Several Iranian news sources and social networks have issued warnings in recent months about ongoing SMS phishing campaigns impersonating Iranian government services. The story is as old as time: victims click on a malicious link, enter their credit card information, and their money is gone in a matter of hours.
Check Point researcher Shmuel Cohen wrote in a new report released Wednesday: “The malicious application not only collects the victim’s credit card numbers, but also gains access to their 2FA authentication SMS, and turns the victim’s device into a bot capable of spreading similar phishing SMS to other potential victims.”
According to the cybersecurity firm, it discovered hundreds of different phishing Android apps trying to act as device tracking apps, Iranian banks, dating and shopping sites, cryptocurrency exchanges, and government-related services, with these botnets sold as a “ready-to-use mobile campaign kit” on Telegram channels for anywhere between $50 and $150.
The infection chain of the botnet begins with a fake notification from the Iranian judiciary urging users to review a fake complaint filed against the message’s recipients. The complaint link takes victims to what appears to be a government website, where they are asked to enter personal information (e.g., name, phone number, etc.) and download an Android APK file.
The threat actors need to maintain several different components:
- A web page with the right lure to distribute the mobile application and phishing pages with the same lure theme to collect credit card data.
- The panel where the stolen data is stored.
- Firebase domain for C&C communication.
- Android applications with all the above defined in the code and configuration files.
One opendir exposing the structure of a specific campaign’s files and folders is enough to gain access to the data stolen from the victims of any other campaign by directly accessing URLs of other campaigns, even those that are not directly exposed through opendir.
The files located in each campaign folder include:
- Contacts.txt – The list of all contacts stolen from the last device added to the botnet.
- Sms.txt – All the SMS stolen from the bot.
- Message.oliver – The phishing message to be distributed by the bots.
- Numbers.oliver – The list of phone numbers where the bots should send this message.
- On.oliver – The list of all the online bots.
- Users.oliver – The full list of android_ids participating in this botnet.
Customers who choose to do so are then redirected to a false payment page that collects the credit card information entered, while the installed app acts as a covert backdoor to steal one-time passcodes sent by the credit card company and facilitate additional theft.
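The backdoor behaviour described above (reading incoming SMS to capture one-time codes, sending SMS to spread the lure, and harvesting contacts as targets) has to be declared as permissions in the app's manifest. The script below is an added example, not Check Point's tooling or anything from the report: it parses a decoded AndroidManifest.xml (assumed to have been extracted to text already, e.g. with apktool) and scores the permission combination as a first-pass triage for APKs pulled from a suspicious download page. The two manifests embedded in it are constructed samples, and the risk tiers are this example's own convention.

```python
"""Permission-based triage of a decoded AndroidManifest.xml.

Added example (not from the Check Point report). It flags the capability
combination an SMS-stealing, self-spreading bot needs: read incoming SMS,
send SMS, and read contacts. Permission names are the standard Android ones.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Capability -> standard Android permissions that grant it.
CAPABILITIES = {
    "read_sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "send_sms": {"android.permission.SEND_SMS"},
    "read_contacts": {"android.permission.READ_CONTACTS"},
}

# Constructed sample: what the bot described in the article would need.
SUSPECT_MANIFEST = f"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="{ANDROID_NS}" package="example.constructed.lure">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>
"""

# Constructed sample: a typical app that only talks to the network.
BENIGN_MANIFEST = f"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="{ANDROID_NS}" package="example.constructed.shop">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for node in root.iter("uses-permission"):
        name = node.get(f"{{{ANDROID_NS}}}name")
        if name:
            perms.add(name)
    return perms


def capabilities(perms):
    """Map declared permissions onto the capabilities we care about."""
    return {cap for cap, needed in CAPABILITIES.items() if perms & needed}


def triage(manifest_xml):
    """Score a manifest: 'high' if it can read SMS, send SMS and read contacts,
    'medium' if it can both read and send SMS, otherwise 'low'."""
    perms = declared_permissions(manifest_xml)
    caps = capabilities(perms)
    if caps == set(CAPABILITIES):
        verdict = "high"
    elif {"read_sms", "send_sms"} <= caps:
        verdict = "medium"
    else:
        verdict = "low"
    return {
        "permissions": sorted(perms),
        "capabilities": sorted(caps),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, manifest in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage(manifest))
```

This is triage, not a verdict: a legitimate SMS client declares the same three permissions, so a "high" score only says the app is worth a closer look (who distributed it, whether it was sideloaded from a lure page, what it does with the messages), not that it is malicious.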
To make matters worse, the attackers behind the operation were discovered to have poor operational security (OPSEC), allowing any third party to freely access the phone numbers, contacts, SMS messages, and list of all online bots hosted on their servers.
Finally, the researchers concluded: “Stealing 2FA dynamic codes allows the actors to slowly but steadily withdraw significant amounts of money from the victims’ accounts, even when each distinct operation may only garner tens of dollars. It should come as no surprise that the number of such applications for Android and the number of people selling them is growing, given the ease with which the ‘botnet as a service’ business model has been adopted.”
Indicator Of Compromise