Cyberthint Threat Hunters have analyzed a large-scale smishing attack targeting citizens living in Istanbul, Turkey, and share the findings below for our readers and followers.
What is Smishing?
Today, with the rapid development of the digital world, cybercrime is also evolving with new methods. One of these is a social engineering technique called “smishing”: phishing carried out via SMS (Short Message Service). Attackers using this method aim to deceive users in order to steal their personal information or infect their devices with malware.
Cyber Incident Analysis
The incident in question started on 02.01.2024 at around 19:00 with the SMS whose screenshot is shared below. Looking at the displayed sender name of the message, the sender ID “IBBMEZDAIBS” draws attention. The acronym brings to mind the “Department of Cemeteries” of the Istanbul Metropolitan Municipality (IBB). There is a strong possibility that the threat actor or actors gained access to a bulk SMS sending platform belonging to the IBB Department of Cemeteries and used it to send this crafted SMS to many people living in Istanbul. (This is an assessment based on our analysis and experience; the exact situation is not yet clear.)
When the shortened URL in the SMS is visited, it redirects to “edevlet-kapisi[.]com”.
When the “Uygulamayı Aç” (“Open the Application”) button on the malicious website is clicked, a file named “e-Devlet.apk” is downloaded to the device from “uygulamayiac[.]com”. Once installed and run, it starts its malicious activity on the device.
When the registration dates of the related domains are examined, it is seen that both domains were registered via registrar.eu a few days before the attack.
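As an added example (not part of the Cyberthint analysis), the triage heuristic below combines the three indicators described above, a shortened link landing on a brand-lookalike domain, a domain registered only days before the campaign, and a direct APK download, into a score for one SMS. The shortener, the redirect table, the registration dates and the allowlist of official hosts are constructed stand-ins for a live redirect follow and a WHOIS lookup.

```python
import re
from datetime import date
from urllib.parse import urlparse

# Assumed allowlist of legitimate hosts: the official e-Devlet portal is turkiye.gov.tr.
OFFICIAL_HOSTS = {"turkiye.gov.tr", "www.turkiye.gov.tr"}
BRAND_TOKENS = ("edevlet", "e-devlet")   # brand strings a lookalike host would contain

# Constructed lookup tables standing in for a live redirect follow and a WHOIS query.
RESOLVES_TO = {"https://short.example/x1": "https://edevlet-kapisi.com/"}  # constructed shortener
REGISTERED_ON = {
    "edevlet-kapisi.com": date(2023, 12, 29),  # constructed: a few days before 02.01.2024
    "uygulamayiac.com": date(2023, 12, 29),    # constructed
    "turkiye.gov.tr": date(2004, 1, 1),        # constructed placeholder for a long-lived domain
}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def refang(text):
    """Turn defanged indicators such as edevlet-kapisi[.]com or hxxps:// back into parseable form."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def expand(url):
    """Resolve a shortened link via the constructed table (a real tool would issue a HEAD request)."""
    return RESOLVES_TO.get(url, url)


def domain_age_days(host, today):
    """Days since registration, or None when no WHOIS record is available."""
    registered = REGISTERED_ON.get(host)
    return (today - registered).days if registered else None


def assess_sms(body, download_url=None, today=date(2024, 1, 2)):
    """Score one SMS plus the file its page serves: returns (score, reasons); 3 or more is smishing."""
    urls = [expand(u) for u in URL_RE.findall(refang(body))]
    if download_url:
        urls.append(refang(download_url))
    findings = []
    for url in urls:
        parsed = urlparse(url)
        host, path = parsed.hostname or "", parsed.path.lower()
        if host not in OFFICIAL_HOSTS and any(t in host for t in BRAND_TOKENS):
            findings.append((3, f"lookalike of an official brand: {host}"))
        age = domain_age_days(host, today)
        if age is not None and age < 30:
            findings.append((2, f"{host} registered only {age} days ago"))
        if path.endswith(".apk"):
            findings.append((3, f"direct APK download from {host}"))
    return sum(points for points, _ in findings), [reason for _, reason in findings]
```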
The Istanbul Metropolitan Municipality warned citizens, in a statement on its official X account, not to take any action regarding the SMS.
This post by the municipality on its own social media account reinforces the assumption above that there was unauthorized access to the SMS sending panel.
Analysis of Android (APK) App
When “e-Devlet.apk” is analyzed statically, it is observed that the source code is obfuscated.
One of the obfuscated resources draws attention. Based on its file name and contents, it was determined that the APK file was obfuscated with an obfuscator named NPManager on 26.11.2023 at 09:23.
At the time of writing, the APK file is flagged as malicious by 22 of 63 antivirus engines on VirusTotal.
Threat Definition: Android Banker Dropper
Recommendations
Protecting yourself from smishing attacks requires vigilance and taking precautions in suspicious situations. By following these simple steps, you can protect your personal information and be more secure against fraud attempts.
- Examine Suspicious Messages Carefully: Carefully review messages from unknown numbers or unfamiliar names. Messages with typos, meaningless characters or unexpected links can often indicate fraud attempts.
- Avoid Sharing Personal Information: No government agency, bank or financial institution will ask you for personal information via SMS. Be careful not to share your credentials, passwords or bank account details.
- Verify Links: Before clicking a link in an incoming message, go to the organization's official website and verify the information there. If a link looks suspicious, visit the official website of the relevant organization directly instead of clicking it.
- SMS Filtering and Blocking: Use the filtering features of your phone or messaging apps to block messages from suspicious numbers. This can prevent repeated fraud/scamming attempts.
- Report Unauthorized Messages to the Relevant Authority: If you receive a suspicious message, report it by calling the customer service of the relevant bank or organization. This can help them inform other potential victims.
- Precautions for Organizations: Brand Monitoring & Protection and Threat Intelligence Feed services are effective in combating this kind of cyberattack.