Malware as a Service Meets Mobile Phishing: A Dangerous ComboDownload Case Study
Beginning in December 2020, Europeans were hit by an influx of SMS texts claiming to be package delivery notifications. It turns out these messages were orchestrated by threat actors seeking to distribute malicious apps laced with the banking trojan FluBot, also known as Cabassous. Once the victims download the malware, the app could intercept SMS messages, steal contact information and display screen overlays to trick users into handing over their credentials.
FluBot was a cheap but highly customizable banking trojan, and SMS phishing takes advantage of the trust we put on our mobile devices. By fusing the two together, the attackers created a dangerous apparatus that puts your personal and organizational data at risk.
The good news is that FluBot is no longer a threat — it was taken down by an international law enforcement operation coordinated by Europol’s European Cybercrime Center in May 2021. While FluBot is no longer active, the campaign is a perfect example of how attackers can leverage various mobile-targeting methods to maximize their return.
How was FluBot distributed?
I’ve previously written about phishing attacks disguised as WhatsApp and Telegram authentication messages to socially engineer a number of Australian government officials. This is yet another illustration of why mobile phishing is so effective.
In the case of FluBot, it seems that the attackers took advantage of a Facebook data leakage where over 500 million users’ information were exposed. And what was unique about the campaign is that it had different kill chains depending on whether the target used an iOS or Android device. Android and some iOS victims were directed to a website that prompted them to download an app. Other iOS targets were shown fake online banking pages to trick them into giving up their credentials.
Malware as a service remains on the rise
While FluBot is gone, the bad news is that it was only one of many malware as a service (MaaS) operations. Threat actors are business people, too and they are always looking for the lowest investment with the highest return. MaaS is perfect for lowering the costs for threat actors because it is inexpensive, easy to set up, and highly customizable.
Another prominent MaaS is BancaMarStealer, a banking trojan that Lookout researchers reported on in 2018. Similar to FluBot, BancaMarStealer is distributed to both iOS and Android victims using SMS messages. Because it’s older, we have a good understanding of its usage that has been growing exponentially. In 2018, we reported that there were about 7,700 samples. As of March 2021, the number of samples has grown nearly tenfold to more than 74,000.
What made FluBot more sophisticated than other MaaS is its use of a domain generated algorithm (DGA). This algorithm creates slightly different variations of a given domain name — a technique known as domain fluxing — to hide its command-and-control server IP address among a long list of benign domains.
Mobile phishing and MaaS — a dangerous combination
History has shown us that mobile phishing attacks, while simple, are highly effective. Just look at this widespread campaign Lookout uncovered in 2021 that targeted mobile banking users across North American. These attacks are so effective because mobile devices are now at the center of everything we do, from staying in touch with family and friends to getting package delivery updates and verifying accounts.
Combine this with how cheap and easy it is to use MaaS, this is a dangerous combination that can easily put your personal and organizational data at risk. An MaaS operation doesn’t have to be advanced to be effective — it could be a kid in his parents’ basement sending out a phishing message to a few hundred thousand numbers. Even if only a few of those people click the phishing link, it can still do damage, and organizations that have bring-your-own-device policies need to stay aware of the threat.
The first step of mitigating the risk against MaaS is educating users on the dangers of mobile-targeting phishing attacks. Your employees need to understand that phishing can come from countless apps, such as SMS texts, social media and dating apps.
They also need to know that telltale signs they’re used on desktop computers don’t exist within the simplified mobile user experience. Because of the smaller screen, you oftentimes can’t see the full URL of the webpage you’re on, you can’t hover over a link to see where it’s taking you, and we’re more likely to overlook small giveaways as we operate so reactively on these devices.
How to protect against the ever-evolving malware threats
Malicious actors often reuse bits and pieces of malware like FluBot to build new malware. This means if the dataset that feeds your security solution only searches for malware by comparing with old samples, they won’t be detected.
To ensure that your organization is completely protected against MaaS, you need a cybersecurity solution that’s cloud-delivered, uses crowdsource data and machine learning. Only with a deep understanding of the artifacts of pre-existing malware can you secure against threats that you’ve never seen before.
Lookout has an integrated platform that is backed by a security graph with telemetry data from millions of devices, apps and web domains. Visit our secure access service edge (SASE) solution page to learn more about how we can secure your organization from endpoint to cloud.