Dishing and Smishing

If you receive a text from a sender who appears to be USPS, the Royal Mail, or a number of other organizations, you may be the target of a new smishing campaign from Chinese hackers.  Known as the Smishing Triad, these bad actors have been attempting to exploit US residents via compromised iCloud accounts for identity theft and other cases of fraud.

Smishing is basically the same as phishing, only through text messages/mobile devices instead of email.  Both are otherwise similar and have identical goals: steal personally identifiable information (PII) in order to infiltrate organizations.  The Triad messages its targets, telling them there’s been an issue with package delivery, and prompts them to enter their credit card information for tracking purposes.  If you see this, don’t fall for it – ignoring the message will benefit both your company and your own personal data in the long run.

Not only is the Triad running this social engineering scheme, it’s also showcasing its entrepreneurial side, selling smishing kits for cyber criminals targeting a number of other countries, from Sweden to Japan and plenty more.  According to reports, these kits exploit a SQL injection vulnerability that allows the group to monitor and extract system files from their clients. 

The breaches of the past week don’t stop there.  Johnson & Johnson Health Care Systems (“Janssen”) has informed its CarePath application customers of a breach of their data via IBM as a third-party vendor.  An investigation showed that unauthorized users accessed the CarePath database using an undiscovered method that was patched too late.  User information like names, health insurance and medication info was compromised in this fashion, which could lead to phishing, smishing and other social engineering attacks once it is sold to interested buyers.  When asked by Bleeping Computer whether this security incident had any relation to the notorious MOVEit breach, which caught IBM in its net earlier this year, a spokesperson replied that it was due to a different incident.

When even IBM can fall into a supply chain security failure, everyone should be cognizant of how their data is protected.  The exposure can come from any angle, from any business or business partner, and of course, any text or email that might look legitimate but just pulls the wool over our eyes.  Keeping data encrypted serves as an extra layer of protection for when an unwitting target does fall for the scam.  NetLib Security’s Encryptionizer solution can help, offering transparent encryption of stored data to render it useless to cyber criminals who do manage to trick their way into an organization’s network.

Always be vigilant about who is attempting to contact you, and when you share your data with an organization, stay on guard there too for when a data breach comes home to roost.


By: Jonathan Weicher, post on September 12, 2023
Originally published at: https://www.netlibsecurity.com
Copyright: NetLib Security