Smishing

Estimated reading time: 5 minutes

Il cybercrimine, sta mirando sempre più ai dispositivi mobili ed è sempre in continua evoluzione. Sui social network e tramite i nostri contatti personali riceviamo sempre più spesso tentativi di truffe mascherati da semplici inviti. Dai rapporti e dai comunicati della polizia postale possiamo notare come negli ultimi anni stiano aumentando i casi di Smishing, che ogni anno causano consistenti danni economici ad aziende e privati per centinaia di migliaia di euro.

Smishing

Cos’è lo Smishing

Con il termine “Phishing”, ci riferiamo a tutte quelle attività fraudolente messe in atto dagli hackers con il fine di trarre in inganno un individuo. Altri fini possono essere sottrarre informazioni sensibili e utilizzarle per commettere illeciti di natura fiscale.

Lo Smishing si differenzia dal Phishing per via dell’utilizzo degli SMS come strumento di contatto. Il nome viene proprio dalla crasi di SMS e phishing.

Questa tipologia di attacco solitamente avviene sfruttando l’ingenuità del malcapitato, inducendolo a scaricare dei malware autoinstallanti o invitandolo a compilare dei moduli con le proprie informazioni personali. Questi malware si mascherano da comuni applicazioni, in modo da non insospettire la vittima. Nel caso in cui l’utente rilasci delle informazioni all’interno di queste applicazioni, i dati inseriti verranno automaticamente inviati all’hacker, che potrà usarli a suo piacimento.

Analogie con il phishing

Altre tipologie di Smishing, invece, prevedono l’invio di messaggi di testo apparentemente provenienti dalla nostra banca, da un’organizzazione di credito, da un’azienda o da un individuo che conosciamo, nel quale riponiamo fiducia. Di solito questi messaggi contengono segnalazioni riguardanti presunti movimenti sospetti o problemi per l’accesso ai servizi bancari. Sfruttando la fiducia che un individuo pone nei confronti di una banca, l’hacker conduce la sua vittima verso un sito web fasullo.

Infatti, il testo del messaggio, oltre a contenere un messaggio allarmante per la vittima, contiene anche almeno un link che reindirizza il malcapitato verso un sito fraudolento.

Questo tipo di siti lo abbiamo visti anche negli attacchi di phishing, e sono creati appositamente dall’hacker con la speranza che la richiesta di dati sensibili sia compilata. Questa può essere sotto forma di un form di login della banca, del tutto simile a quello originale.

Dei dati raccolti, poi, possono essere fatte varie cose. Potrebbero essere rivenduti, usati per ricattare la vittima o per rubarne altri account che utilizzano la stessa combinazione di user e password. Quest’ultima eventualità è il motivo per cui le password dovrebbero essere uniche e non condivise con vari servizi.

Come difendersi

Per difendersi dagli attacchi di Smishing, non è necessario adottare sofisticate tecniche di difesa.

Essendo dei tentativi di raggiro, potrebbero essere facilmente evitati ignorando il contenuto dei messaggi fraudolenti. Di fatto questa tipologia di attacco, per poter funzionare, necessita dell’interazione da parte dalla vittima. Senza un’interazione da parte dell’utente, è impossibile attuare questa tipologia di attacco informatico.

Truffa smishing

Individuare tentativi di Smishing.

Ecco alcune tipologie di messaggi o situazioni sospette a cui fare attenzione e di cui valutare bene la provenienza:

Avvisi urgenti sulla sicurezza, messaggi che promettono denaro o premi gratuiti, offerte o regali. Questi sono tutti dei campanelli d’allarme. Molto probabilmente si tratta di un tentativo di raggiro. Fare leva su un senso di urgenza è tipico di questi attacchi. Una tecnica simile viene usata nel marketing per fare fretta al cliente e spingerlo ad acquistare.

Gli istituti finanziari o i commercianti non utilizzano mai gli SMS per chiedere ai loro clienti di aggiornare le informazioni relative al proprio conto personale. Soprattutto, non chiedono mai informazioni sensibili, come ad esempio i numeri di una carta di credito.

Un SMS che contiene questo genere di richieste, probabilmente è un tentativo di Smishing. In caso di dubbi inoltre, è possibile contattare la propria banca per avere spiegazioni in merito alla richiesta, in modo da accertarsi se si tratta effettivamente di un tentativo di Smishing oppure no.

Evitare di cliccare sui link presenti in un messaggio se non si è sicuri che l’SMS provenga realmente da una fonte attendibile.

Prestare particolarmente attenzione ai numeri telefonici che sembrano sospetti. Questi numeri spesso sono collegati a degli strumenti che hanno la funzionalità di inviare SMS direttamente da una casella e-mail. I truffatori utilizzano questo sistema per evitare di fornire il loro numero di telefono.

Mai conservare credenziali d’accesso, dati bancari, o informazioni personali sensibili sullo smartphone. Se si utilizza quest’accortezza, sarà impossibile per un hacker ottenere questi dati, anche se dovesse utilizzare un malware.

Mai salvare nulla su un dispositivo, è sempre opportuno avvalersi di sistemi di archiviazione tradizionali, come carta e penna o la nostra cara e vecchia memoria. Alternativamente, affidarsi a un servizio di gestione delle password come Bitwarden.

Mantenere sempre la calma, anche se il testo del messaggio dovesse contenere minacce o scadenze. Mai abboccare all’amo.

Denunciare i tentativi di attacco di smishing alla Polizia Postale. Segnalando queste truffe è possibile evitare che altre persone possano cadere nello stesso raggiro.

Smishing di lato

Conclusioni

Come abbiamo visto in questo articolo, i tentativi di truffa sono in continua crescita. Fortunatamente però, a nostro supporto ci sono istituzioni che indagano costantemente, bloccando i responsabili di queste truffe. Ricordiamo sempre di fare sempre attenzione ogni qualvolta che si forniscono delle informazioni personali. Bisogna sempre verificare che la fonte alla quale stiamo affidando i nostri dati sia attendibile.

Quando si tratta di un’azienda, tuttavia, consigliamo di prendere in considerazione un servizio per fornire gli strumenti adeguati ai dipendenti per contrastare lo smishing o il phishing. I nostro servizio di phishing etico può aiutare a individuare quali siano le vulnerabilità aziendali. Inoltre, organizziamo dei training ad hoc sulle basi dei risultati dei test per aiutare i dipendenti a saper riconoscere i tentativi di phishing e smishing.

Per saperne di più su come il nostro servizio di phishing etico potrebbe aiutare la tua azienda, non esitare a contattarci, saremo lieti di rispondere ad ogni domanda.

Useful links:

Link utili:

phishing con pdf cover

Estimated reading time: 9 minutes

There was a dramatic 1160% increase in malicious PDF files in 2019-2020. It went from 411,800 malicious files to 5,224,056. PDF files are an enticing vector of phishing as they are cross-platform and allow attackers to engage more users, making their scam schemes more credible than a text email with a simple link.

To lure users to click on links and buttons embedded in phishing PDF files, there are five main schemes used by attackers: Fake Captcha, Coupon, Play Button, File Sharing and E-commerce.

Data analysis

Data collected from the platform WildFire by Palo Alto Networks was used to analyze the trends . A subset of phishing PDF samples were collected throughout 2020 on a weekly basis. Over 5 million cases of phishing with PDF were analyzed for 2020 alone and the increase in the incidence compared to the total number of documents sent rose by 1160%.

In particular: in 2019 the total number of files analyzed was 4.5 billion, of which about 411 thousand were found to be malware (0.009%). In 2020, following the analysis of over 6.7 billion documents, 5.2 million were found to be phishing vectors with PDF (0.08%).

Phishing with PDF, the most commonly analyzed methods

Five major phishing schemes have been identified from the dataset and will now briefly analyze them in order of distribution. It is important to keep in mind that files used in PDF phishing attacks often act as a secondary step and work together with their carrier (for example, an email or article containing them).

1. Fake CAPTCHA

PDF files Fake CAPTCHA , as the name suggests, require users to verify themselves through a fake CAPTCHA . CAPTCHAs are challenge-response tests that help determine whether a user is human or not.

However, the observed PDF phishing cases do not use a real CAPTCHA, but an image depicting a CAPTCHA test . As soon as users try to “verify” by clicking the continue button, they are taken to a website controlled by the attacker.

The figure below shows an example of a PDF file with a fake CAPTCHA embedded, which is just a clickable image.

phishing with pdf captcha

2. Coupon

The second category identified are coupon themed phishing PDF files and often used the logo of a major oil company .

A significant amount of these files were in Russian with notes like “ПОЛУЧИТЬ 50% СКИДКУ” and “ЖМИТЕ НА КАРТИНКУ” which translate to “get 50% off” and “click on the picture” respectively. The figure below shows an example of these types of phishing PDF files:

phishing with pdf coupon

Similar to other campaigns seen in the past, these PDF phishers have also taken advantage of traffic redirection for the reasons mentioned above . Analyzing several of them, it was found that they use two traffic redirectors. The figure below shows the chain of a sample:

redirect

The entry website took us to another website ( track [.] backtoblack.xyz ), on which another redirect was set.

Eventually, you are directed to an adult dating site through a GET request with some parameters filled in such as click_id , which can be used for page monetization. All these redirects occurred through HTTP 302 redirect messages. Research showed that the offer_id parameter of backtoblack [.] Xyz controls which site the user ends up on .

3. Static image with a play button

These PDF phishing scams don’t necessarily carry a specific message, as they are mostly static images with a video play button superimposed, so they look like videos you need to start.

Although different categories of images were observed, a significant part of them used nudity or specific economic / monetary themes as the subject such as Bitcoin, stock charts and the like to lure users to click on the play button.

The image below shows a PDF file with a Bitcoin logo and a clickable play button.

phishing with pdf fake play button

By clicking the play button, as you can guess, you are redirected to another website. In most of the tests carried out, the redirect pointed to https: // gerl-s [.] online /? s1 = ptt1 .

From the domain name, one could assume that the site is also in the realm of online dating. However, at the time of this writing, the site has been removed. Unlike the previous campaign, there was only one redirect involved , and it was noted that all redirects had the following format:

id-6-alphanumeric-characters [dot] sed followed by a main domain, similar to those listed below:

http://pn9yozq[.]sed.notifyafriend.com/ http://l8cag6n[.]sed.theangeltones.com/ http://9ltnsan[.]sed.roxannearian.com/ http://wnj0e4l[.]sed.ventasdirectas.com/ http://x6pd3rd[.]sed.ojjdp.com/ http://ik92b69[.]sed.chingandchang.com/
http://of8nso0[.]sed.lickinlesbians.com/

4. Sharing files

phishing with pdf sharing

This category of PDF phishing uses popular online file sharing services to grab the user’s attention . They often inform the user that someone has shared a document with them. However, for reasons that may vary from one PDF file to another, the user cannot see the content and apparently has to click on an embedded button or link . The image above shows a PDF with a Dropbox logo asking the user to click on the button to request access.

Below, similarly, an image of a PDF file with a OneDrive logo, prompts the user to click on “Access Document” to view the contents of the file.

As the number of cloud-based file sharing services grows, it wouldn’t be surprising to see this theme grow and continue to be among the most popular approaches.

phishing with pdf onedrive file sharing

Clicking the “ Access Document ” button takes you to a login page with an Atlassian logo, as shown below. There are two options to use for logging in: Microsoft email or other email services.

phishing with PDF

Atlassian Stack is geared towards business, so we assume this campaign was aimed at business users. Each of these links has been designed to resemble a legitimate email login page.

For example, “ Continue with Microsoft ” takes you to a page that looks somewhat similar to the one you come across upon entering the legitimate https://login.live.com , as shown below:

After entering an email address, we proceed to another page that asks us to enter our password.

It was observed that the stolen credentials were sent to the attacker’s server through parameters in a GET request.

After entering your credentials, you are returned to the first login page.

We would like to point out that, when we visited this site, it was already reported as phishing by major browsers such as Google Chrome and Mozilla Firefox.

However, during the research, we proceeded to test the whole path with fake credentials to further investigate and investigate the method of phishing with PDF.

5. E-commerce

Embedding e-commerce themes in emails and phishing documents with PDF is not a new trend. However, there has been an upward trend in the number of fraudulent PDF files that have used brands of international e-commerce to induce users to click on embedded links.

The image below shows an example of a PDF phishing scam that notifies the user that their credit card is no longer valid and that they must “ update their payment information ” in order not to interrupt. the benefits of Amazon Prime .

Similarly, another image below shows a document that informs the user that their Apple ID account will be suspended if they do not click on the link to update their information.

At the time of analyzing the data for the purposes of this article, all websites in this specific PDF phishing campaign have been deleted. It is worth noting that most of these e-commerce themed files used https: //t.umblr [.] Com / for redirection purposes.

Conclusions

We’ve covered the most common PDF phishing campaigns of 2020 along with their distribution and general functioning. Data from recent years shows that the amount of phishing attacks continues to increase and social engineering is the main vector for attackers to take advantage of users.

Previous research has shown that large-scale phishing can have a click-through rate of up to 8% . Therefore, it is important to double-check and double-check files that you receive unexpectedly, even if they come from an organization you know and trust.

For example, why was your account blocked out of thin air, or why did someone share a file with you when you least expected it?

It is with a critical eye and thinking before acting that you are best protected against phishing campaigns of any kind. We have seen several times how damaging phishing attacks can be that hit , so we recommend that you evaluate our ethical phishing service for your company’s employees.

Through ethical phishing campaigns we will be able to test employees and retrieve important data that will then be used to design and carry out specific training tailored to the people involved.

To find out more, contact us, we will be happy to answer any questions.

Useful links:

esempi di phishing cover

Estimated reading time: 8 minutes

Successful phishing attacks are increasing rapidly and so is the variety of forms they come in. Today I want to bring a couple of examples of phishing reported in the last period on the Italian territory by the CSIRT ( Computer Security Incident Response Team ).

Millions of users around the world are put at risk every day, statistically, one every 30 seconds. Cybercriminals are evolving and so are their techniques.

But it’s not just the traditional phishing scam that is catching on, but spear phishing and CEO fraud now also offer a much more damaging reach to the enterprise. For businesses, a successful attack could mean millions of dollars in damage.

Since it is known that users, even corporate users, tend to be lazy and do not manage their passwords effectively, even a phishing campaign aimed at individuals could provide useful credentials to later target corporate accounts. For this reason, one of the most effective defenses is the training of users, who, knowing the danger, can avoid it altogether.

examples of phishing covers

Why does phishing work?

Before giving concrete examples of phishing that took place in Italy, it is interesting to understand why it is a technique that works so well. According to a white paper from Ostermann Research in 2017, phishing is the main concern of security teams.

There are 5 main reasons, identified by Ostermann Research, why phishing is still a real danger.

1. Lack of awareness

Undoubtedly, the predominant reason is the lack of “ security awareness “. More specifically, the lack of training on issues such as phishing and ransomware are the main reasons for the success of these attacks.

2. Need for more information

The use and notoriety of the Dark Web have lowered the commercial value of stolen data. The price of a credit card record dropped from $ 25 in 2011 to $ 6 in 2016 , which means that cybercriminals have had to adapt their attention to new ways to earn the amount of money they did in the past.

3. Lack of adequate protection

Companies are not doing enough to reduce the risks associated with phishing. There is a lack of proper backup processes, as well as an inability to identify weaker users who need further training.

In addition, there is a lack of strong control processes, such as double confirmation for every bank transfer request. Neglecting these protocols means putting yourself directly in the hands of some of the most common fraudulent techniques.

4. Ease of finding tools

The availability of phishing kits and the rise of ransomware-as-a-service (RaaS) gave would-be hackers an easy opportunity to enter the market and compete with sophisticated criminal organizations.

The most troubling part of this growing trend is that even people with little or no computer experience are reaping the benefits of these easy-to-obtain tools.

5. Attacks leverage people’s weak points

As we have seen with social engineering , leveraging some factors can lower people’s guards . Alternatively, you aim for a sense of urgency to ensure that the necessary checks are not carried out before taking action. At other times it is guilt or shame that are used as a weapon to request money directly, as in the case of ransomware .

Among the examples of phishing that we will see shortly, I believe that the main factors for which they succeed are ignorance of IT (security) and feelings of guilt or urgency transmitted in the messages used in attacks.

Examples of 2021 phishing on Italian territory

“Eni gas and electricity reimbursement”

This campaign, reported in March 2021 , uses as a pretext a fake reimbursement from ENI Gas e Luce in order to steal personal data and banking information from the victims. The promise of a refund and seemingly legitimate web pages are key elements of the attack.

The following personal data are requested: name, surname, date of birth, social security number and telephone number. In addition, the following are also required: credit card type, number, expiration date and security code.

The victim reaches the phishing page by following a link to hxxps: //legendaryfirewitch.tumblr [.] com / eni , a page hosted on the Tumblr social platform. From here the user is redirected, using a Javascript script, to a page similar to the ENI website.

After entering the credentials in the form, two screens appear. A summary and a confirmation. Note that the SMS / OTP confirmation method is mentioned in the summary screen but is not required of the victim. Finally, you are directed to the real ENI website.

To defend yourself, always pay attention to the URLs of the pages you visit. These often contain elements of obvious wrongdoing. For example the ru extension of the pages.

Bank Account Phishing Example (N26)

At the end of March 2021, a campaign affecting the customers of the N26 online bank was reported. Through SMS and email, users are asked for personal data, personal information (telephone number and social security number ) and the OTP code and the unique access token of the credit card.

Through a landing page very similar to that of N26, you are asked to log in to the service. The user enters the login credentials, the card code and then personal information is also requested. The excuse is to check the user’s data.

After entering the data, the victim is informed that the entered OTP code is incorrect and a new one is requested. This happens 3 times, until a server error page is shown.

The data has now been entered and sent to the attacker, who can access the victim’s account thanks to the information collected.

Conclusions

The phishing examples listed in this article are just two of all those regularly reported on the CSIRT site. Scams are often completely avoidable, if only you knew the basics of detecting a fraudulent web page.

Always valid advice: before following a link received, go to email, it is better to visit the site from your browser, without using the URLs provided in the message. Email communications are often notifications that must also be reflected on the account page on the site.

Those who fall victim to a phishing attack are likely not able to recognize threats in general. This can become a risk for the whole company.

The best defense is to invest in your employees. This can be done through ethical phishing campaigns followed by targeted training consolidate the problems found. At SOD, we can help your company recognize weaknesses and then provide employees with the information they need to raise the bar.

Contact us to find out how we can specifically help your company to raise the defenses against phishing and make the infrastructure more secure.

Useful links:

Useful links:

Customers

Newsletter

{subscription_form_1}