A large phishing campaign carried out by Chinese hackers is currently affecting many people in France. More than 200,000 malicious SMS messages have already been sent since the beginning of the summer.
The scam is a well-known one. The victim receives an SMS reading “Your package has been sent. Please check it and receive it.”, which also contains a fraudulent link.
Malware that gives hackers access to your personal data
When the victim clicks this link, they are offered a browser update, which triggers the download of malware called “MoqHao”, explains Sekoia, a cybersecurity company that spotted the phishing campaign.
“After the victim downloads and runs the malware, the app asks for permission to read and send SMS. This permission allows the malware, among other things, to intercept text messages from victims’ mobile phones. It should be noted that the studied sample of MoqHao imitates the Chrome application to trick the victim into giving this permission”, explains the firm.
Around 70,000 Android devices have been affected by the malware in France, and affected smartphones may themselves become the source of the SMS sent to other potential victims. Note that the link does not work for people outside of France. The group behind the scam, Roaming Mantis, specializes in the theft of banking data, and in particular login credentials.
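The behaviour described above (an app that presents itself as Chrome and asks to read and send SMS) can be checked for when triaging a suspicious APK. The following is an added example, not code from Sekoia or from the original article; it assumes the manifest has already been decoded to text XML and carries a literal label (real apps often reference a string resource instead), and the sample manifests and package names are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
}
GENUINE_CHROME_PACKAGE = "com.android.chrome"


def triage_manifest(manifest_xml):
    """Return a list of findings for one decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    label = app.get(ANDROID_NS + "label", "") if app is not None else ""
    requested = {e.get(ANDROID_NS + "name", "") for e in root.iter("uses-permission")}
    sms = sorted(requested & SMS_PERMISSIONS)
    poses_as_chrome = "chrome" in label.lower() and package != GENUINE_CHROME_PACKAGE

    findings = []
    if poses_as_chrome:
        findings.append(f"label {label!r} on non-Chrome package {package!r}")
    if sms:
        findings.append("requests SMS permissions: " + ", ".join(sms))
    if poses_as_chrome and sms:
        findings.append("HIGH: browser look-alike that can read or send SMS")
    return findings


# Constructed sample manifests (not taken from a real MoqHao sample).
LOOKALIKE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.updater">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Chrome"/>
</manifest>"""
BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""

if __name__ == "__main__":
    for name, xml in (("lookalike", LOOKALIKE), ("benign", BENIGN)):
        print(name, triage_manifest(xml))
```

A browser has no need for SMS access, so the combination of the two signals is what matters; either one alone is only a weak indicator.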
Cybercriminals are currently focusing on France
Roaming Mantis was identified by McAfee in 2017. Based in China, the hacker group is primarily financially motivated and is currently focused on France, “as reported by Kaspersky and Team Cymru in early 2022, and based on our observation of over 90,000 unique IPs that requested the C2 server distributing MoqHao”, continues Sekoia.
However, campaigns using the MoqHao malware, designed by the cybercriminals themselves, have also targeted Japan, South Korea, Taiwan, Germany, the United Kingdom and the United States. Many victims located in France report the phishing scam on specialized sites as well as on Twitter, so be vigilant.
Sources: Numerama, Sekoia