Hackers are trying to lure people to a malicious Web site using cell phone
text messages, a security company has warned.
The blended attack uses social engineering techniques in its attempt to trick
people into visiting the site, security vendor Websense said in an advisory. An SMS text message is sent to
the targets' cell phones, thanking them for subscribing to a fictitious dating
service. The message states that they will be automatically charged a fee of
US$2.00 per day via their phone bill, unless their subscription is cancelled
The same message has also been sent multiple times to the comments section of
numerous bulletin boards, Websense said. The attack began on Friday in the
United States and was first detected by Sunbelt Software, a security software vendor,
Once victims visit the purported dating site to unsubscribe, they are
prompted to download a Trojan horse program. (A Trojan horse is malicious
software that disguises itself as another kind of application.) The attackers
provide instructions on how to bypass security warnings in Internet Explorer,
After the Trojan horse--a variant of a program Websense calls "Dumador"--is
installed, it turns the computer into a "zombie,"
allowing it to be remotely controlled by the hackers. The compromised machines
then become part of a "bot" network, which can then be used to launch
distributed denial-of-service attacks.
"This is definitely the first time we've seen this specific approach," said
Ross Paul, a senior product development manager at Websense. "Basically, they're
taking a social engineering attack vector with a lot of users."
Websense said it had been monitoring the attacks, but couldn't divulge the
identity of those responsible or say whether it was collaborating with the
authorities on the case.
"In general, these kinds of attack are perpetrated by organized rings of
people. In some cases we know their nicknames, which we share with law
enforcement. We regularly share information with the police, when that makes
sense," Paul said.
Websense could not say how many users had been affected by the attack.
Monitoring botnet activity is "very difficult" to do because of the cross-border
nature of the networks, Paul said.
The Dumador Trojan allows hackers to use HTTP to control the bots and trigger
them to upload information. Typically, the most popular method of bot control is
through Internet Relay Chat (IRC).