Russian-based Prospero hosting & Squarespace as a registrar

Published on: July 11, 2024

Western European targeted SMS campaigns that are phishing for credentials and banking information

We have been following a threat actor since at least November targeting western European countries with SMS campaigns, leading to the phishing of account credentials and banking information. Targets thus far include government benefits agencies, e-commerce giants, and video-on-demand services. This actor favors Russian-based Prospero hosting, and has now been detected using Squarespace as a registrar.


This actor often uses phrases like ‘facturacion’ (which translates to ‘billing’ or ‘invoice’ in several European languages) as well as ‘service,’ ‘moncompte’ (my account), ‘suscripcion,’ and similar generic terms, combined with specific brands or agencies, to lure targets in for account takeover or bank fraud. Previously targeted countries include Norway, Sweden, Finland, and Austria; the Squarespace-registered batch appears to be targeting Germany, France, and Spain as well.


Recent domain examples below:


We advise network administrators to consider blocking Prospero’s IP space in its entirety and allow-listing elements on a case-by-case basis, if possible.
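
One way to combine the naming pattern and the hosting-based blocking advice above into a single triage step for newly observed domains (an added example, not code from the original post). The brand tokens, the blocked prefix (an RFC 5737 documentation range), the allow-listed host and the sample observations are constructed placeholders, and treating two lure terms in one name as a match generalizes the pattern described above.

```python
import ipaddress
import re

# Lure terms quoted in the post above.
LURE_TERMS = ("facturacion", "suscripcion", "moncompte", "service")
# Assumption: constructed placeholder tokens for the brands/agencies you protect.
BRAND_TOKENS = ("examplevod", "examplepost", "exampletax")
# Assumption: RFC 5737 documentation range standing in for the provider's
# announced prefixes; load the real ones from your routing/ASN data source.
BLOCKED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
# Case-by-case exceptions inside the blocked space (constructed).
ALLOWED_HOSTS = {ipaddress.ip_address("203.0.113.10")}

def name_signals(domain):
    """Return (lure_terms, brand_tokens) found in the labels left of the TLD."""
    name = domain.replace("[.]", ".").lower().rstrip(".")
    flat = re.sub(r"[^a-z0-9]", "", "".join(name.split(".")[:-1]))
    lures = [t for t in LURE_TERMS if t in flat]
    brands = [b for b in BRAND_TOKENS if b in flat]
    return lures, brands

def ip_blocked(ip):
    """True if ip is in a blocked prefix and not individually allow-listed."""
    addr = ipaddress.ip_address(ip)
    if addr in ALLOWED_HOSTS:
        return False
    return any(addr in net for net in BLOCKED_NETS)

def triage(domain, ip):
    """Combine the naming pattern and the hosting location into one verdict."""
    lures, brands = name_signals(domain)
    lookalike = bool(lures and brands) or len(lures) >= 2
    if ip_blocked(ip):
        return "block+alert" if lookalike else "block"
    return "review" if lookalike else "allow"

# Constructed observations (domain, resolved IP); not indicators from the post.
SAMPLES = [
    ("facturacion-examplevod[.]example", "203.0.113.45"),
    ("moncompte-exampletax[.]example", "198.51.100.7"),
    ("moncompte-service[.]example", "198.51.100.7"),
    ("partner-portal[.]example", "203.0.113.10"),
    ("static-assets[.]example", "203.0.113.99"),
]

if __name__ == "__main__":
    for domain, ip in SAMPLES:
        print(f"{triage(domain, ip):12} {domain} {ip}")
```

A "review" verdict is a queue for an analyst rather than a block, since legitimate brand domains can also contain words such as "service".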


End-users should be wary of SMS-related banking alerts, and only input their banking credentials into known or verified websites and applications. We advise users to never download banking applications from third-party app stores, and to always navigate to their bank’s website manually in order to avoid unknowingly entering credentials into cloned or fraudulent banking websites.

Visualization of 49 likely associated domains first seen or newly active from 2024-06-01 forward utilizing Squarespace registration and Prospero hosting, also showing commonalities among server type and risk score.
