The Flubot banking trojan is attempting to infect devices by using SMS messages. The messages claim to be from parcel delivery companies such as the Post Office, UPS, DHL and others. Some messages focus on the user paying a small fee to have their package redelivered. Others try to get them to download an app to track their package. If the user taps the link, they are taken to a fake site, the malware is installed on their device, and their banking credentials are stolen.
One subpostmaster in the UK is so concerned about Flubot he has posted a video on his Facebook page warning customers to be aware.
Making this attack more effective is the widespread availability of mobile phone numbers from multiple breaches. The largest of these is the Facebook breach, but it is far from being the only one. LinkedIn has also had a major breach of data, including telephone numbers. As both are services where users keep their mobile numbers updated, attackers know the vast majority of messages will get to the intended target.
It has also become extremely easy for cybercriminal gangs to buy access to bulk SMS messaging services. As the services do not vet the messages being sent, they enable the malicious campaigns to be effective.
How does Flubot work?
Burak Agca, security engineer at Lookout, commented on this. He wrote:
“When an Android user taps the malicious link, they are forwarded to a page where they are prompted to download an app so they can track their package. Once installed, the infected app Flubot can intercept and send SMS messages, display screen overlays, and steal contacts. iOS users, by comparison, are directed to phishing pages that link to other malware or impersonate major banks in the hopes of stealing that user’s mobile banking login credentials. Almost 80% of mobile phishing attacks are intended to deliver malware like FluBot.”
Flubot has other capabilities beyond those above. It is delivered as Malware as a Service (MaaS). That means its owner rents it out to anyone who can afford it. It also runs its own command and control servers. In this current attack, more than 400 of these servers have already been uncovered. Such a large infrastructure makes it harder to spot and take down.
For an attacker to use Flubot, all they need to do is rent it, customise their messages and select whom they want to target. So far, attackers have targeted users across Europe, with the UK seeing a significant number of attacks. The likelihood is that the US will be the next country to see a wave of Flubot attacks.
Enterprise Times: What does this mean?
Scammers and cybercriminals will go to any means to steal from their victims. With people still working remotely and shopping online, attacks like Flubot have a fertile breeding ground. Nobody wants to miss a parcel or have it returned because of a problem with unpaid fees. However, all the major parcel delivery companies have made it clear that they don’t send messages via SMS asking for additional payments.
Anyone getting such a message should just delete it. If you are worried about a package or want to track where it is, open a browser and search for the parcel carrier's own website. The carrier will advise you on how to track a parcel.
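The advice above boils down to one check: does the link in the message actually lead to the carrier it claims to be from? The following Python is an added illustration of that check, not code from the article or from Lookout. It takes an SMS body, looks for a carrier name, one of the two lures described in the article (a redelivery fee or a tracking app), and a link whose host is not on a small allowlist of carrier domains. The allowlist and the sample messages are constructed for the example; confirm real domains against each carrier's own guidance before relying on them.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist of carrier web domains (assumption for this example):
# confirm the real domains with each carrier before using this in anger.
CARRIER_DOMAINS = {
    "post office": {"postoffice.co.uk"},
    "royal mail": {"royalmail.com"},
    "ups": {"ups.com"},
    "dhl": {"dhl.com"},
}

# Lure phrases taken from the article: a small fee to redeliver, or an app
# to install in order to track the parcel.
LURE_PATTERNS = [
    (r"\bredeliver", "redelivery lure"),
    (r"\b(?:fee|unpaid|pay|payment)\b", "fee demand"),
    (r"\b(?:install|download|app)\b", "app-install lure"),
]

# Matches http(s) URLs, www. hosts, and bare host/path strings such as foo.top/x
URL_RE = re.compile(
    r"https?://\S+|\bwww\.\S+|\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}(?:/\S*)?",
    re.I,
)


def extract_hosts(text):
    """Return the lowercase hostnames of every link-like token in the message."""
    hosts = []
    for m in URL_RE.finditer(text):
        raw = m.group(0).rstrip(".,;:!?)")
        if not re.match(r"https?://", raw, re.I):
            raw = "http://" + raw  # urlparse needs a scheme to split out the host
        host = urlparse(raw).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def host_belongs_to(host, domains):
    """True if host is one of the domains or a subdomain of one of them."""
    return any(host == d or host.endswith("." + d) for d in domains)


def assess_sms(text):
    """Flag a message that names a carrier or uses a lure but links elsewhere."""
    lower = text.lower()
    carriers = [c for c in CARRIER_DOMAINS
                if re.search(r"\b" + re.escape(c) + r"\b", lower)]
    allowed = set().union(*(CARRIER_DOMAINS[c] for c in carriers))
    hosts = extract_hosts(text)
    unknown_hosts = [h for h in hosts if not host_belongs_to(h, allowed)]
    lures = [label for pat, label in LURE_PATTERNS if re.search(pat, lower)]

    reasons = []
    if carriers:
        reasons.append("names a carrier: " + ", ".join(carriers))
    reasons.extend(f"link to a host outside the carrier's domains: {h}"
                   for h in unknown_hosts)
    reasons.extend(lures)

    # A link that does not go to the named carrier, combined with either a
    # carrier name or a lure, is what the article describes; a link on its
    # own (no carrier, no lure) is not enough to flag.
    suspicious = bool(unknown_hosts) and (bool(carriers) or bool(lures))
    return {"suspicious": suspicious, "carriers": carriers,
            "hosts": hosts, "reasons": reasons}


# Constructed sample messages, not real captures.
SAMPLE_MESSAGES = [
    "DHL: your parcel could not be delivered. Pay the 1.99 redelivery fee at http://dhl-parcel-redeliver.top/x",
    "Royal Mail: track your parcel at https://www.royalmail.com/track-your-item",
    "UPS: install our tracking app to follow your package: ups-track.app/dl",
    "Your friend sent you a link: http://example.org",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        result = assess_sms(msg)
        print("SUSPICIOUS" if result["suspicious"] else "ok", "-", msg)
        for reason in result["reasons"]:
            print("    ", reason)
```

The decision deliberately requires both a lure or carrier name and a link off the allowlist: a message that merely contains a link, or that names a carrier and links to that carrier's real site, is left alone. Any real deployment would want a fuller allowlist, handling of shortened URLs, and the carrier's own published domains rather than the constructed set here.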