SMS Messages Socially Engineered to Steal Billions of Rial from Iran’s Citizens
December 2021 by Check Point Research (CPR)
In the midst of major cyber attacks targeting the general population of Iran, Check Point Research (CPR) sees ongoing malicious campaigns using socially engineered SMS messages to infect tens of thousands of devices of Iran’s citizens. The SMS messages, designed to impersonate the Iranian government, lure victims into downloading malicious Android applications that steal credit card credentials, personal SMS messages and two-factor authentication codes.
The threat actors then proceed to make unauthorized money withdrawals and turn each infected device into a bot, spreading the malware to others. CPR attributes the attacks to financially motivated threat actors, likely based in Iran.
• CPR estimates tens of thousands of Android devices have fallen victim, leading to theft of billions of Iranian Rial
• Threat actors are using Telegram channels to transact malicious tools involved for as low as $50
• CPR’s investigation reveals that data stolen from victims’ devices has not been protected, making it freely accessible to third parties online
In the midst of major cyber attacks targeting the general population of Iran, Check Point Research (CPR) sees another significant cyber attack campaign, where socially engineered SMS messages are being used to target Iran’s citizens. Designed to impersonate the Iranian government, the fraudulent SMS messages lure victims into downloading malicious Android applications posing as official Iranian services, such as the Iranian Electronic Judicial Services. In turn, these malicious applications convince their victims to hand over sensitive data: credit card credentials and two-factor authentication codes. From there, the threat actors go on to perform unauthorized withdrawals from the credit card accounts of their victims.
The threat actors involved leverage a technique known as "smishing" botnets, where compromised devices are used as bots to spread similar phishing SMS messages to other potential victims. The threat actors use multiple Telegram channels to promote and sell their tools. For $50-$150, the threat actors provide a full “Android Campaign Kit”, including the malicious application and underlying infrastructure, with a control panel that can be easily managed by any unskilled attacker via a simple Telegram bot interface.
CPR’s insights come in the midst of major cyber attacks targeting the general population of Iran, including cyber attacks on the railways, gas stations and more. CPR attributes these latest cyber attacks to threat actors who are motivated purely by financial gain.
Billions of Iranian Rials Taken
CPR estimates that the threat actors behind these attacks compromised and installed malware on tens of thousands of Android devices, resulting in the theft of billions of Iranian Rials from victims, with estimated losses of $1,000 to $2,000 per victim. Furthermore, CPR’s investigation reveals that the data stolen from victims’ devices is freely accessible to third parties online, as it has not been protected.
1. The attack begins with a phishing SMS message. In many cases, it’s a message purporting to come from an electronic judicial notification system, notifying the victim that a new complaint has been opened against them. The SMS message contains a link to a web page where the victim can supposedly follow up on the complaint.
2. The webpage lures the user into downloading a malicious Android application and entering credit card data under the pretense of a small service fee.
3. Once installed, the malicious Android application steals all the SMS messages from the infected device, giving the attackers the 2FA SMS codes sent by the credit card companies and thus the ability to use the stolen card.
4. The malicious application periodically polls the attacker-controlled C&C server for new commands to execute. Most notable is the command to spread additional phishing SMS messages to a list of new phone numbers.
The Android backdoor capabilities include:
• SMS stealing: Immediately after the installation of the fake app, all the victim’s SMS messages are uploaded to the attacker’s server.
• Hiding to maintain persistence: After the credit card information is sent to the threat actor, the application can hide its icon, making it challenging for the victim to control or uninstall the app.
• Bypass 2FA: Having access to both the credit card details and the SMS messages on the victim’s device, the attackers can proceed with unauthorized withdrawals from the victim’s bank accounts, hijacking the 2FA authentication (one-time password).
• Botnet Capabilities: The malware allows the attacker to execute additional commands on the victim’s device, such as stealing contacts and sending SMS messages.
• Wormability: The app can send SMS messages to a list of potential victims, using a custom message and a list of phone numbers, both retrieved from the C&C server. This allows the actors to distribute phishing messages from the phone numbers of ordinary users instead of from a centralized place, so they are not limited to a small set of phone numbers that could be easily blocked. This means that, technically, there are no "malicious" numbers that can be blocked by the telecommunication companies or traced back to the attacker.
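The wormability behaviour above leaves a distinctive trace on the infected phone: one message template, carrying a link, sent to many distinct numbers within minutes. The following is an added detection example, not code from CPR or from the malware; it assumes an outbound SMS log is available as (timestamp, recipient, body) records (for instance from MDM or carrier telemetry), and all sample data in it is constructed.

```python
"""Flag outbound-SMS bursts that match the smishing-bot spreading pattern.

Added example for illustration only. Assumes an outbound SMS log of
(timestamp, recipient, body) tuples; the SAMPLE log below is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def normalize(body: str) -> str:
    # Collapse whitespace, lowercase, and mask URLs so per-recipient
    # tracking links still group into a single message template.
    body = " ".join(body.split()).lower()
    return URL_RE.sub("<url>", body)


def detect_smishing_bursts(records, window=timedelta(minutes=10), min_recipients=5):
    """Return one alert per message template that reached >= min_recipients
    distinct numbers inside `window`. A phone pushing the same link-bearing
    text to many strangers in a few minutes is the bot behaviour described
    above, not normal use, so the thresholds are deliberately low."""
    by_template = defaultdict(list)
    for ts, recipient, body in records:
        by_template[normalize(body)].append((ts, recipient))
    alerts = []
    for template, sends in by_template.items():
        sends.sort()  # chronological, so a sliding window can start at each send
        for i, (start, _) in enumerate(sends):
            recips = {r for t, r in sends[i:] if t - start <= window}
            if len(recips) >= min_recipients:
                alerts.append({"template": template, "recipients": len(recips),
                               "has_url": "<url>" in template, "first_seen": start})
                break  # one alert per template is enough
    return alerts


# Constructed sample log: 8 lure messages in ~2.5 minutes plus two normal texts.
t0 = datetime(2021, 12, 1, 9, 0)
SAMPLE = [(t0 + timedelta(seconds=20 * i), f"+98912000{i:04d}",
           f"A complaint was filed against you. Review it: https://example.invalid/c/{i}")
          for i in range(8)]
SAMPLE += [(t0, "+989120009999", "see you at 7?"),
           (t0 + timedelta(hours=2), "+989120009998", "running late")]

if __name__ == "__main__":
    for alert in detect_smishing_bursts(SAMPLE):
        print(alert)
```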
Alexandra Gofman, Threat Intelligence Team Leader at Check Point Software:
"The general population of Iran is in a growing situation where cyber attacks significantly impact day-to-day lives. These attacks began with the railways, which we traced to a group called Indra. The attacks continued with gas stations, and then the national aviation company. Now, we’re seeing yet another cyber attack that shows how even pure cybercrime can make headlines and chaos, hurting many in Iran. Although we do not see a direct connection between these latest cyber attacks and the major aforementioned attacks, our latest insights show how even unsophisticated cyber attacks create significant damage to Iran’s general population. We believe these recent cyber attacks to be financially motivated and a form of pure cyber crime. We suspect the threat actors involved are likely from Iran itself.
Specifically, the velocity and spread of these cyber attacks are unprecedented. It’s an example of a monetarily successful campaign aimed at the general public. The campaign exploits social engineering and causes major financial loss to its victims, despite the low quality and technical simplicity of its tools. There are a few reasons for its success. First, when official-looking government messages are involved, everyday citizens are inclined to investigate further, clicking the provided link. Second, due to the botnet nature of these attacks, where each infected device gets the command to distribute additional phishing SMS messages, these campaigns spread quickly to a large number of potential victims. Although these specific campaigns are widespread in Iran, they can take place in any other part of the world. I think it’s important to raise awareness of social engineering schemes that are employed by malicious actors."
CPR suggests the following safety tips to those interested:
• Download apps only from official app stores, even apps recommended by your relatives or suggested on social media.
• Use two-factor authentication, preferably with the second factor on a different device.
• Protect your mobile device the same way you protect your laptop.