The well-known TrickBot malware has been updated with a new version and new features, and a hacking group is using it against mobile carrier users. The new variants are confirmed to be used against users of T-Mobile, Sprint and Verizon, among others.
Major Mobile Carrier Users Targeted By Updated TrickBot Attacks
TrickBot is primarily known as a banking Trojan among the security community. Over time, different hacking groups have created their own iterations for their own campaigns and developed it into a very dangerous weapon. Recently a group of security experts discovered that a new TrickBot release is used by hackers against users of popular mobile carriers such as Sprint, T-Mobile and Verizon. This is done by infecting sites and end devices with malicious code that redirects users who visit the landing pages of the services to a fake phishing copy.
For this to work, the websites need to be injected with the required malicious code, which is powered by TrickBot. As a result, after users request the sites, an injection is done in their browsers, which leads to the display of the phishing domains. What's particularly dangerous is that the introduction of this malicious code leads to the display of extra information prompts, for example for the PIN codes of the smartphones. The hackers will use the gathered information to launch a series of other crimes: blackmail, financial abuse, identity theft and so on. This gives hackers the ability to carry out two specific scams:
- Port-Out — Once the information is acquired from the victims, the hackers can institute the "port-out scam". This is the practice of fraudulently moving the victim's service out of one carrier to another. This is done to automatically intercept messages, calls and other activity. When the porting process has completed, the phone will shut off for the victim user and the hackers will be able to use the phone's plan on another device.
- SIM Swap Fraud — By acquiring personal information and the device's PIN numbers, the attackers can access sensitive applications and services. Using the information, the criminals can convince a carrier to "swap" the SIM cards and link the identity of the victims to a hacker-controlled card.
The development of the TrickBot malware and the current versions of the threat show that the base is still used in numerous attack campaigns. We anticipate that hacking groups are interested in modifying the TrickBot source code across its multiple generations. As such, we believe that the threat will be used in future attack campaigns as well.