Hackers pretending to be Iranian govt use SMS messages to steal credit card info, create botnet

Security company Check Point Research has uncovered a hacking campaign that involves cyberattackers impersonating Iranian government bodies to infect the mobile devices of Iranian citizens through SMS messages. 

The SMS messages urge victims to download Android applications related to official Iranian services, such as the Iranian Electronic Judicial Services. The first messages typically claim that a complaint has been filed against the victim and that an application needs to be downloaded in order to respond. 

Once downloaded, the applications allow hackers to access the victim’s personal messages. Victims are asked to enter credit card information in order to cover a service fee, giving attackers access to card information that can now be used. With access to a victim’s personal messages, the attackers can also get past two-factor authentication. 

Check Point Research said the campaign is ongoing and is being used to infect tens of thousands of devices. In addition to the Check Point report, Iranian citizens have taken to social media to complain about the scams. Some Iranian news outlets are also covering the issue

“The threat actors then proceed to make unauthorized money withdrawals and turn each infected device into a bot, spreading the malware to others. CPR attributes attacks to threat actors, likely in Iran, who are financially motivated,” the cybersecurity company explained. 

“CPR estimates tens of thousands of Android devices have fallen victim, leading to theft of billions of Iranian Rial. Threat actors are using Telegram channels to transact malicious tools involved for as low as $50. CPR’s investigation reveals that data stolen from victims’ devices has not been protected, making it freely accessible to third parties online.”

Check Point’s Shmuel Cohen said in one campaign, more than 1,000 people downloaded the malicious application in less than 10 days. Even if they did not enter credit card information, their device became part of the botnet. 

s3.jpg
Check Point Research

Alexandra Gofman, threat intelligence team leader at Check Point, told ZDNet that the attacks appear to be a form of cybercrime and not attributed to any state-backed actors.

The velocity and spread of these cyberattacks are unprecedented, Gofman said, adding that it is an example of a monetarily-successful campaign aimed at the general public. 

“The campaign exploits social engineering and causes major financial loss to its victims, despite the low quality and technical simplicity of its tools. There are a few reasons for its success. First, when official-looking government messages are involved, everyday citizens are inclined to investigate further, clicking the provided link,” Gofman said. 

“Second, due to the botnet nature of these attacks, where each infected device gets the command to distribute additional phishing SMS messages, these campaigns spread quickly to a large number of potential victims. Although these specific campaigns are widespread in Iran, they can take place in any other part of the world. I think it’s important to raise awareness of social engineering schemes that are employed by malicious actors.”

Check Point explained that the cybercriminals behind the attack are using a technique known as “smishing botnets.” Devices that have already been compromised are used to send SMS messages to other devices. 

The people behind the technique now offer it to others on Telegram for up to $150, providing anyone with the infrastructure to launch similar attacks easily. Even though Iranian police were able to arrest one of the culprits, there are dozens of different cybercriminals in Iran using the tool now. 

The company estimates that about $1,000 to $2,000 has been stolen from most victims. The attackers are also offering the personal information that was stolen to others online. 

Gofman added that the general population of Iran is now in a situation where cyberattacks significantly impact day-to-day lives. 

These attacks began with railways, Gofman said, noting that the company traced that attack to a group called Indra. 

“The attacks continued with gas stations, and then the national aviation company. Now, we’re seeing yet another cyberattack that shows how even pure cybercrime can make headlines and chaos, hurting many in Iran,” Gofman said. 

“Although we do not see a direct connection between these latest cyberattacks and the major aforementioned attacks, our latest insights show how even unsophisticated cyber attacks create significant damage on Iran’s general population.”

READ MORE HERE