Attackers Use SMS Phishing to Steal Credentials and Install Emotet Malware

Researchers have discovered a new SMS phishing campaign targeting mobile numbers in the United States aiming to steal online banking credentials and install the Emotet malware wherever possible.

SMS phishing campaigns, also known as smishing, follows a straightforward recipe. Victims receive an SMS message with an embedded link, sending them to a malicious site. Sometimes, it’s just a phishing scheme, with attackers looking to steal credentials. But the same platform can be used to trick people into installing malware, which could serve a variety of purposes, including transforming the device into a bot for other attacks.

This is the case with this current smishing campaign, which aims to do as much damage as possible, and that includes stealing credentials and infecting terminals with malware. When people open the link in the SMS warning them about a locked bank account, they are redirected to a website that looks very much like the real deal but with a different domain.

“Our researchers found the file on the distributing domain and looked into some obfuscated malicious PowerShell scripts that led us to additional Emotet-serving domains,” said the IBM X-Force researchers. The attackers used a known obfuscation technique that’s found in the TrickBot malware, so it’s possible there’s a connection between the two.

Smishing is part of the same family as phishing (email) and vishing (voice). Tricking users into providing their credentials to a third-party is the main objective. It’s also a good idea to install a security solution, no matter the platform (PC, Mobile, iOS and MacOS), that can spot possible phishing attempts and prevent the installation of malware.

Here’s how users can check if an SMS message or email is actually a scam. 

• Be wary of messages that claim your account was blocked, that requires to confirm personal details, or that imparts any sense of urgency a penalty/fine for not validating in time
• Check the messages for grammatical errors and typos in the domain names, as they may have a missing letter or misspelled name.
• Never offer sensitive data such as user names, passwords, social security numbers, credit card numbers, CVV numbers, or PINs, through online channels.
• As a rule of thumb, never open links received via emails or trough SMS messages if you don’t recognize the sender. If possible, users should manually type the URL in their browser. Some SMS links can redirect to other web pages that are fraudulent.
• If you do click on a link, you should verify the URL after you open it in a browser. It might look normal in an email or SMS, but the browser will show the real address. Official websites are secure (HTTPS) and have their own domains (PayPal.com, Netflix.com, etc), so any website that’s not hosted on its own domain and that’s not secure (HTTP) should be immediately suspicious.
• If you’re still unsure about the validity of a message from what looks like an official source, you can always contact the company or institution and ask them to confirm or deny if they every sent it.