SMS alerts about data breaches lead to malicious websites

Mar 30, 2009 09:16 GMT

Security researchers from Sophos warn of a new malware-distribution scheme that involves fake notifications sent via SMS. The messages inform users that their banking details have been exposed and are available on a website that actually serves exploits.

According to the Sophos alert, the incident was reported to the company by a UK government worker, who in turn was notified of it by a librarian. The librarian stumbled upon the scam when a user attempted to visit a malicious website from a library PC.

“The user received an SMS message to say that his bank account details had been posted on the Internet and gave him a URL to go to. He attempted to access the site using a library PC but failed and queried the librarian about the security on the PC who raised a support call with us,” the government employee writes.

The spammed URL contained obfuscated JavaScript that loaded a malformed PDF file through an IFrame. The PDF file, identified by Sophos as Troj/PDFJs-B, exploits a security vulnerability in Adobe Reader or Acrobat and downloads additional malware onto the victim's computer.

To make sure that the PDF exploit is successful, the website displays a message saying that Internet Explorer is required to access it. “Please wait 15 seconds, your personal information is loading...,” the web page reads. “IMPORTANT: You must use Internet Explorer browser to access your personal data, in other way you cant [sic.] access our database,” it claims.
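As an added example (not code from Sophos or from the original article), the Python sketch below is a static triage pass for the combination described above: script obfuscation, an IFrame to a PDF hidden behind one encoding layer, and the Internet Explorer lure text. The sample page, the `example.invalid` host and the list of obfuscation markers are constructed assumptions; the article does not say how the real script was obfuscated.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed sample (not the real page): one percent-encoding layer hides an
# iframe that points at a PDF on a placeholder host, next to the lure text.
SAMPLE = """<p>IMPORTANT: You must use Internet Explorer browser to access your personal data</p>
<script>document.write(unescape("%3Ciframe%20src%3D%22http%3A//example.invalid/a.pdf%22%20width%3D%221%22%3E%3C/iframe%3E"));</script>"""

# Assumed obfuscation markers; the article does not say which the page used.
OBFUSCATION = re.compile(r"\b(eval|unescape|String\.fromCharCode|document\.write)\s*\(")
STRING_LIT = re.compile(r"\"([^\"]*)\"|'([^']*)'")
PCT = re.compile(r"%[0-9A-Fa-f]{2}")

class PageScan(HTMLParser):
    """Collects iframe sources, inline script bodies and visible text."""
    def __init__(self, html):
        super().__init__()
        self.iframes, self.scripts, self.text = [], [], []
        self._in_script = False
        self.feed(html)
        self.close()
    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs).get("src") or "")
        self._in_script = tag == "script"
    def handle_endtag(self, tag):
        self._in_script = False  # inside <script> only </script> is parsed as a tag
    def handle_data(self, data):
        (self.scripts if self._in_script else self.text).append(data)

def triage(html):
    """Return sorted indicator names found in one HTML document."""
    page, found = PageScan(html), set()
    iframes = list(page.iframes)
    for body in page.scripts:
        if OBFUSCATION.search(body):
            found.add("obfuscation-call")
        for a, b in STRING_LIT.findall(body):
            if len(PCT.findall(a or b)) >= 4:            # mostly-encoded literal
                hidden = PageScan(unquote(a or b)).iframes  # undo one layer only
                if hidden:
                    found.add("iframe-hidden-in-encoded-string")
                    iframes += hidden
    if any(s.lower().split("?")[0].endswith(".pdf") for s in iframes):
        found.add("iframe-loads-pdf")
    if re.search(r"must use internet explorer", " ".join(page.text), re.I):
        found.add("browser-requirement-lure")
    return sorted(found)
```

A single indicator, such as a plain IFrame to a PDF, is common on legitimate sites; it is the combination that warrants a closer look in a sandbox.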

“I haven’t seen details of a scam like this before and have looked for a site on which to report it without success. I’m assuming you’ll know what to do with it,” the public worker writes to Sophos. Indeed, a scheme carried out over SMS that preys on users' concern about identity theft is not at all common.

However, malware distributors have always come up with new ways of tricking users, and this new ruse suggests that the constant efforts of the security community and even government agencies to educate people seem to be paying off.

The switch to fake notifications sent by SMS, as opposed to e-mail, serves the purpose of making the scheme more believable. People might be used to receiving a lot of junk and fake e-mails, but SMS messages are a lot more personal and involve the sender knowing their phone number. Therefore, users could be more easily tricked into thinking that the alerts are genuine.