20,000 phishing SMS posing as Guichet.lu detected in one week
POST I 9:00 am, 23rd January
Are you one of the people who recently received an SMS claiming to have come from Guichet.lu and inviting you to claim your right to a tax rebate of as much as several hundred euros? In recent weeks, an extensive SMS phishing campaign has targeted Luxembourg mobile numbers, pretending to be the Public Administration citizens’ portal. As often with this type of attack, the goal of cyber criminals is to retrieve data, such as user names, passwords, authentication codes, which they can then use to extort money from you.
Between 1,500 and 6,000 phishing attempts every day
Using its tool Telecom Intrusion Detection System (TIDS) developed by its CYBERFORCE department, POST was able to carry out an in-depth analysis of this phishing attack that stole Guichet.lu's identity.
In the first week of January, we detected some 20,000 fraudulent SMS text messages allegedly sent on behalf of the public portal and passing through our mobile network. In recent weeks, between 1,500 and 6,000 of these messages have been sent daily to Luxembourg mobile numbers from various foreign platforms. These messages invite you to click on URLs containing the words ‘guichet,’ ‘my-guichet’ or ‘lux’ with the aim of duping the user.
Example of fraudulent SMS:
The fact that the senders of the messages and the phishing websites to which links are redirected change continuously makes these attacks particularly difficult to identify and thwart.
Example of malicious website:
Example of Website blocked by Google Safe Browsring:
A unique tool for detecting fraudulent SMS
To provide a response to this fraud, the detection of these attacks inside TIDS deployed by the CYBERFORCE team uses machine learning. It analyses the content of messages passing through POST network in order to detect fraud attempts. The approach is fully automated. Using artificial intelligence technology, the confidentiality of content can be guaranteed while this surveillance is carried out.
The tool raises an alert for each fraudulent phishing message. Subsequent messages having the same/similar content can then be blocked by POST. As part of this recent campaign, and despite being under no obligation to do so, the team made sure that many of these messages were blocked, as far as the resources available permitted. However, it was not possible to block every message, and unfortunately some reached the end users.
Very convincing attacks
This campaign, in which the attackers pose as Guichet.lu, is not an isolated one. In recent years, malicious groups have been passing themselves off as large Luxembourg organisations, including well established Luxembourg banks, LuxTrust, POST, or other service providers for citizens, in order to steal data or, worse still, money from users.
These attacks demonstrate a deep understanding of the Luxembourg ecosystem and its stakeholders. Some fraudulent SMS text messages were sent in Luxembourgish. Sites to which fraudulent links refer reproduce the environment of the web portals of the organisations whose identity the attackers have assumed.
Detecting and blocking messages that usurp your identity
In order to help organisations whose clients are deceived by these campaigns, POST provides a dedicated service, ensuring that SMS phishing campaigns targeting the clients are detected and promptly handled. This helps reduce support effort and improve customer experience to the organisations.
In addition to blocking malicious SMS before they reach the user, the service also blocks its sender. What is more, steps are being taken to inform relevant cyber-incident handling teams about the website via which cyber criminals attempt to retrieve connection data. Their hosting service of the website is notified, and the domain name is reported as being used for criminal activities. DNS services are also informed to about malicious domains. Finally, the team also warns web browser creators to include incriminated phishing websites in existing anti-phishing devices. These various measures help to counter attacks.
Preventing risks
Even though these attackers are beyond the control of the organisation whose identity has been usurped, it still has to suffer the consequences. A bank’s customer whose money has been stolen as a result of a phishing campaign will necessarily contact customer service, which will have to devote resources to it and, where appropriate, compensate the customer if fraud can be proved. Preventing such attacks through POST services minimize the exposure to such unpleasantness and avoids the risk of users’ confidence in a bank, administration or organisation being damaged.
We must remain vigilant
Lastly, users should be reminded to be cautious about text messages or emails asking them to log in and provide information. Most organisations or administrations NEVER directly invite beneficiaries of their services to connect via an Internet link sent by SMS or email. In general, it is recommended that you never click on a link that is sent to you unless this is in connection with something that you yourselves have initiated (for instance, a password renewal). When in doubt, do not click, and consult your provider using a formal access channel.
Subscribe to our Newsletters
Stay up to date with our latest news
more news
"Small is Beautiful": Post Cyberforce, Wins GSMA Telecommunication-ISAC Award
by Kamel Amroune I 7:32 am, 28th February
Embodying the principle that "Small is Beautiful," Post Cyberforce, under the exemplary leadership of Mohamed Ourdane, and Alexandre De Oliveira for his investment in GSMA T-ISAC have been honored with the prestigious GSMA Telecommunication-ISAC awards.
Interview de Paul Jung : Ivanti et les défis de la cybersécurité
by Excellium Services I 8:52 pm, 12th February
Ivanti, un fournisseur américain de logiciels, a été confronté à une série de vulnérabilités majeures affectant ses appliances de VPN professionnel, notamment Ivanti Connect Secure. Ces failles ont été exploitées dans une attaque de grande envergure touchant des milliers de clients répartis dans des secteurs critiques tels que l'aérospatial, la finance, la défense et les télécommunications à l'échelle mondiale. Les entreprises françaises ainsi que des firmes du Fortune 500 figurent parmi les victimes de cette cyberattaque. Bien qu'Ivanti n'ait pas été directement piraté, les experts en cybersécurité, notamment ceux de la firme Volexity, ont identifié des compromissions potentielles de données affectant au moins 1 700 entreprises.Dans cette interview, nous avons eu l'occasion de discuter avec Paul Jung, Responsable des Opérations CSIRT, chez Excellium Services, pour évaluer l'impact de ces vulnérabilités et discuter des mesures à prendre pour renforcer la sécurité des entreprises touchées.
load more