- Dean Smith
Creative Scamming: Stealing Bank Credentials via Text Messages
Fraudsters using authentically styled text messages from banking institutions are spreading Emotet malware, stealing financial logins, passwords, and data.
On February 25, 2020, Windows Club reported attackers are sending SMS messages purporting to be from victims’ banks – but once they click on the links in the text messages, they are asked to hand over their banking credentials and download a file that infects their systems with the Emotet malware.
Windows Club explained that malware attacks have consistently been on the rise for the past several years. Now these days, attackers try out different ways to gain unauthorized access to your digital lives. Malware spreading via email phishing is common. But now, email phishing has also become difficult due to many advanced security and filtration techniques adopted by cybersecurity companies and email services. Since smartphone consumption has reached its peak, attackers have largely shifted focus towards SMS communication.
Now, this most recent campaign delivers the malware via “smishing,” a form of phishing that relies on text messages instead of email. While smishing is certainly nothing new, researchers say that the delivery tactic exemplifies Emotet’s operators constantly swapping up their approaches to go beyond mere malspam emails – making it hard for defense teams to keep up.
The SMS messages purport to be from local U.S. numbers and impersonate banks, warning users of locked bank accounts. The messages urge victims to click on a link, which redirects them to a domain that’s known to distribute Emotet (shabon[.]co). Visually, when victims click on the link they see a customized phishing page that mimics the bank’s mobile banking page.
What is Emotet?
Emotet is a malware strain and a cybercrime operation. The malware, also known as Geodo and Mealybug, was first detected in 2014 and remains active, deemed one of the most prevalent threats of 2019. First versions of the Emotet malware functioned as a banking trojan, stealing financial information from infected hosts. Throughout 2016 and 2017, Emotet operators updated the trojan and reconfigured it to work as a “loader,” a type of malware that gains access to a system, and then allows its operators to download additional payloads. These second-stage payloads can be any type of executable code, from Emotet’s own modules to malware developed by other cybercrime gangs.
The most recent advent in Emotet was in September of 2019, which included a new, dangerous Wi-Fi hack feature can let the malware spread like a worm.
Researchers with IBM stated, “Emotet’s operator, the Mealybug gang, has varied its activity levels over time, sometimes going into lengthy lulls and periods of low-volume activity. Since late 2019, Mealybug has been pushing its activity through various channels, including spam, sextortion emails, SMiShing and ploys like fake Coronavirus warnings that were spread in Japan.”
SMS Smishing Emotet and the Trickbot Trojan
According to ThreatPost, the smishing landing page was registered on the same day the text messages were sent, said researchers. This domain features the bank’s name (with a different top-level domain) and requests victims enter their login and passwords, followed by a second request to download a document file loaded with the malicious macros.
Amidst the executable code and macros, researchers discovered some junk content in the file, containing “news” excerpts regarding President Donald Trump and presidential candidate Michael Bloomberg, likely a tactic to evade detection.
Curiously, the TrickBot trojan often uses a similar method to escape detection, leading researchers to believe there is a potential link between the two malware’s. Although Emotet began as a banking trojan in 2014, the malware has constantly evolved its full-service threat-delivery mechanism, and was used to distribute TrickBot in previous attacks, such as the recent one targeting the United Nations.
“Knowing that Emotet is one of the ways TrickBot payloads are dropped to infected systems, there is a possibility that this attack is a targeted campaign designed to enable the spread of the TrickBot trojan,” researchers said, and warned this recent smishing campaign, coupled with other recent Emotet appearances, may only be field testing for the latest version. They explained the malware’s operators may be looking to launch future cyberattacks, potentially around the upcoming 2020 Olympics, which kick off July 2020.