
The Sneaky Box Behind That Phishing Text You Just Got

Summary

– Scammers are exploiting unsecured cellular routers from Milesight IoT to send SMS phishing messages in campaigns that have been ongoing since 2023.
– These rugged IoT devices connect industrial equipment via cellular networks and can be controlled through text messages, Python scripts, or web interfaces.
– Security researchers identified over 18,000 routers accessible online, with at least 572 allowing unauthorized access due to outdated firmware and known vulnerabilities.
– The phishing campaigns targeted phone numbers in countries like Sweden, Belgium, and Italy, using fraudulent links to steal credentials by impersonating government services.
– This method provides a decentralized, cross-country SMS distribution that complicates detection and takedown efforts, making it an effective attack vector.

Since late 2023, cybersecurity experts have identified a troubling trend where attackers are hijacking industrial-grade cellular routers to distribute fraudulent text messages on a massive scale. These specialized devices, produced by the Chinese firm Milesight IoT, are typically deployed for managing critical infrastructure like traffic control systems and smart energy meters. Equipped with their own SIM cards for 3G, 4G, and 5G connectivity, these routers can be remotely managed via text commands, web dashboards, or automated scripts, making them an unexpected tool for cybercrime.

Security analysts at Sekoia uncovered this scheme after detecting unusual network activity within their monitoring systems. Their investigation revealed more than 18,000 Milesight routers openly accessible online, with at least 572 devices having completely open programming interfaces. The overwhelming majority were running severely outdated firmware. Some versions hadn’t been updated in over three years, leaving known security flaws unpatched and easily exploitable.

By sending simple requests to these unprotected interfaces, researchers retrieved the routers’ SMS logs, uncovering extensive phishing operations dating back to October 2023. These “smishing” campaigns targeted mobile users across several countries, with Sweden, Belgium, and Italy appearing as primary targets. The deceptive messages typically urged recipients to verify their identities by logging into government service portals or other official-looking accounts. Each text contained a link directing users to counterfeit websites designed to harvest login credentials and personal information.

Security professionals Jeremy Scion and Marc N. from Sekoia noted that while the method isn’t technologically advanced, it proves highly effective for attackers. Using vulnerable cellular routers allows threat actors to distribute SMS phishing messages across multiple regions simultaneously, creating significant challenges for detection and mitigation. This decentralized approach complicates efforts to trace the source or shut down the operation, highlighting the risks posed by unsecured industrial IoT equipment in our connected world.

(Source: Ars Technica)
