Severity
High
Analysis Summary
Researchers have discovered a new Smishing Triad activity that has extended to Pakistan. The group's most recent strategy entails using iMessage and SMS to send fraudulent messages to mobile carrier users on behalf of Pakistan Post. The intention is to steal their financial and personal data.
The code and templates in this smishing kit are similar to what has been seen in other Smishing Triad cases. In the past, cybersecurity researchers detailed several instances of Smishing Triad activity directed toward users of online payment, banking, and e-commerce platforms in various regions, including the USA, EU, UAE, and KSA.
The experts estimate that the threat actors transmit between 50,000 and 100,000 messages daily, depending on the scope of their operations. To do so, they use compromised databases obtained from the Dark Web that include phone numbers and other sensitive personal information about residents. In the first half of 2024 there were many data breaches in Pakistan, a country with a population of around 235.8 million, compromising the Personal Identifiable Information (PII) of its residents. These records are then processed in bulk with automated techniques for malicious ends.

This activity is a warning sign for telecom operators to improve their fraud detection capabilities and actively stop such illegal conduct in order to safeguard their customers. The researchers have obtained several samples of smishing messages from a purported campaign, shared by users of Jazz/Warid, Zong, Telenor Pakistan, Ufone and other popular mobile carriers in Pakistan.
By using local phone numbers, the threat actors create the impression that the recipient is receiving a text message from a local postal service or a business trying to get in touch. The actors pose as Pakistan Post and, if the victim follows the phishing link, demand that the victim arrange payment and enter their credit card details to cover additional fees purportedly required to release a delivery.
Early signs of this activity began to appear in the latter part of May, and activity peaked in early June. Certain variants of the smishing text demand that recipients reply to the message to confirm receipt. By verifying that a number is in active use on a mobile device, the actors can adjust their strategy and target the user more precisely. Concerns over possible fraud or smishing efforts were raised recently after several Pakistani users reported questionable behavior and received suspicious SMS messages.
The threat actors use a variety of evasive tactics to avoid being discovered, such as URL shortening services that can also generate QR codes. In a security advisory, the National Cyber Emergency Response Team of Pakistan (PKCERT) shared patterns of the detected smishing behavior and urged citizens to take preventative steps to stay safe. The team was also instrumental in uncovering several fraudulent delivery package schemes that impersonated courier firms other than Pakistan Post. People who were expecting genuine shipments from reliable courier firms such as FedEx, TCS, and Leopard were the main targets of these scams.
Security researchers found that the smishing kits were hosted on several hosts that targeted not only Pakistan's postal services but also Correos, a Spanish state-owned postal company that was previously the victim of Smishing Triad activity the year before. Multiple domain names were found to be linked to the same IP address, which attests to the group's ongoing targeting of victims who are EU citizens. Smishing Triad had earlier targeted Correos in July 2023.
Smishing, also known as SMS phishing, is a tactic used in text messaging that tries to fool recipients into divulging personal information or clicking on rogue links. Unsolicited text messages should be treated with caution, especially if they request personal information or include dubious links. Trustworthy companies usually do not send SMS requests for private information. Ignoring and refusing to answer dubious text messages is the simplest line of protection against smishing attempts.
Impact
- Sensitive Data Theft
- Financial Loss
- Identity Theft
Indicators of Compromise
Domain Name
- ep-gov-ppk.cyou
- pk-post-goi.xyz
- pak-post.com
- pakpotech.top
URL
- https://ep.gov-pk.cc/a
- http://l.ead.me/bf6fB8
- http://is.gd/bpEPk3
- http://l.ead.me/BjsT
- http://is.gd/8vcwYW
- http://2h.ae/nwxP
- http://2h.ae/cNRd
- http://ytfrt.top/id
- http://linkr.it/4bStpB
- http://qrco.de/bf56c0
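The indicators above are most useful when they are actually run over message traffic. The following Python script is an added example, not code from the advisory or from any of the carriers or researchers it mentions. It loads the advisory's domain and URL indicators, extracts URLs from SMS bodies, and scores each message: an exact URL match or a match on an indicator domain (including its subdomains) is a high-confidence hit, while a URL on one of the shortener/QR hosts that appear in the advisory's URL list is only a weak signal. It goes one step beyond the indicator list by also flagging the "reply to confirm" and "delivery fee" lure wording the advisory describes, so that a new shortener link with the same lure still surfaces for review. The sample messages, sender numbers and the `classify_message`/`scan` function names are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Domain indicators copied from the advisory's IoC list.
IOC_DOMAINS = {"ep-gov-ppk.cyou", "pk-post-goi.xyz", "pak-post.com", "pakpotech.top"}

# URL indicators copied from the advisory's IoC list (compared after normalization).
IOC_URLS = {
    "https://ep.gov-pk.cc/a", "http://l.ead.me/bf6fB8", "http://is.gd/bpEPk3",
    "http://l.ead.me/BjsT", "http://is.gd/8vcwYW", "http://2h.ae/nwxP",
    "http://2h.ae/cNRd", "http://ytfrt.top/id", "http://linkr.it/4bStpB",
    "http://qrco.de/bf56c0",
}

# Shortener / QR-code hosts taken from the hosts in the advisory's URL list.
# A link on one of these is a weak signal on its own, so it is scored lower.
SHORTENER_HOSTS = {"l.ead.me", "is.gd", "2h.ae", "linkr.it", "qrco.de"}

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)
# Lure wording described in the advisory: "reply to confirm/verify" and fee-for-delivery pretexts.
LURE_RE = re.compile(
    r"\b(reply|respond)\b.*\b(confirm|verify)|\b(customs|delivery fee|redelivery|pending package)\b",
    re.IGNORECASE,
)


def normalize_url(url):
    """Return (normalized_url, host). Scheme and host are lowercased; the path is kept
    as-is because shortener slugs such as /BjsT are case sensitive."""
    url = url.rstrip(".,;)")  # trailing punctuation swallowed by the URL regex
    parts = urlparse(url)
    host = parts.hostname or ""
    return f"{parts.scheme.lower()}://{host}{parts.path}", host


def host_matches_ioc(host):
    """Exact match or subdomain of an indicator domain (e.g. track.pak-post.com)."""
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def classify_message(body):
    """Score one SMS body; returns (verdict, reasons)."""
    reasons, score = [], 0
    for raw in URL_RE.findall(body):
        norm, host = normalize_url(raw)
        if norm in IOC_URLS:
            score += 3
            reasons.append(f"url-ioc:{norm}")
        elif host_matches_ioc(host):
            score += 3
            reasons.append(f"domain-ioc:{host}")
        elif host in SHORTENER_HOSTS:
            score += 1
            reasons.append(f"shortener:{host}")
    if LURE_RE.search(body):
        score += 1
        reasons.append("lure-wording")
    verdict = "block" if score >= 3 else "review" if score >= 2 else "allow"
    return verdict, reasons


# Constructed sample messages (sender, body); not real captured traffic.
SAMPLE_MESSAGES = [
    ("+92300XXXXXXX", "Pakistan Post: your parcel is held pending customs fee. Pay at http://is.gd/8vcwYW"),
    ("+92321XXXXXXX", "Your package could not be delivered. Reply YES to confirm and reschedule: http://l.ead.me/zzz999"),
    ("+92333XXXXXXX", "Hi, are we still meeting at 5? https://maps.example.com/place/1"),
    ("+92345XXXXXXX", "Track your shipment at https://track.pak-post.com/ref/123"),
]


def scan(messages):
    """Classify a batch of (sender, body) pairs; returns (sender, verdict, reasons) rows."""
    return [(sender, *classify_message(body)) for sender, body in messages]


if __name__ == "__main__":
    for sender, verdict, reasons in scan(SAMPLE_MESSAGES):
        print(f"{sender}  {verdict:<6}  {', '.join(reasons) or '-'}")
```

The second sample message carries a shortener link that is not on the indicator list, so an exact-match filter would pass it; the lure wording pushes it to `review`, which is where new variants of the same campaign are most likely to be caught. The thresholds are deliberately simple and would be tuned against a carrier's own false-positive rate.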
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Emails or SMSs from unknown senders should always be treated with caution.
- Never trust or open links and attachments received from unknown sources/senders.
- Implement email filtering and anti-phishing solutions to detect and block malicious emails before they reach users' inboxes.
- Educate employees about the risks of phishing attacks and provide training on how to recognize and report suspicious emails or SMSs.
- Regularly backup your data to a secure location, such as a cloud storage service or external hard drive.
- Deploy endpoint security solutions, including antivirus software and intrusion detection systems, to detect and mitigate malicious payloads delivered through phishing emails.
- Regularly update and patch software and operating systems to address vulnerabilities that could be exploited by cyber attackers.
- Utilize network monitoring and logging tools to detect and respond to unusual or suspicious network activity indicative of a phishing attack.
- Enforce strict access controls and least privilege principles to limit the impact of successful phishing attacks by restricting user permissions and access to sensitive data and systems.
- Implement multi-factor authentication (MFA) to add an extra layer of security to user accounts and prevent unauthorized access in the event of compromised credentials.
- Establish incident response procedures and protocols to quickly identify, contain, and remediate phishing attacks, including communication plans for notifying affected parties and stakeholders.
- Collaborate with industry partners, government agencies, and cybersecurity organizations to share threat intelligence and best practices for defending against phishing attacks.