{"id":8297,"date":"2022-11-17T13:11:56","date_gmt":"2022-11-17T21:11:56","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=8297"},"modified":"2024-04-26T13:19:59","modified_gmt":"2024-04-26T20:19:59","slug":"french-smishing-campaign-uses-fake-social-security-portal","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/french-smishing-campaign-uses-fake-social-security-portal\/","title":{"rendered":"French Smishing Campaign Uses Fake Social Security Portal"},"content":{"rendered":"

Author: Ma\u00ebl Le Touz<\/strong><\/h3>\n

 <\/p>\n

1. Overview<\/h3>\n

Since late August, Infoblox has been tracking an actor sending a large number of SMS phishing (smishing) messages targeting phone numbers in France. This attack is ongoing and so widespread that it is regularly mentioned in national news.1<\/sup> The text requests that the addressee fill out a form to receive a new Social Security Card and to keep the addressee\u2019s healthcare plan. Threat actors then charge victims\u2019 bank accounts and later make fraudulent tax claims.<\/p>\n


\nFigure 1: An example of an inbound smishing message, received on 14 October. <\/p>\n

2. Customer Impact<\/h3>\n

This campaign was first discovered in relation to Ameli: the French government’s portal for social security, and one of the single sign-on (SSO) points for other websites of government services. The campaign is focused on French speakers and French nationals who use government services and banks. However, some related domains used also include lookalikes that target British nationals, Spanish and Portuguese speakers, as well as Belgian telco and Dutch energy companies. See Figures 2 and 3 below.<\/p>\n


\nFigure 2: An example of a phishing page masquerading as the portal for the website for S\u00e9curit\u00e9 Sociale<\/p>\n


\nFigure 3: Example of a phishing page targeting customers of the Caisse d’Epargne bank<\/p>\n

Once the landing page is accessed, the victim is served with a form asking for personal information, such as email addresses and passwords. The fraudulent websites also ask for financial information, purportedly to allow for the payment of taxes or late fees. If the victim fills out those forms, their bank accounts will be immediately charged. Some time later, when tax season comes, the victims\u2019s Ameli login will be used to make fraudulent tax claims and receive tax rebates on an attacker-controlled bank account.<\/p>\n


\nFigure 4: Most commonly used words in the domain names<\/p>\n

4. Infrastructure analysis<\/h3>\n

Attackers used an extensive network of burner emails, phone numbers, and fake identities to cover their tracks, as well as used multiple hosts to avoid automatic takedowns. After several days, the attackers took the phishing pages offline to avoid detection by automated tools and browser safety lists. Infoblox was able to detect and identify approximately 200 IP addresses serving over 7,000 unique phishing domains, illustrated in the map in Figure 5 below. Although the attackers have used Amazon, Google, and other providers of cloud services, they also rely heavily on dedicated servers.<\/p>\n


\nFigure 5: The number of dedicated hosting IPs used by the actors, per country<\/p>\n

The landing pages are of good quality and, to the unsuspecting eye, visually indistinguishable from the legitimate login pages. Some phishing pages ask for credit card information, purportedly to pay taxes or resolve an unsuccessful payment to a legitimate service. Using Ameli, one can log in to a variety of government portals, including the tax office and the portal for government subsidies. This has led the government of France to temporarily cut off access from it.2<\/sup> Nevertheless, we consider this attack as more likely to be financially motivated rather than political, because it has targeted multiple sectors – government, financial, energy and communication – in several countries.<\/p>\n

5. Vulnerabilities and Mitigation<\/h3>\n

Infoblox strongly recommends that businesses consider the following security measures:<\/p>\n