A new INPS-focused smishing campaign aims to harvest victims’ credit card information and personal data, deploying a Telegram bot for C2. The phishing flow includes a fake INPS portal, SMS-based verification prompts, and IoCs disseminated by CERT-AGID. #INPS #TelegramBot
Key points
- Target: INPS (Italian National Social Security Institute)
- Method: Smishing (SMS phishing)
- Objective: Steal credit card and personal information
- Use of a Telegram bot for Command and Control
- Victims receive SMS claiming verification is needed for a payment
- Fraudulent URL mimics the INPS portal
- Attempts to bypass two-factor authentication (2FA)
- Indicators of compromise (IoCs) shared via CERT-AGID
MITRE Techniques
- [T1566] Phishing – SMS phishing messages targeting victims to collect sensitive information.
- [T1071] Command and Control – Use of a Telegram bot to send stolen data back to the attacker.
- [T1003] Credential Dumping – Attempting to collect user credentials, including credit card information and 2FA codes.
Indicators of Compromise
- [URL] Fraudulent URL – short URL in the SMS points to a fraudulent address that replicates the INPS portal.
- [Domain] Telegram C2 endpoint – api.telegram.org (used to send stolen data). Example: https://api.telegram.org/bot{token}/sendMessage
- [File] IoC package – INPS_22-08-2024.json (IoCs downloadable from CERT-AGID).
- [URL] IoC feed access – CERT-AGID IoC Feed page for public dissemination. Example: https://cert-agid.gov.it/scarica-il-modulo-accreditamento-feed-ioc/
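A way to hunt for the Telegram C2 pattern listed above in web proxy logs, as an added example that is not part of the CERT-AGID material. The five-field log format, the sample lines, the bot token, the `.example` referer and the confidence labels are all assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

C2_HOST = "api.telegram.org"
# Bot API path: /bot<numeric id>:<secret>/<method>; the secret is never captured.
BOT_CALL = re.compile(r"^/bot(\d+):[A-Za-z0-9_-]+/(\w+)")

# Constructed proxy log lines: time client method target referer ("-" = none).
# The bot token and the .example referer are made up for this example.
SAMPLE_LOG = """\
2024-08-22T09:14:02Z 10.0.4.17 POST https://api.telegram.org/bot1234567890:AAExampleExampleExampleExample/sendMessage https://inps-verifica.example/
2024-08-22T09:14:40Z 10.0.4.23 CONNECT api.telegram.org:443 -
2024-08-22T09:15:10Z 10.0.4.31 GET https://www.inps.it/ -
"""

def scan(log_text):
    """Return one finding per request that reaches the Telegram Bot API."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # malformed line
        ts, client, method, target, referer = parts
        ref_host = urlsplit(referer).hostname if referer != "-" else None
        finding = {"time": ts, "client": client, "bot_id": None,
                   "api_method": None, "referer_host": ref_host}
        if method == "CONNECT":
            # Without TLS inspection only host:port is visible.
            if target.rsplit(":", 1)[0].lower() != C2_HOST:
                continue
            finding["confidence"] = "low"
        else:
            url = urlsplit(target)
            call = BOT_CALL.match(url.path)
            if (url.hostname or "").lower() != C2_HOST or not call:
                continue
            finding["bot_id"], finding["api_method"] = call.groups()
            # A web page calling the Bot API from the browser is treated as
            # the phishing-kit pattern (assumed heuristic).
            finding["confidence"] = "high" if ref_host else "medium"
        findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```

The `referer_host` of a high-confidence finding is the page that triggered the call, which is the candidate to compare against the CERT-AGID IoC feed.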
Read more: https://cert-agid.gov.it/news/nuovo-smishing-inps-sfrutta-un-bot-telegram-come-c2/