Research by: Kobi Eisenkraft

 

Recently a new smishing (SMS phishing) attack targeted users in Israel. In a smishing campaign, attackers send SMS messages from supposedly legitimate organizations. These messages try to persuade you to download what turns out to be a malicious app, provide private information like bank account or credit card details, or click a link which leads to a malicious URL.

In this particular campaign, the messages were allegedly sent from one of Israel’s largest banks with the goal of obtaining credit card and other private information. When you click the link in the SMS, you are directed to a fake bank web page. This web page belongs to a legitimate but compromised site which has a valid certificate (allofus[.]com.br/coil2); according to the Anti-Phishing Working Group (APWG), 58% of phishing sites now use HTTPS. Any information you enter on this fake page is revealed to the attackers, including your user name, password, first name, last name, email address, ID number, credit card holder name, credit card number, credit card expiration date and CVV, all sent with HTTP POST requests. Afterward, you are redirected to the original bank site.

The SMS messages were sent to thousands of Israeli cellphone numbers, regardless of whether the owners were customers of this particular bank. In addition, the attacker redirected victims outside of Israel to a Moroccan news site (http://2m[.]ma/ar/).

We identified more than 50 similar campaigns that targeted Israeli bank customers over the past two years. None of these campaigns are still active, as the typical life span of this type of campaign is very short and may only last for a couple of hours or days. We assume that we will continue to see similar campaigns in the near future. In the past year, there were more than one million new phishing sites reported each month. These campaigns targeted many sectors, including e-Commerce, financial institutions, payment services, email providers, delivery services, online services and more.

Attack Flow

The first SMS that was sent to the victims said: “Hello, sir. There is suspicious activity in your account. Sign in now to confirm your account.”

After the victim presses the link, he is redirected to the site allofus[.]com.br/coil2/ and asked to enter his user name and password.

In the next screen, the victim is asked to enter his credit card information, including the CVV.

This is followed by a “thank you” message and the victim is redirected to the legitimate bank site.
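The flow above leaves a recognizable trace in web proxy logs: form POSTs to a host that is not the bank, followed by a request to the bank site that carries that host as its Referer. The sketch below is an added detection example, not Check Point code; the log format, the `bank.example` and `compromised.example` hosts, the request paths and the five-minute window are all constructed assumptions, and it presumes a proxy that records full URLs and Referer headers.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

BANK_DOMAINS = {"bank.example"}   # placeholder: the impersonated bank's real domain(s)
WINDOW = timedelta(minutes=5)     # assumed max gap between a form POST and the hand-off

# Constructed proxy log (not from the report): time client method url referer
SAMPLE_LOG = """\
2020-01-01T10:00:00 10.0.0.5 GET https://compromised.example/coil2/ -
2020-01-01T10:00:40 10.0.0.5 POST https://compromised.example/coil2/login https://compromised.example/coil2/
2020-01-01T10:01:30 10.0.0.5 POST https://compromised.example/coil2/card https://compromised.example/coil2/login
2020-01-01T10:01:33 10.0.0.5 GET https://www.bank.example/ https://compromised.example/coil2/card
2020-01-01T10:02:00 10.0.0.7 GET https://www.bank.example/ https://news.example/article
2020-01-01T10:03:00 10.0.0.9 POST https://search.example/q -
2020-01-01T10:03:05 10.0.0.9 GET https://www.bank.example/ -
"""

def is_bank(host):
    """True for the bank's domain or any of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in BANK_DOMAINS)

def parse(line):
    """Split one log line into (time, client, method, url host, referer host)."""
    ts, client, method, url, referer = line.split()
    return (datetime.fromisoformat(ts), client, method.upper(),
            urlsplit(url).hostname or "", urlsplit(referer).hostname or "")

def find_harvest_handoffs(log_text):
    """Return (client, collecting_host, post_count) per suspicious hand-off."""
    posts = {}    # (client, non-bank host) -> timestamps of form POSTs
    alerts = []
    for line in filter(str.strip, log_text.splitlines()):
        ts, client, method, host, ref_host = parse(line)
        if method == "POST" and not is_bank(host):
            posts.setdefault((client, host), []).append(ts)
        elif is_bank(host) and ref_host and not is_bank(ref_host):
            # Bank page reached from a foreign site that just took POSTs from this client.
            recent = [t for t in posts.pop((client, ref_host), []) if ts - t <= WINDOW]
            if recent:
                alerts.append((client, ref_host, len(recent)))
    return alerts

if __name__ == "__main__":
    for client, host, n in find_harvest_handoffs(SAMPLE_LOG):
        print(f"{client}: {n} POST(s) to {host}, then handed off to the bank site")
```

A phishing page that suppresses the Referer header will not match, so treat this as one signal alongside URL reputation and the indicators listed at the end of the report.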

How can I protect against this type of attack?

Check Point products successfully protect against this campaign. Check Point SandBlast Mobile and SandBlast Agent provide purpose-built advanced Zero-Day Prevention capabilities to protect mobile devices, endpoint users and web browsers from the attack, leveraging Check Point’s industry-leading network protections.

Phishing Prevention Tips

You should suspect a phishing attack if you receive a message that contains any of the following:

  • Asking for personal information.
  • Urgent deadlines.
  • Offers of large financial rewards.

In addition, you should:

  • Watch out for shortened links.
  • Verify the target site’s URL.
  • Verify the target site’s SSL credentials.

Conclusion

This campaign is just one example of how dangerous smishing attacks can be. These attacks can be modified easily to deceive users or to impersonate legitimate organizations. You should be wary of suspicious SMS messages, and only install apps from trusted sources. In addition, we recommend that you implement advanced security solutions capable of detecting and blocking advanced threats like smishing attacks.

A special thanks to our colleague Ethan Schorer for his contribution on this research!

Indicators of Compromise:

https://allofus[.]com.br/coil2/

https://rebrand[.]ly/leumi6
