Infoblox released its Q2 2022 report, drawing attention to many dangerous malware threats to organizations. The research compiles the top security threats and vulnerabilities detected during the months of April to June 2022 and highlights smishing as one of the most prominent forms of attack.
Smishing, a cyberattack strategy that combines SMS (Short Message Service) and phishing, has been shown to be a new and sophisticated mechanism for obtaining personal and financial information from victims via fake forms on fraudulent sites.
Infoblox, a leader in secure, cloud-managed network services, has released a new edition of its Cyber Threat Intelligence Quarterly Report, a security intelligence report that compiles the top security threats and vulnerabilities detected over the past few months on a quarterly basis around the world. Among the key findings of this report, which covers the months of April to June 2022, are:
Smishing – A strategy that combines SMS and phishing
Smishing messages are sent by bad actors to trick victims into revealing private information including passwords, identity data, and financial data. The messages usually include an encouragement for the recipient to click on a link, which may be for a site that hosts malware or a page that attempts to convince the user to submit data through a form.
Actors routinely used spoofed sender numbers in text messages to evade spam filters. However, messages that are not automatically detected by the mobile operator can be stopped by blocking the sender’s phone number. In response, threat actors continue to evolve their own techniques. In a well-known version of mobile phone spoofing, a recipient receives a text message or phone call from someone who appears to be in the area near the recipient. Users are hesitant to block local phone numbers for fear that it will also block legitimate phone calls and messages.
Spoofing the recipient’s phone number is another step forward by actors to overcome spam filtering and blocking and to convince users to click on links embedded in messages.
Prevention and Mitigation
Smishing messages are a common method for sending phishing links. Infoblox recommends the following precautions to avoid smishing attacks:
- Always be suspicious of unexpected text messages, especially those that appear to contain financial or delivery correspondence, documents, or links.
- Never click on URLs in text messages from unknown sources. In the campaign described above, the apparent source was the recipient's own number, which the recipient never sent a message from; that alone is a red flag.
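The two red flags above (a message that appears to come from the recipient's own number, and a link from a number that is unknown or merely looks local) can be turned into a simple triage rule set. The following Python is an added example, not Infoblox code or anything from the report; the sample messages, phone numbers, contact list and the assumption that numbers follow the North American numbering plan are all constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample SMS records (fictitious numbers and URLs, not from the report).
SAMPLE_MESSAGES = [
    {"sender": "+1 555 010 7788", "recipient": "+15550107788",
     "body": "Your package is held. Confirm details: http://delivery-update.example/track"},
    {"sender": "+1-555-010-4242", "recipient": "+15550107788",
     "body": "Hi, this is your bank. Verify your account at https://secure-login.example"},
    {"sender": "+1 555 010 4242", "recipient": "+15550107788",
     "body": "Running late, see you at 7"},
    {"sender": "+1 202 555 0199", "recipient": "+15550107788",
     "body": "Reminder: appointment tomorrow 10am"},
]

# Constructed address book: senders the recipient already knows.
KNOWN_CONTACTS = {"+12025550199"}

URL_RE = re.compile(r"https?://\S+", re.I)


def normalize_number(raw: str) -> str:
    """Reduce a phone number written in any style to '+' plus digits."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 10:  # assumption: 10-digit numbers are NANP national numbers
        digits = "1" + digits
    return "+" + digits


def area_code(e164: str) -> str:
    """Return the NANP area code (assumption: +1 followed by three digits), else ''."""
    return e164[2:5] if e164.startswith("+1") and len(e164) == 12 else ""


@dataclass
class Verdict:
    suspicious: bool
    reasons: list = field(default_factory=list)


def triage(msg: dict) -> Verdict:
    """Apply the report's red flags to one message and explain the verdict."""
    sender = normalize_number(msg["sender"])
    recipient = normalize_number(msg["recipient"])
    urls = URL_RE.findall(msg["body"])
    reasons = []
    if sender == recipient:
        reasons.append("sender spoofed as recipient's own number")
    if urls and sender not in KNOWN_CONTACTS:
        reasons.append("link from unknown sender")
    if urls and sender != recipient and area_code(sender) == area_code(recipient):
        reasons.append("link from number that looks local (possible neighbour spoofing)")
    return Verdict(bool(reasons), reasons)


def triage_all(messages):
    """Triage a batch of messages; returns one Verdict per message, in order."""
    return [triage(m) for m in messages]


if __name__ == "__main__":
    for m, v in zip(SAMPLE_MESSAGES, triage_all(SAMPLE_MESSAGES)):
        print(m["sender"], "->", "SUSPICIOUS" if v.suspicious else "ok", v.reasons)
```

Plain messages without links, and messages from known contacts, pass through; a link from a number that is not in the address book is flagged regardless of how local or familiar it looks, which is the behaviour the recommendations above ask of users.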
VexTrio DDGA domains spread adware, spyware and fraudulent web forms
Since February 2022, Infoblox’s Threat Intelligence Group (TIG) has been tracking malicious campaigns that use domains generated by a Dictionary Domain Generation Algorithm (DDGA) to run scams and distribute risky software, spyware, adware, potentially unwanted programs, and pornographic content. This attack is widespread and affects targets in many sectors.
- The user must visit the WordPress website from a search engine. For example, the referral URL might be https://www.google.com/.
- Cookies are enabled in the user’s web browser.
- The user has not visited a web page compromised by VexTrio in the last 24 hours.
Prevention and Mitigation
- Implementing Infoblox RPZ feeds in firewalls can stop actors connecting at the DNS level because all components described in this report (compromised websites, intermediate redirect domains, DDGA domains, and landing pages) require the DNS protocol. TIG detects these components daily and adds them to Infoblox’s RPZ feeds.
- Using Infoblox’s Threat Insight service, which performs real-time flow analysis on live DNS queries, can provide high-security coverage and protection against DGA-based as well as DDGA-based threats.
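Both the DDGA description above and the DNS-level mitigation can be illustrated with a small resolver-side filter: it applies an RPZ-style blocklist (exact and subdomain match) and, for everything else, a dictionary-segmentation heuristic that flags second-level labels built entirely from concatenated dictionary words, the defining trait of a dictionary DGA. This is an added example, not Infoblox's RPZ feed or Threat Insight logic; the blocklist, the tiny word list, the log format and every domain in the sample log are constructed for illustration.

```python
import re
from collections import Counter

# Constructed RPZ-style blocklist (hypothetical domains, not from the report).
RPZ_BLOCKLIST = {"redirect-hop.example", "bad-landing.example"}

# Constructed allowlist of domains that should never be flagged.
ALLOWLIST = {"www.google.com", "mail.corp.example"}

# Tiny dictionary for the heuristic; a real detector would load a full word list (assumption).
DICTIONARY = {"secure", "update", "cloud", "market", "green", "silver", "dog", "cat",
              "house", "login", "bank", "news", "media", "data", "portal", "alert",
              "gold", "river", "plan", "home"}

# Constructed DNS query log (assumed format: timestamp client qname).
DNS_LOG = """\
2022-05-01T10:00:01Z 10.0.0.5 www.google.com
2022-05-01T10:00:02Z 10.0.0.5 redirect-hop.example
2022-05-01T10:00:03Z 10.0.0.5 silvergreenriver.example
2022-05-01T10:00:04Z 10.0.0.7 update-cloud-market.example
2022-05-01T10:00:05Z 10.0.0.7 mail.corp.example
2022-05-01T10:00:06Z 10.0.0.9 securelogin.example
"""


def segment_words(label: str, dictionary=DICTIONARY):
    """Return the shortest list of dictionary words that exactly tile `label`, or None.

    Hyphens are ignored so 'update-cloud-market' and 'updatecloudmarket' segment alike.
    """
    label = label.replace("-", "")
    n = len(label)
    best = [None] * (n + 1)
    best[0] = []
    for i in range(1, n + 1):
        for j in range(max(0, i - 12), i):  # dictionary words are at most 12 characters
            if best[j] is not None and label[j:i] in dictionary:
                if best[i] is None or len(best[j]) + 1 < len(best[i]):
                    best[i] = best[j] + [label[j:i]]
    return best[n]


def registrable_label(qname: str) -> str:
    """Label directly left of the TLD (assumption: single-label public suffixes only)."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(qname: str) -> str:
    """'allow', 'block:rpz' for listed domains and their subdomains, or 'flag:ddga'."""
    qname = qname.lower().rstrip(".")
    if qname in ALLOWLIST:
        return "allow"
    for blocked in RPZ_BLOCKLIST:
        if qname == blocked or qname.endswith("." + blocked):
            return "block:rpz"
    words = segment_words(registrable_label(qname))
    if words is not None and len(words) >= 2:  # one plain word (e.g. bank.example) is not enough
        return "flag:ddga"
    return "allow"


def process_log(log_text: str):
    """Classify each query in the log; returns (client, qname, verdict) tuples."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname = line.split()
        results.append((client, qname, classify(qname)))
    return results


def summarize(results):
    """Count verdicts across the processed log."""
    return Counter(verdict for _, _, verdict in results)


if __name__ == "__main__":
    rows = process_log(DNS_LOG)
    for client, qname, verdict in rows:
        print(f"{client:10} {qname:32} {verdict}")
    print(dict(summarize(rows)))
```

The blocklist match is the same check an RPZ policy expresses (a domain and everything beneath it), which is why the report can stop every stage of the chain once each component's domain is in the feed. The dictionary heuristic is deliberately a flag rather than a block: legitimate brands are sometimes two plain words, so its output belongs in an analyst queue or a real-time scoring service, not directly in the blocking policy.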
The Newly Observed Domains and the Ukrainian War
The wave of registration and observation of new domains related to the Russian invasion of Ukraine has been over for some time. Nonetheless, Infoblox research shows that low levels of new phishing campaigns, donation scams, and other suspicious activity are still being launched in an attempt to capitalize on the Ukraine crisis.
Overall, the data shows that the volume of legitimate domains exceeds that of malicious websites in the Infoblox environment. The rise of the newly observed domains began in the first week after the invasion (early March). For several weeks, many legitimate sites have been created to help bring relief to the Ukrainian people; however, cyber threat actors and scammers have also taken advantage of the crisis, creating their own sites and adding to the volume of newly observed domains. At the end of March (week 13), the number of domains began to decrease and the number of newly observed domains in the Infoblox data began to stabilize. The most recent trends, from April (week 14), show that on average the number of newly observed domains (legitimate and suspicious/malicious) continues to be higher – albeit slightly – compared to before the invasion.
Although the number of malicious domains is decreasing, users should remain vigilant. Based on previous experience, bad actors will continue to exploit individuals through email, malicious ads, and other means for as long as they can. For comparison, while COVID-related malware campaigns peaked in 2020, we’re still seeing them two years later. Users should carefully review donation requests from organizations they do not know and should not click on links from unknown sources.
“Our report shares research on many dangerous malware threats,” said Mohammed Al-Moneer, regional director, META at Infoblox. “Effective security depends on up-to-date and timely threat intelligence. Using the tools included in Infoblox BloxOne Threat Defense, security teams can collect, normalize, and distribute highly accurate, multi-source threat intelligence to strengthen the entire security stack. Additional features can help SecOps speed up threat investigation and response by up to two-thirds.”