Overview of the Smishing Operation

Researchers have identified a widespread smashing (smishing) campaign that uses compromised networking routers as the backbone for sending massive volumes of fraudulent SMS messages. The operation demonstrates how attackers can repurpose inexpensive, often forgotten hardware to launch impactful phishing attacks without needing large, dedicated infrastructure.

Exploitation of Router Vulnerability

The campaign appears to center on a known vulnerability identified as CVE‑2023‑43261. This flaw stemmed from a misconfiguration that exposed files in a router’s storage through a web interface. Among the exposed files were cryptographically protected passwords for device accounts, including the administrator. Although the passwords were encrypted, the files also contained the encryption key and initialization vector (IV), enabling an attacker to decrypt the passwords and gain full administrative access.

Analysis of the compromised devices revealed that the majority of the 572 identified as unsecured were running firmware versions 32 or earlier. Those versions are susceptible to CVE‑2023‑43261, while newer firmware such as version 35.3.0.7 had the vulnerability patched. However, the researchers noted that some of the routers used in the campaign ran firmware that should not have been vulnerable, indicating that additional exploitation methods may be in play.

Phishing Infrastructure and Tactics

The phishing sites associated with the campaign employ JavaScript that restricts content delivery to mobile devices only, effectively targeting the intended SMS recipients. One site also disables right‑click actions and browser debugging tools, likely to hinder analysis and reverse engineering. Visitor interactions on these sites are logged through a Telegram bot known as GroozaBot. The bot is operated by an actor identified as "Gro_oza," who appears to communicate in Arabic and French.

Potential Sources of the Compromised Devices

According to the investigators, many of the compromised routers are small, overlooked devices that may be located in janitorial closets or other low‑visibility areas within industrial settings. Their low cost and ease of access make them attractive targets for attackers seeking to build a scalable smishing platform.

Implications and Recommendations

The findings underscore the strategic utility of such equipment for malicious actors and suggest that similar devices could already be leveraged in ongoing or future smishing campaigns. Organizations are advised to audit network hardware for outdated firmware, apply security patches promptly, and monitor for unusual outbound SMS traffic that could indicate exploitation.

Este artigo foi escrito com a assistência de IA.
News Factory APP - notícias agênticas para impulsionar seu SEO e AEO.