NCSC warns UK organisations of FluBot SMS spyware scam

Mobile giants in the UK also issue advice over "package delivery" scam targeting Android smartphones to steal passwords and sensitive data.


The UK’s National Cyber Security Centre (NCSC) and leading mobile networks have warned of a new SMS-based spyware scam dubbed “FluBot”. It targets Android smartphones and devices across the UK. As a result, UK organisations have been urged to take action to ensure their mobile device management is sufficient to reduce the risk and potential impact of compromise.

As outlined in new NCSC guidance, owners of Android devices are being targeted with text messages encouraging them to install a tracking app regarding a “missed package delivery.” If clicked, the link in the message leads victims to a scam website displaying seemingly official branding. In an example shared by the NCSC, a DHL logo is used to make the site appear legitimate.

“The tracking app is in fact spyware that steals passwords and other sensitive data,” the NCSC explained in its guidance posting. “It will also access contact details and send out additional text messages – further spreading the spyware.”

UK mobile carriers including Vodafone, EE and Three have also shared public advice on the scam, urging customers to follow the NCSC’s advice to avoid clicking on any links if they receive such a text and to report it to Ofcom before deleting the message from their device.

FluBot cybersecurity threats to UK organisations

The cybersecurity risks posed to UK businesses by the FluBot scam have the potential to be significant if effective safeguarding measures are not in place, according to cybersecurity author Raef Meeuwisse. “This is a potential threat vector for any organisation that is using mobile phone devices to transact or access data of value, although that will really be down to whether or not the company in question already has robust security on those devices,” he tells CSO. “People should always be educated not to click on links or download items from any message unless they know it is safe to do so. However, companies have a duty of care to ensure that any devices that they permit to access, store or transact sensitive data have appropriate security measures in place.”

Dr. Jason R.C. Nurse, senior lecturer in cybersecurity at the University of Kent, concurs, adding that, while the FluBot SMS delivery method is common, it’s proving particularly effective simply due to its vector of attack and how it spreads. “For UK businesses, FluBot poses a key risk especially due to the increasing use of delivery services because of COVID-19 restrictions, and therefore the higher likelihood that SMS recipients may actually be awaiting a delivery.” If FluBot infects a business, its data, including passwords to any accounts accessed or saved in the device’s settings, is at risk, he adds. Credentials to corporate files or services are also at risk.

Security’s response to the FluBot risk

UK organisations should therefore act to reduce the risk of falling victim to the FluBot scam and limit the damage it could cause to the business, Meeuwisse argues. “For example, implement mobile device management to limit what can be installed and track security status, effective mobile anti-virus, proper multi-factor authentication before access to systems can be achieved, encryption on any data of value that has to be locally stored and a distributed architecture to ensure that the compromise of any single device cannot represent a threat to the organisation.”

Harman Singh, director of cybersecurity consultancy Cyphere, agrees, adding that organisational security teams should also use “DNS filtering to block internet connections to the [scam] domain and relevant IPs” along with analysing/blocking the following indicators of compromise:

  • 1a2a4044cf18eed59e66c413db766145
  • 74f88d5480aefe165721c36100dcf89a
  • 3759f4ae5378372d34be6022c31c306c

Copyright © 2021 IDG Communications, Inc.
