Phone phishing attack hits US
Tom Espiner
ZDNet UK
June 23, 2006, 17:05 BST
Criminals have launched a blended attack which attempts to lure users to a
malicious Web site via text message.
IT managers have been warned to alert their staff to the attack, which uses
social engineering techniques to try to trick users to the phishing site,
according to security vendor Websense.
Users are sent an SMS text message to their mobile phone, thanking them for
subscribing to a fictitious dating service. The message states that they will
be automatically charged a subscription fee of $2.00 per day, which will be
added to their phone bill, until their subscription is cancelled at the online
site.
The same message has also been spammed to the comments section of numerous
bulletin boards.
Once victims visit the site to unsubscribe, they are prompted to download a
Trojan horse program which is a variant of a program Websense calls "Dumador".
Once installed, the program turns the computer into a zombie, allowing it to be
remotely controlled by the hackers.
Once machines have been compromised, they become part of a bot network, which
can then be used to launch distributed denial of service attacks, install
keylogging software and store account information.
"This is definitely the first time we've seen this specific approach," said
Ross Paul, a senior product development manager at Websense. "Basically they're
taking a social engineering attack vector with a lot of users," Paul added.
The attack began on Thursday in the US, and according to Websense was first
detected by Sunbelt Software, a security software vendor. The attack has so far
been focused solely on the US, but may spread to the UK.
Websense said it had been monitoring the attacks, but couldn't divulge the
identity of those responsible, or say whether it was collaborating with the
authorities in this specific case.
"In general, these kinds of attack are perpetrated by organised rings of
people. In some cases we know their nicknames, which we share with law
enforcement. We regularly share information with the police when that makes
sense," Paul said.
Websense could not say exactly how many users had been affected by the attack.
Monitoring botnet activity is "very difficult to do", due to the cross-border
nature of the networks, according to Paul.
The Dumador Trojan allows hackers to use HTTP to control the bots and trigger
them to upload information. The most popular method of bot control is through
Internet Relay Chat (IRC).
IT managers were advised to educate staff on the growing sophistication of
social engineering att
