the domain name provided in the SMiShing attack) to quickly determine whether a message is bogus and potentially threatening to the user and their organization.