Phone phishing attack hits US

Criminals are trying a new approach to try to dupe people into downloading a Trojan horse program
Written by Tom Espiner, Contributor

Criminals have launched a blended attack which attempts to lure users to a malicious Web site via text message.

IT managers have been warned to alert their staff to the attack, which uses social engineering techniques to try to trick users to the phishing site, according to security vendor Websense.

Users are sent an SMS text message to their mobile phone, thanking them for subscribing to a fictitious dating service. The message states that they will be automatically charged a subscription fee of $2.00 per day, which will be added to their phone bill, until their subscription is cancelled at the online site.

The same message has also been spammed to the comments section of numerous bulletin boards.

Once victims visit the site to unsubscribe, they are prompted to download a Trojan horse program which is a variant of a program Websense calls "Dumador". Once installed, the program turns the computer into a zombie, allowing it to be remotely controlled by the hackers.

Once machines have been compromised, they become part of a bot network, which can then be used to launch distributed denial of service attacks, install keylogging software and store account information.

"This is definitely the first time we've seen this specific approach," said Ross Paul, a senior product development manager at Websense. "Basically they're taking a social engineering attack vector with a lot of users," Paul added.

The attack began on Thursday in the US, and according to Websense was first detected by Sunbelt Software, a security software vendor. The attack has so far been focused solely on the US, but may spread to the UK.

Websense said it had been monitoring the attacks, but couldn't divulge the identity of those responsible, or say whether it was collaborating with the authorities in this specific case.

"In general, these kinds of attack are perpetrated by organised rings of people. In some cases we know their nicknames, which we share with law enforcement. We regularly share information with the police when that makes sense," Paul said.

Websense could not say exactly how many users had been affected by the attack. Monitoring botnet activity is "very difficult to do", due to the cross-border nature of the networks, according to Paul.

The Dumador Trojan allows hackers to use HTTP to control the bots and trigger them to upload information. The most popular method of bot control is through Internet Relay Chat (IRC).

IT managers were advised to educate staff on the growing sophistication of social engineering attacks.

Editorial standards