Infoblox has published its Q2 2022 report, drawing attention to many dangerous malware threats to organizations. The research compiles the main threats and security breaches detected during the months of April–June 2022 and highlights smishing as one of the most prominent forms of attack.
Smishing, a cyberattack strategy that combines SMS (short message service, also known as text messages) and phishing, has been revealed as a new and sophisticated mechanism to obtain personal and financial information from victims, through false forms on fraudulent sites.
A wave of VexTrio attacks using dictionary domain generation algorithm (DDGA) has infected numerous websites built on WordPress, which in turn infect visitors to those sites with malware or spyware by executing Javascript code.
Infoblox, a leader in secure and cloud-managed network services, has published a new edition of the company’s Quarterly Cyberthreat Intelligence Report, a security intelligence report that compiles the main threats and security breaches detected during recent months on a quarterly basis worldwide.
Among the main conclusions of this report, which covers the months of April–June 2022, are:
Smishing – A strategy that combines SMS and phishing
Smishing messages are sent by bad actors to get victims to reveal private information, including passwords, identity and financial data. The messages typically include some incentive for the recipient to click a link, which may be for a site that hosts malware or a page that attempts to convince the user to submit data through a form.
Actors have regularly used spoofed sender numbers in the text messages to evade spam filters. However, those messages that are not automatically detected by the mobile provider can be stopped by blocking the sender’s phone number. In response, threat actors continue to evolve their own techniques.
In a well-known version of mobile phone spoofing, a recipient receives a text or phone call from someone who appears to be in the area close to the recipient. Users are hesitant to block local phone numbers for fear it would also block legitimate phone calls and messages.
Spoofing the recipient’s phone number is another advance by actors to overcome spam filtering and blocking and to convince users to click on the embedded links in the messages.
Prevention and mitigation
Smishing messages are a common method for sending phishing links. Infoblox recommends the following precautions for avoiding smishing attacks:
- Always be suspicious of unexpected text messages, especially those that appear to contain financial or delivery correspondences, documents or links.
- Never click URLs in text messages from unknown sources. In the campaign under discussion, the source was the recipient, who did not send the message, and that is a red flag.
VexTrio DDGA domains spread adware, spyware and scam web forms
Since February 2022, Infoblox’s Threat Intelligence Group (TIG) has been tracking malicious campaigns that use domains generated by a dictionary domain generation algorithm (DDGA) to run scams and spread riskware, spyware, adware, potentially unwanted programs and pornographic content. This attack is widespread and impacts targets across many industries.
VexTrio actors heavily use domains and the DNS protocol to operate their campaigns. The actors leverage vulnerable WordPress websites as attack vectors to serve fraudulent content to unknowing website visitors.
To accomplish this, they first detect websites that show cross-site scripting (XSS) vulnerabilities in WordPress themes or plugins, then inject malicious JavaScript code into them. When victims visit these websites, they are led to a landing web page that hosts fraudulent content, via one or more intermediary redirect domains that are also controlled by the actors.
Additionally, as a means to avoid detection, the actors have integrated several features into their JavaScript and require the following conditions from the user to trigger the redirect:
- The user must visit the WordPress website from a search engine. For example, the referrer URL can be https://www.google.com/.
- Cookies are enabled in the user’s web browser.
- The user has not visited a VexTrio compromised web page in the past 24 hours.
Prevention and mitigation
VexTrio primarily abuses vulnerable WordPress websites to deliver unwanted content to visitors. Embedding malicious JavaScript code in oft-visited web blogs and other popular but vulnerable websites helps the actors widen their reach. Infoblox assesses the VexTrio DDGA campaign could serve as a delivery vector for other cybercrime syndicates and thereby enable follow-on attacks.
Infoblox recommends the following actions for protection from this kind of attack:
- Disabling JavaScript on web browsers completely, or enabling it only for trusted sites, can help mitigate attacks employed by VexTrio actors, who capitalize on the use of JavaScript to run their tasks.
- Consider using an adblocker program to block certain malware activated by popup ads. Along with an adblocker, consider using the web extension NoScript, which allows JavaScript and other potentially harmful content to execute only from trusted sites to reduce the attack surface available to actors.
- Implementing Infoblox’s RPZ feeds in firewalls can stop the connection by actors at the DNS level, as all components described in this report (compromised websites, intermediary redirect domains, DDGA domains and landing pages) require the DNS protocol. TIG detects these components daily and adds them to Infoblox’s RPZ feeds.
- Leveraging Infoblox’s Threat Insight service, which performs real-time streaming analytics on live DNS queries, can provide high-security coverage and protection against threats that are based on DGA as well as DDGA.
