Smishing, a cyberattack strategy that combines SMS (short message service, also known as text messages) and phishing, has been revealed as a new and sophisticated mechanism to obtain personal and financial information from victims, through false forms on fraudulent sites.
A wave of VexTrio attacks using the dictionary domain generation algorithm (DDGA) infected numerous WordPress-powered websites, infecting visitors with malware or spyware by executing Javascript code.
Infoblox Inc., a provider of secure and cloud-managed network services, has released a new edition of its Quarterly Cyber Threat Intelligence Report, a security intelligence report that compiles the top threats and security breaches detected in the previous three months on a quarterly basis around the world. Among the key findings of this report, which covers the months of April to June 2022, are the following:
Smishing – a strategy that combines SMS and phishing
Bad actors use smishing messages to trick victims into disclosing personal information such as passwords, identities, and financial information. The messages typically include an incentive for the recipient to click a link, which could be to a site hosting malware or a page attempting to persuade the user to submit data via a form.
To avoid spam filters, actors have frequently used spoofed sender numbers in text messages. Messages that are not automatically detected by the mobile provider, on the other hand, can be stopped by blocking the sender’s phone number. As a result, threat actors’ techniques continue to evolve. In a common form of mobile phone spoofing, a recipient receives a text or phone call from someone who appears to be in the recipient’s vicinity. Users are wary of blocking local phone numbers for fear of blocking legitimate phone calls and messages.
Spoofing the recipient’s phone number is another technique used by actors to avoid spam filtering and blocking and persuade users to click on embedded links in messages.
Prevention and Mitigation
Smishing messages are a popular way to send phishing links. To avoid smishing attacks, Infoblox recommends the following precautions:
VexTrio DDGA Domains Spread Adware, Spyware and Scam Web Forms
The Threat Intelligence Group (TIG) at Infoblox has been tracking malicious campaigns that use domains generated by a dictionary domain generation algorithm (DDGA) to run scams and spread riskware, spyware, adware, potentially unwanted programs, and pornographic content since February 2022. This attack is widespread, affecting targets in a variety of industries.
Domains and the DNS protocol are heavily used by VexTrio actors to run their campaigns. The actors use vulnerable WordPress websites as attack vectors to serve fraudulent content to website visitors who are unaware of the situation. To do so, they first identify websites with cross-site scripting (XSS) vulnerabilities in WordPress themes or plugins, then inject malicious JavaScript code into them. When victims visit these websites, they are directed to a landing page that contains fraudulent content via one or more intermediary redirect domains controlled by the actors as well. Furthermore, in order to avoid detection, the actors have integrated several features into their JavaScript and require the user to meet the following conditions in order to trigger the redirect:
Prevention and mitigation
VexTrio primarily abuses vulnerable WordPress websites to deliver unwanted content to visitors. Embedding malicious JavaScript code in oft-visited web blogs and other popular but vulnerable websites helps the actors widen their reach. Infoblox assesses the VexTrio DDGA campaign could serve as a delivery vector for other cyber crime syndicates and thereby enable follow-on attacks. Infoblox recommends the following actions for protection from this kind of attack:
Newly Observed Domains and the Ukraine War
The surge in registration and observation of new domains related to the Russian invasion of Ukraine has been over for some time. Nevertheless, Infoblox research shows that low levels of new phishing campaigns, donation scams, and other suspicious activities are still being launched in attempts to take advantage of Ukraine’s crisis.
Overall, data shows that the volume of legitimate domains is greater than malicious websites in Infoblox’s environment. The surge in newly observed domains began in the first week after the invasion (the beginning of March). For several weeks, many legitimate sites were created to help provide relief to the people of Ukraine; however, cyber threat actors and scammers also took advantage of the crisis, creating their own sites and adding to the volume of newly observed domains. By the end of March (week 13), the number of domains started to decrease, and the number of newly observed domains in Infoblox’s data began to stabilize. The most recent trends, beginning in April (week 14), show that, on average, there continues to be a higher – though only slightly – number of newly observed domains (legitimate and suspicious/malicious) in comparison to before the invasion.
Although the number of malicious domains is trending down, users should remain vigilant. From previous experience, bad actors will continue to exploit individuals through email, malvertising, and other means as long as they can. For comparison, while covid-related malware campaigns peaked in 2020, we still see them two years later. Users should carefully inspect requests for donations from organizations they are not familiar with and they should not click on links from unknown sources.
Mohammed Al-Moneer, Regional Director, META at Infoblox says, “Our report shares research on many dangerous malware threats. Security effectiveness depends on timely, up-to-date threat intelligence. Using tools included in Infoblox BloxOne Threat Defense, security teams can collect, normalize and distribute highly accurate, multi-sourced threat intelligence to strengthen the entire security stack. Additional capabilities can help SecOps to accelerate threat investigation and response by up to two-thirds.”
