The latest roundtable discussion from Security on Screen analyses the recent FluBot malware campaign that has been targeting online food delivery services and how attackers have strategically opened themselves up to a much wider audience

In recent weeks, an SMS malware campaign, capable of stealing passwords and banking credentials, has been spreading like wildfire, with members of the public being warned to be vigilant of scammers targeting online shoppers.

The Chartered Trading Standards Institute (CTSI) said it has received evidence of a text scam involving supermarket delivery messages. The messages claim “your Asda order is out for delivery” and links to a webpage supposedly allowing the recipient “to track your order and view your delivery note”. The reports also involve Morrisons, although the CTSI warned other retailers are also being targeted.

Mobile carriers and law enforcement agencies alike have been prompted to issue warnings about the so-called FluBot campaign. Although the hook to the SMS phishing message is an old one, based on the ‘you have a parcel delivery’ theme, the exploitation method and the way the campaign is evolving are real causes for concern.

“This particular incident looks like it could be part of a campaign that’s been targeting individuals across Europe in the last few weeks,” comments Hank Schless, Senior Manager, Security Solutions at Lookout. “The campaign that this seems to resemble, which uses data leaked from the massive Facebook data breach earlier this month to contact individuals on their personal cell phones, intends to trick the attacker into downloading a malicious app.

“The malicious app is laced with FluBot, which is a banking trojan that can intercept SMS messages, steal contact information, send messages to contacts and display screen overlays to trick users into handing over their credentials. FluBot is an example of malware as a service, which is a model that attackers use with increasing frequency as it allows them to easily acquire and customise the malware to be more convincing to the target.”

Pandemic impact

When Covid-19 first began to engulf Europe a lot of people rushed to the supermarkets to stockpile, while others remained at the keyboards. Worldwide Google searches for ‘food delivery’ and ‘local food’ reached all-time highs in April, allowing scammers take full advantage.

Paul Bischoff, Privacy advocate at Comparitech.com, comments: “The pandemic spurred widespread adoption of meal and grocery delivery services. When you submit an order on one of these apps, users are often flooded with notifications via email, SMS, and the app itself. Users often get text updates letting them know their order has been received, that the delivery driver has picked it up, and that the driver will arrive shortly.

“Scammers are capitalising on this trend by sending phishing messages via SMS in the hopes that recipients will think it’s from a legitimate app. Because SMS messages come from phone numbers instead of emails, it’s more difficult to determine which texts are legitimate. If you use a food delivery app, I recommend disabling the SMS notifications and just use the notifications that come directly from the app. Then, if you receive an SMS notification about a supposed delivery, you can safely ignore it.”

“A rise in individuals resorting to online shopping as a result of many countries being put under strict lockdown has seen there be a significant rise in the use of these fraudulent tactics,” adds Natalie Page, Threat Intelligence Analyst at Talion. “The pandemic has essentially allowed scammers an environment to mature their skills to an immaculate level, making it now near impossible for the individual user to distinguish between the genuine and the fake. 

“Humans need food, so by adopting grocery stores as a lure, attackers have cunningly opened themselves up to a much wider audience to potentially fall victim to these attacks. For anyone utilising online shopping and wanting to avoid being socially engineered by these tactics, take your time when reading the messages you receive, if you feel you are being put under pressure by the sender, if you are being asked to give personal information, or if something simply looks or feels a little off, it is likely you are being scammed.”

Training and prevention

Chris Hauk, Consumer Privacy Champion at Pixel Privacy, suggests to members of the public who receive text messages or emails like this, “should never automatically assume the sender is legitimate.” He continues: “First of all, folks that receive text messages like this should first consider whether they have actually made a delivery order from the merchant (DUH!), or ask their significant other if they made an order.

“If you still have questions about the supposed order, call the merchant (by obtaining the merchant’s number from their official website or app), to check if an order has actually been made. Plus, remember that a legitimate grocery delivery service will never ask for personal information.”

Niamh Muldoon, Global Data Protection Officer at OneLogin also advises: “Seeing that cybercriminals have consistently targeted those offering online shopping facilities through various threat vectors including social engineering with phishing campaigns, it would be wise for these online businesses to offer support and training. The training really should be provided prior to providing devices and online system access.”

Muldoon concludes: “It is only through security awareness training that staff and customers can make better-informed decisions. Partnering with IAM trusted providers to implement two-factor authentication reduces associated risks of unauthorised access to online shopping devices and systems which is now subject to Strong Customer Authentication (SCA) regulation.”