Infoblox report shows smishing in websites built on WordPress


Smishing has been identified as a new and sophisticated method of obtaining personal and financial information from victims using fake forms on fraudulent websites. Smishing is a cyberattack tactic that combines SMS (short message service, commonly referred to as SMS) and phishing.

A wave of VexTrio attacks using the Dictionary Domain Generation Algorithm (DDGA) has infected many websites built on WordPress, which in turn infect visitors to these sites with malware or spyware by running Javascript code.

Infoblox Inc., a leader in secure, cloud-managed network services, has released a new edition of the company’s Quarterly Cyber ​​Threat Report, a security intelligence report that compiles top threats and security vulnerabilities detected across the over the previous three months on a quarterly basis. base worldwide. Among the key findings of this report, which covers the months of April to June 2022, are:

Smishing – a strategy that combines SMS and phishing

Smishing messages are sent by bad actors to trick victims into revealing private information including passwords, identity data, and financial data. The messages usually include an encouragement for the recipient to click on a link, which may be for a site that hosts malware or a page that attempts to convince the user to submit data through a form.

Actors routinely used spoofed sender numbers in text messages to evade spam filters. However, messages that are not automatically detected by the mobile operator can be stopped by blocking the sender’s phone number. In response, threat actors continue to evolve their own techniques. In a well-known version of mobile phone spoofing, a recipient receives a text message or phone call from someone who appears to be in the area near the recipient. Users are hesitant to block local phone numbers for fear that it will also block legitimate phone calls and messages.

Spoofing the recipient’s phone number is another step forward by actors to overcome spam filtering and blocking and to convince users to click on links embedded in messages.

Prevention and Mitigation

Smishing messages are a common method for sending phishing links. Infoblox recommends the following precautions to avoid smishing attacks:

  • Always be suspicious of unexpected text messages, especially those that appear to contain financial or delivery correspondence, documents, or links.
  • Never click on URLs in text messages from unknown sources. In the campaign in question, the source was the recipient, who didn’t send the message, and that’s a red flag.

VexTrio DDGA Domains Spread Adware, Spyware and Scam Web Forms

Since February 2022, Infoblox’s Threat Intelligence Group (TIG) has been tracking malicious campaigns that use domains generated by a Dictionary Domain Generation Algorithm (DDGA) to run scams and distribute risky software, spyware, adware, potentially unwanted programs, and pornographic content. This attack is widespread and affects targets in many sectors.

VexTrio’s players make massive use of domains and the DNS protocol to run their campaigns. Actors exploit vulnerable WordPress websites as attack vectors to deliver fraudulent content to unaware website visitors. They do this by first detecting websites that have cross-site scripting (XSS) vulnerabilities in WordPress themes or plugins and then injecting them with malicious JavaScript code. When victims visit these websites, they are directed to a landing web page that hosts fraudulent content, via one or more intermediate redirect domains that are also controlled by the actors. Additionally, in order to avoid detection, the actors have integrated several features into their JavaScript and require the following conditions from the user to trigger the redirect:

  • The user must visit the WordPress website from a search engine. For example, the referral URL might be
  • Cookies are enabled in the user’s web browser.
  • The user has not visited a web page compromised by VexTrio in the last 24 hours.

Prevention and Mitigation

VexTrio mainly misuses vulnerable WordPress websites to deliver unwanted content to visitors. Embedding malicious JavaScript code into often-visited web blogs and other popular but vulnerable websites helps actors expand their reach. Infoblox assesses that the VexTrio DDGA campaign could serve as a delivery vector for other cybercrime syndicates and thus enable follow-on attacks. Infoblox recommends the following actions to protect against this type of attack:

  • Disabling JavaScript completely on web browsers, or enabling it only for trusted sites, can help mitigate attacks employed by VexTrio actors, who capitalize on the use of JavaScript to perform their tasks.
  • Consider using an ad-blocking program to block certain pop-up ad-enabled malware. In addition to an ad blocker, consider using the NoScript web extension, which allows JavaScript and other potentially dangerous content to run only from trusted sites to reduce the attack surface available for actors.
  • Implementing Infoblox RPZ feeds in firewalls can stop actors connecting at the DNS level because all components described in this report (compromised websites, intermediate redirect domains, DDGA domains, and landing pages) require the DNS protocol. TIG detects these components daily and adds them to Infoblox’s RPZ feeds.
  • Using Infoblox’s Threat Insight service, which performs real-time flow analysis on live DNS queries, can provide high-security coverage and protection against DGA-based as well as DDGA-based threats.

The Newly Observed Domains and the Ukrainian War

The wave of registration and observation of new domains related to the Russian invasion of Ukraine has been over for some time. Nonetheless, Infoblox research shows that low levels of new phishing campaigns, donation scams, and other suspicious activity are still being launched in an attempt to capitalize on the Ukraine crisis.

Overall, the data shows that the volume of legitimate domains exceeds that of malicious websites in the Infoblox environment. The rise of the newly observed domains began in the first week after the invasion (early March). For several weeks, many legitimate sites have been created to help bring relief to the Ukrainian people; however, cyber threat actors and scammers have also taken advantage of the crisis, creating their own sites and adding to the volume of newly observed domains. At the end of March (week 13), the number of domains began to decrease and the number of newly observed domains in the Infoblox data began to stabilize. The most recent trends, from April (week 14), show that on average the number of newly observed domains (legitimate and suspicious/malicious) continues to be higher – albeit slightly – compared to before the invasion.

Although the number of malicious domains is decreasing, users should remain vigilant. Based on previous experience, bad actors will continue to exploit individuals through email, malicious ads, and other means for as long as they can. For comparison, while covid-related malware campaigns peaked in 2020, we are still seeing them two years later. Users should carefully review donation requests from organizations they do not know and should not click on links from unknown sources.

Mohammed Al-Moneer, Regional Director, META at Infoblox, says, “Our report shares research on many dangerous malware threats. Effective security depends on timely and up-to-date threat intelligence. Using the tools included in Infoblox BloxOne Threat Defense, security teams can collect, normalize, and distribute highly accurate, multi-source threat intelligence to strengthen the entire security stack. Additional features can help SecOps speed up threat investigation and response by up to two-thirds.


About Author

Comments are closed.