Telco Phishing. PHOTO: Cybercrime Magazine.

Something Smells Phishy In The Telco Industry

DNS-based malware attacks pose a serious threat

Jonathan Zhang, CEO at Whois XML API

Walnut, Calif. – Jun. 11, 2021

Threat actors have much to gain from targeting telecommunications companies. After all, the industry is among the top 10 highest-earning sectors in the world with a market value of US$1.7 trillion. These companies also stand to lose a significant amount of money due to cyberattacks.

One example was the ransomware attack against Telecom Argentina in July 2020. Threat actors demanded about US$7.5 million in Monero coins, which they threatened to double to US$15 million if the victim doesn’t pay after three days.

Telcos are also prime targets of Domain Name System (DNS)-based malware attacks. Almost half of the companies in the sector suffered from DNS attacks, and each attack cost the victims an average of US$886,560.

The revenue loss of telco shutdowns as a result of an attack or a suspected attack could even amount to more than the figures cited above. Some consequences are also more challenging to quantify. For instance, there is no universal formula for computing the reputational damage caused by a successful phishing campaign that resulted in a data breach.

Common Phishing Techniques

Phishing remains an effective means for threat actors to obtain credentials, distribute malware, and access the victim’s network, according to Verizon’s 2021 Data Breach Investigations Report (DBIR).

In the telecom industry, phishing may have different faces aside from traditional email phishing. These include short message service (SMS) phishing or smishing and voice call phishing or vishing.

Use of Phishing, Smishing, and Vishing

A typical phishing email imitates a company’s messages and asks the target to click a malicious link or download a malware-laden file. The same is true with smishing, but threat actors would send the message through SMS. In vishing, on the other hand, the attacker would call the victim.

In these attacks, the messages could promise rewards and discounts or threaten users of account disconnection due to nonpayment. An example of a message offering a reward posted by a Twitter user is found below.

Twitter screenshot

In recent years, threat actors were also seen sending fake bills by impersonating major telcos, such as Verizon and BT Group. An example of such message is shown below.

Twitter screenshot

The Effort to Make Phishing Look Believable

Regardless of tactic used, traditional phishing, vishing, or smishing, threat actors can make their messages more believable and legitimate-looking by using the company name in their domains or URLs.

For example, PhishTank currently lists several valid phishing URLs targeting Vodafone that are still live at the time of writing. These URLs predominantly use the strings “vodafone,” “bill,” and “account.” Three of the phishing domains resolve to login pages that look similar to the legitimate Vodafone login page.

More Potential Phishing Domains

Threat actor use of legitimate-looking URLs and web pages means that most domains and subdomains that contain a telco’s name could potentially be used in phishing attacks. That translates to thousands of Internet properties based on domains & subdomains discovery analyses. The table below shows a sample of the number of domains and subdomains that contain the names of five of the top telcos today.

Note that less than 10 percent of these cyber resources can be publicly attributed to the respective legitimate telcos as they share the same WHOIS registrant data. This leaves over 90 percent of telco-related domains and subdomains that are potentially cybersquatting and could be used maliciously.

In fact, some of the subdomains have already been reported as malicious. These include vodafone[.]billing-required[.]com, vodafone[.]bills-due[.]com, vodafone[.]overview-account[.]com, and other subdomains with root domains containing the strings “bill” and “account.”

The telecom industry has always been under threat of phishing, and will continue to be so. In recent months, an espionage campaign called “Operation Diànxùn” lured users to a fake Huawei career page. While the likely goal of the Huawei attack was to access data related to 5G technology, the reality is that this won’t be the last of similar campaigns.

If the number of non-attributable domains and subdomains are any indication, more phishing attacks might already be underway. Early detection of compromised Internet properties is one way to combat phishing and avoid its costly repercussions.

Are you interested in the telco-related domains and subdomains in this post? Contact us for more information about how you can use our domain intelligence tools to detect phishing attacks targeting telcos.

Whois XML API Archives

Jonathan Zhang is the founder and CEO of WhoisXML API—a domain and IP data intelligence provider that empowers all types of cybersecurity enterprises to build better products and achieve greater network security with the most comprehensive domain, IP, DNS, and cyber threat intelligence feeds.  WhoisXML API also offers a variety of APIs, tools, and capabilities, including Threat Intelligence Platform (TIP) and Domain Research Suite (DRS).


Sponsored by Whois XML API

Precise and exhaustive data is vital for cyber-security professionals to analyze and prevent cyber crime. Whois XML API offers a comprehensive collection of domain, WHOIS, DNS and threat intelligence data feeds that are essential to their work. It’s an exhaustive Cyber-security package that offers a maximum coverage of both real-time and historic data, complete with instruments for threat hunting, threat defense, cyber forensic analysis, fraud detection, brand protection, data intelligence enrichment across variety of SIEM, Orchestration, Automation and Threat Intelligence Platforms.