[SANS ISC] Out of Band Phishing. Using SMS messages to Evade Network Detection, (Thu, Aug 19th)

Many companies have extensive security tools to monitor employee computers. But these precautions often fail for “out of band” access that uses cellular networks instead of Ethernet/WiFi networks. Our reader Isabella sent us this phishing email that they received:

Dear User,
This is to let you know that our web-mail server will be upgraded and maint=
ained soon.

If you don’t want your e-mail account to be terminated during the upgrade,

Send “[redacted]” to 6-0-5-5-5-5-1-1-1-1. [altered]

You will receive instructions on how to upgrade your account via text messa=
ge.

If you do not comply with the above, your email access will be disabled.
Please accept our apologies for any inconvenience this may cause.

 

Regards
System Administrator
[redacted]

Note that the phone number is somewhat obfuscated, likely to protect it from tools inspecting email or network traffic. The user is asked to send an SMS. While SMSs may travel across WiFi networks in some cases, they are usually not accessible to network protection devices. In this case, the user received a link next:

The user is no likely going to click on the link using a mobile device, lessening the risk of discovery to the attacker. The target URL is no longer available, but Isabella reported that the link leads to a phishing page.

The attack was somewhat targeted in that the attacker used consistent branding for the code to be sent. It included the short-form of the organizations name which is why I redacted it above. Even the target domain used (which is no longer reachable to me), “http://micro365upgrade.com” was plausible for an Office¬†365 upgrade.


Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Source: Read More (SANS Internet Storm Center, InfoCON: green)

You might be interested in …

Daily NCSC-FI news followup 2021-03-28

Krebs: No, I Did Not Hack Your MS Exchange Server krebsonsecurity.com/2021/03/no-i-did-not-hack-your-ms-exchange-server/ The Shadowserver Foundation says it has found 21, 248 different Exchange servers which appear to be compromised by a backdoor and communicating with brian[.]krebsonsecurity[.]top. The malware runs Windows Defender, which is a security product Microsoft ships with Windows devices that can help block attacks […]

Read More

[ZDNet] Zero trust and cybersecurity: Here’s what it means and why it matters

All posts, ZDNet

Security agency offers five reasons why a fashionable but ‘slippery’ concept might improve your defences. Source: Read More (Latest topics for ZDNet in Security)

Read More

[HackerNews] Unpatched High-Severity Vulnerability Affects Apple macOS Computers

All posts, HackerNews

Cybersecurity researchers on Tuesday disclosed details of an unpatched vulnerability in macOS Finder that could be abused by remote adversaries to trick users into running arbitrary commands on the machines. “A vulnerability in macOS Finder allows files whose extension is inetloc to execute arbitrary commands, these files can be embedded inside emails which if the […]

Read More

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.