Infoblox report shows smishing in websites built on WordPress
Smishing has been identified as a new and sophisticated method of obtaining personal and financial information from victims through fake forms on fraudulent websites. Smishing is a cyberattack tactic that combines SMS (short message service, i.e. text messaging) and phishing.
Infoblox Inc., a leader in secure, cloud-managed network services, has released a new edition of the company's Quarterly Cyber Threat Report, a security intelligence report that compiles the top threats and security vulnerabilities detected across its customer base worldwide over the previous three months. Among the key findings of this report, which covers April to June 2022, are:
Smishing – a strategy that combines SMS and phishing
Smishing messages are sent by bad actors to trick victims into revealing private information, including passwords, identity data, and financial data. The messages usually include an inducement for the recipient to click on a link, which may lead to a site that hosts malware or to a page that attempts to convince the user to submit data through a form.
Actors have routinely used spoofed sender numbers in text messages to evade spam filters. Messages that the mobile operator does not automatically detect can still be stopped by the recipient blocking the sender's phone number, so threat actors continue to evolve their techniques. In a well-known variant (often called neighbor spoofing), the recipient receives a text message or phone call from a number that appears to be local to them. Users are hesitant to block local numbers for fear of also blocking legitimate calls and messages.
Spoofing the recipient's own phone number as the sender is a further step by actors to overcome spam filtering and number blocking, and to convince users to click on the links embedded in the messages.
Prevention and Mitigation
Smishing messages are a common method for delivering phishing links. Infoblox recommends the following precautions to avoid smishing attacks:
- Always be suspicious of unexpected text messages, especially those that appear to contain financial or delivery correspondence, documents, or links.
- Never click on URLs in text messages from unknown sources. In the campaign described here, the apparent sender was the recipient's own number, yet the recipient sent no such message; that alone is a red flag.
VexTrio DDGA Domains Spread Adware, Spyware and Scam Web Forms
Since February 2022, Infoblox's Threat Intelligence Group (TIG) has been tracking malicious campaigns that use domains generated by a Dictionary Domain Generation Algorithm (DDGA) to run scams and distribute risky software, spyware, adware, potentially unwanted programs, and pornographic content. The campaign is widespread and affects targets in many sectors. Visitors to compromised WordPress websites are redirected into the VexTrio chain only when all of the following conditions are met:
- The user arrives at the WordPress website from a search engine; for example, the HTTP referrer is https://www.google.com/.
- Cookies are enabled in the user's web browser.
- The user has not visited a VexTrio-compromised web page in the last 24 hours.
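Because of these three conditions, a site owner who opens their own page directly, or a scanner that fetches it without a referrer, sees a clean page. The probe below is an added example (not Infoblox's or the campaign's code) showing how to reproduce the gating: it requests the page with a search-engine Referer and a fresh cookie jar, repeats the request with the same jar, and finally requests it directly, and only reports cloaking when the redirect depends on those conditions. The fetch function is injected so the logic can run offline against a constructed stand-in; SimulatedCloakedSite and the hostnames site.example and redirect.example are made up for illustration.

```python
"""Probe a page for referrer- and cookie-gated redirects of the kind described above.

Added example, not Infoblox's or the campaign's code. The probe requests the page
under three conditions and only flags cloaking when the redirect depends on them.
The fetch function is injected so the same logic runs offline against a constructed
stand-in; SimulatedCloakedSite and the hostnames it uses are made up for illustration.
"""
import http.cookiejar
import urllib.error
import urllib.request

SEARCH_REFERRER = "https://www.google.com/"
USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx; we want to see the Location header, not the landing page."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def urllib_fetch(url, headers, cookie_jar):
    """Real fetcher: one request with the given headers and cookie jar -> (status, location)."""
    opener = urllib.request.build_opener(
        _NoRedirect(), urllib.request.HTTPCookieProcessor(cookie_jar))
    try:
        resp = opener.open(urllib.request.Request(url, headers=headers), timeout=10)
        return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # unfollowed 3xx (and 4xx/5xx) land here
        return err.code, err.headers.get("Location")


def probe(url, fetch=urllib_fetch):
    """Return (cloaked, results). results maps condition -> (status, location)."""
    from_search = {"User-Agent": USER_AGENT, "Referer": SEARCH_REFERRER}
    direct = {"User-Agent": USER_AGENT}
    jar = http.cookiejar.CookieJar()
    results = {
        # Fresh browser arriving from a search engine: the case the campaign targets.
        "search_referrer_fresh": fetch(url, from_search, jar),
        # Same jar again: a gated site that set a cookie will now stay quiet.
        "search_referrer_repeat": fetch(url, from_search, jar),
        # Direct visit, fresh jar: what the site owner or a scanner usually sees.
        "direct_fresh": fetch(url, direct, http.cookiejar.CookieJar()),
    }
    first_status, first_loc = results["search_referrer_fresh"]
    direct_status, direct_loc = results["direct_fresh"]
    redirected = 300 <= first_status < 400 and first_loc is not None
    # A redirect every visitor gets (e.g. http -> https) is not cloaking.
    same_for_direct = 300 <= direct_status < 400 and direct_loc == first_loc
    return redirected and not same_for_direct, results


def _cookie(name, value, domain):
    # http.cookiejar.Cookie takes 16 positional fields; only name/value/domain/path matter here.
    return http.cookiejar.Cookie(0, name, value, None, False, domain, True, False,
                                 "/", True, False, None, False, None, None, {})


class SimulatedCloakedSite:
    """Constructed stand-in implementing the three gating conditions for offline runs."""

    def __init__(self, landing="http://redirect.example/go"):
        self.landing = landing

    def __call__(self, url, headers, cookie_jar):
        seen_recently = any(c.name == "vt_seen" for c in cookie_jar)
        from_search = headers.get("Referer", "").startswith("https://www.google.")
        if from_search and not seen_recently:
            cookie_jar.set_cookie(_cookie("vt_seen", "1", "site.example"))  # 24h marker
            return 302, self.landing
        return 200, None


if __name__ == "__main__":
    cloaked, results = probe("http://site.example/", SimulatedCloakedSite())
    for condition, (status, location) in results.items():
        print(f"{condition:24s} {status} {location or ''}")
    print("cloaking detected:", cloaked)
    # Against a live suspect page: probe("https://suspect.example/some-page/")
```

Against a live page the default urllib fetcher is used; note that a blanket redirect such as an http-to-https upgrade is deliberately not counted as cloaking, because the direct visit receives the same Location.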
Prevention and Mitigation
- Implementing Infoblox RPZ feeds in DNS firewalls can stop actors' connections at the DNS level, because every component described in this report (compromised websites, intermediate redirect domains, DDGA domains, and landing pages) depends on DNS resolution. TIG detects these components daily and adds them to Infoblox's RPZ feeds.
- Infoblox's Threat Insight service, which performs real-time analysis of live DNS query streams, can provide coverage against both classic DGA-based and DDGA-based threats.
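The two points above concern detecting DDGA domains and blocking them through RPZ. Threat Insight's detection logic is not published; the following is an added example, not Infoblox code, showing why a classic entropy-based DGA heuristic does not separate a dictionary-word domain from a legitimate one, how word segmentation exposes the dictionary structure instead, and how an RPZ zone expresses the resulting block (in RPZ, a CNAME to "." returns NXDOMAIN). The word list, the sample domains, and the zone name rpz.local are constructed for illustration; a dictionary-like label is only a signal when combined with the domain being newly observed.

```python
"""Triage newly observed domains for random-DGA vs. dictionary-DGA structure, then
emit RPZ records for the ones to block.

Added example, not Infoblox Threat Insight or TIG code; it shows why entropy-based
DGA heuristics miss dictionary DGAs and how an RPZ zone expresses a block. The word
list, the sample domains and the zone name rpz.local are constructed for illustration.
"""
import math
import re

# Constructed mini-dictionary. A real deployment would load a full word list.
WORDS = {"red", "mountain", "candle", "star", "blue", "fast", "cloud", "secure",
         "market", "path", "bright", "river", "stone", "green", "light", "news",
         "shop", "best", "deal", "win", "gift", "card", "free", "prize"}


def shannon_entropy(label):
    """Character entropy in bits: the classic (and insufficient) DGA feature."""
    n = len(label)
    counts = {}
    for ch in label:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def word_segments(label, words=WORDS):
    """Split label into the fewest dictionary words that cover it exactly, or None."""
    best = [None] * (len(label) + 1)
    best[0] = []
    for end in range(1, len(label) + 1):
        for start in range(end):
            if best[start] is not None and label[start:end] in words:
                cand = best[start] + [label[start:end]]
                if best[end] is None or len(cand) < len(best[end]):
                    best[end] = cand
    return best[len(label)]


def features(label):
    letters = [c for c in label if c.isalpha()]
    vowels = sum(c in "aeiou" for c in letters)
    runs = re.findall(r"[b-df-hj-np-tv-z]+", label)
    return {
        "entropy": shannon_entropy(label),
        "vowel_ratio": vowels / len(letters) if letters else 0.0,
        "digits": sum(c.isdigit() for c in label),
        "consonant_run": max((len(r) for r in runs), default=0),
        "segments": word_segments(label),
    }


def registrable_label(domain):
    """Label left of the TLD. Assumes a single-label public suffix (no co.uk handling)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(domain):
    """'dictionary-like', 'random-like' or 'other'. Structure only: a dictionary-like
    label is suspicious when the domain is newly observed, not on its own."""
    label = registrable_label(domain)
    f = features(label)
    if len(label) < 8:
        return "other"
    if f["segments"] is not None and len(f["segments"]) >= 2:
        return "dictionary-like"
    if f["vowel_ratio"] < 0.2 or f["digits"] >= 3 or f["consonant_run"] >= 6:
        return "random-like"
    return "other"


def rpz_zone(blocked, zone="rpz.local", serial=2022070100):
    """BIND-style RPZ zone returning NXDOMAIN for each domain and its subdomains.
    In RPZ a CNAME to '.' means NXDOMAIN; 'CNAME *.' would mean NODATA instead."""
    lines = ["$TTL 60",
             f"@ IN SOA localhost. hostmaster.{zone}. {serial} 3600 600 86400 60",
             "@ IN NS localhost."]
    for d in sorted(set(x.lower().rstrip(".") for x in blocked)):
        lines.append(f"{d} CNAME .")
        lines.append(f"*.{d} CNAME .")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample of "newly observed" domains.
    sample = ["xk3q9vplzmt.com", "mountaincandle.net", "brightstarnews.org", "infoblox.com"]
    verdicts = {d: classify(d) for d in sample}
    for d, v in verdicts.items():
        print(f"{d:22s} entropy={features(registrable_label(d))['entropy']:.2f} {v}")
    print(rpz_zone(d for d, v in verdicts.items() if v != "other"))
```

Running it shows the point: the random label and the two-word label have nearly the same character entropy, so an entropy threshold either misses the dictionary domain or floods on legitimate ones, while segmentation names the words it is built from. The emitted zone is only a fragment of a real RPZ deployment, which also needs the resolver's response-policy configuration and a feed update process.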
The Newly Observed Domains and the Ukrainian War
The wave of registration and observation of new domains related to the Russian invasion of Ukraine has been over for some time. Nonetheless, Infoblox research shows that new phishing campaigns, donation scams, and other suspicious activity are still being launched at a low level in an attempt to capitalize on the Ukraine crisis.
Overall, the data shows that the volume of legitimate domains exceeds that of malicious websites in the Infoblox environment. The rise in newly observed domains began in the first week after the invasion (early March). For several weeks, many legitimate sites were created to help bring relief to the Ukrainian people; however, cyber threat actors and scammers also took advantage of the crisis, creating their own sites and adding to the volume of newly observed domains. At the end of March (week 13), the number of new domains began to decrease and the count of newly observed domains in the Infoblox data began to stabilize. The most recent trend, from April (week 14), shows that on average the number of newly observed domains (legitimate and suspicious/malicious) remains higher, albeit slightly, than before the invasion.
Although the number of malicious domains is decreasing, users should remain vigilant. Based on previous experience, bad actors will continue to exploit individuals through email, malicious ads, and other means for as long as they can. For comparison, while COVID-related malware campaigns peaked in 2020, they are still being seen two years later. Users should carefully review donation requests from organizations they do not know and should not click on links from unknown sources.
Mohammed Al-Moneer, Regional Director, META at Infoblox, says, "Our report shares research on many dangerous malware threats. Effective security depends on timely and up-to-date threat intelligence. Using the tools included in Infoblox BloxOne Threat Defense, security teams can collect, normalize, and distribute highly accurate, multi-source threat intelligence to strengthen the entire security stack. Additional features can help SecOps speed up threat investigation and response by up to two-thirds."