Intro
As part of its ongoing commitment to enhancing financial awareness, inclusion, and literacy across all segments of society, National Bank of Kuwait (NBK) has launched a cyberawareness campaign to protect consumers in the country from malicious cyber activity and fraud. That follows the identified activity of cybercriminals groups, such as Smishing Triad, targeting consumers by leveraging advanced smishing and phishing kits.
Kuwait said on Thursday that it had foiled large-scale cyberattacks targeting telecom towers and banks in the Gulf country. An Interior Ministry statement said that the attacks were orchestrated by an international cybercrime ring of Chinese nationals. The ministry said the suspects behind the attacks were arrested and affirmed its commitment to safeguarding national security and strengthening cybersecurity measures to protect the country.
According to the statement, the perpetrators used sophisticated electronic devices and advanced data analysis techniques to send fraudulent messages impersonating banks and telecom companies in a bid to carry out phishing scams. The ministry said the suspects were referred to the relevant authorities for legal action. There was no immediate comment from Chinese authorities regarding the ministry’s statement.
Background
Resecurity was tracking the cybercriminal group for a while. Multiple episodes of their malicious activity targeting different geographies were described in our earlier threat intelligence publications:
Cybercriminals Impersonate Dubai Police to Defraud Consumers in the UAE - Smishing Triad in Action
https://www.resecurity.com/blog/article/cybercriminals-impersonate-dubai-police-to-defraud-consumers...
Smishing Triad Is Targeting India To Steal Personal and Payment Data at Scale
https://www.resecurity.com/blog/article/smishing-triad-is-targeting-india-to-steal-personal-and-paym...
Smishing Triad Is Targeting Pakistan To Defraud Banking Customers At Scale
https://www.resecurity.com/blog/article/smishing-triad-is-targeting-pakistan-to-defraud-banking-cust...
Cybercriminals Accelerate Online Scams During Ramadan and Eid Fitr
https://www.resecurity.com/blog/article/cybercriminals-accelerate-online-scams-during-ramadan-and-ei...
Cybercriminals Impersonate UAE Federal Authority for Identity and Citizenship on the Peak of Holidays Season
https://www.resecurity.com/blog/article/cybercriminals-impersonate-uae-federal-authority-for-identit...
Smishing Triad Impersonates Emirates Post to Target UAE Citizens
https://www.resecurity.com/blog/article/Smishing-Triad-Impersonates-Emirates-Post-Target-UAE-Citizen...
Smishing Triad Targeted USPS and US Citizens for Data Theft
https://www.resecurity.com/blog/article/smishing-triad-targeted-usps-and-us-citizens-for-data-theft
Chinese Connection
The notable difference that this time the peers of the group were using specialized devices in close proximity to the victims and telecommunication equipment offline. Investigations found that sophisticated electronic devices had enabled the six-member gang to hack into communication networks and send extensive fraudulent messages allegedly sent from some banks with the aim of stealing bank account data and seizing money. Through signal tracking devices, security agencies identified the source of the signals to be coming from a vehicle in the Farwaniya area, south of Kuwait City. “The security teams immediately moved to the specified location where the suspicious vehicle was spotted,” the ministry said in a statement. “While approaching the vehicle, the mobile phone network was affected, with the sounds of electronic devices being heard from inside it. The driver, who is of Chinese nationality, was arrested, along with electronic devices,” it added in a statement. The suspects admitted during interrogations to having participated with others in hacking into telecommunications networks and sending fraudulent messages impersonating banks and telecom companies with the aim of committing fraud.
The Differentiator
Bad actors exploit GSM (Global System for Mobile Communications) towers, particularly through the use of fake cell towers, to send SMS spam and phishing messages. This method allows them to bypass traditional security measures and target users directly on their mobile devices. Cybercriminals can deploy rogue base transceiver stations (BTS), which mimic legitimate GSM towers. When mobile devices connect to these fake towers, the attackers can intercept SMS messages and other data. This allows them to send fraudulent messages that appear to come from legitimate sources, tricking users into providing sensitive information. Once connected to a rogue tower, attackers can send out smishing messages that may contain links to malicious websites or prompts to download malware. These messages often create a sense of urgency, encouraging victims to act quickly without thinking critically about the legitimacy of the request.
Fake cell towers, also known as IMSI catchers or Stingrays, mimic legitimate cellular towers. When a mobile device connects to one of these rogue towers, the attacker can intercept communications and send fraudulent messages. This technique is particularly effective against older 2G networks, which lack robust encryption and security protocols
Mechanisms of Attack
SMS Spam: Once connected to a fake tower, users may receive unsolicited SMS messages. These messages can promote scams, advertisements, or phishing attempts designed to trick users into revealing personal information.
Phishing (Smishing): This specific type of phishing, known as smishing, involves sending deceptive text messages that appear legitimate. Users are often less cautious with SMS than with emails, making them more susceptible to scams. For instance, a message might claim to be from a bank or service provider, prompting the recipient to click a link or provide sensitive information
Psychological Manipulation: Cybercriminals have become adept at exploiting psychological triggers. They craft messages that create a sense of urgency or fear, compelling users to act quickly without scrutinizing the content.
GSM towers are critical infrastructure for mobile networks, and compromising them can allow attackers to intercept communications. This can be particularly appealing for state-sponsored actors or criminal organizations looking to gather sensitive information, such as personal data or corporate secrets. Criminal organizations may attack GSM towers to facilitate other illegal activities, such as drug trafficking or organized crime. Disabling communication can provide them with a tactical advantage, allowing them to operate without the risk of being monitored or intercepted by law enforcement.
Implications and Risks
The use of fake GSM towers poses significant risks, including:
Data Theft:
Users may unknowingly provide personal information, leading to identity theft or financial loss.
Malware Distribution:
Some smishing attacks may include links to malicious software, which can compromise the user's device.
Trust Erosion:
As these attacks become more prevalent, users may become increasingly wary of legitimate communications, complicating the relationship between consumers and service providers.
In summary, the motivations behind attacks on GSM towers are varied and can include disrupting communication, espionage, symbolic resistance, and facilitating criminal activities. Each of these factors highlights the strategic importance of telecommunications infrastructure in modern society.
Associated Risks for Financial Institutions
Financial institutions should be acutely aware of the risks associated with GSM tower compromises and the inherent vulnerabilities of SMS as a communication method. Here are several reasons why they should treat SMS as insecure:
1. Vulnerability to Interception:
SMS messages are not encrypted, making them susceptible to interception by cybercriminals. Attackers can exploit weaknesses in the GSM network, such as SS7 vulnerabilities, to access SMS messages. This means that sensitive information, including authentication codes and personal data, can be easily compromised.
2. Risks of SIM Swapping:
Cybercriminals can perform SIM swapping attacks, where they convince mobile carriers to transfer a victim's phone number to a new SIM card controlled by the attacker. This allows them to receive SMS messages intended for the victim, including two-factor authentication codes, thereby gaining unauthorized access to financial accounts.
3. Social Engineering Attacks:
SMS is often used in social engineering attacks, where attackers trick users into revealing sensitive information. Since SMS messages can appear to come from legitimate sources, users may be more likely to fall for scams that request personal or financial information.
4. Lack of Robust Security Measures:
Many financial institutions still rely on SMS for multi-factor authentication (MFA), despite its known weaknesses. This reliance can create a false sense of security among users, who may believe that SMS-based MFA is sufficient to protect their accounts. However, the reality is that SMS is one of the weakest links in securing online transactions.
Financial institutions should consider the significant risks associated with using SMS (Short Message Service) as a method for two-factor authentication (2FA) or alternative multi-factor authentication (MFA).
Given these significant security risks, financial institutions should consider transitioning away from SMS-based authentication methods and explore more secure alternatives, such as authenticator apps, security keys, or biometric authentication.
By addressing the vulnerabilities inherent in SMS-based authentication, financial institutions can better protect their customers and mitigate the risk of data breaches and financial fraud.
