That innocent-looking text message might not be coming from your usual spammer’s smartphone. Instead, it could be originating from a small, innocuous-looking device hidden in an industrial site somewhere—possibly even in a janitor’s closet. Recent findings reveal that cybercriminals have found a creative new method for distributing SMS-based phishing attacks by hijacking industrial cellular routers, turning them into massive smishing (SMS phishing) distribution networks.
The Unlikely Phishing Platforms
In a discovery that highlights the expanding attack surface in the Internet of Things (IoT), security researchers have identified that scammers are exploiting unsecured industrial cellular routers to send large volumes of SMS phishing messages. These aren’t your typical home routers but rather specialized devices like the Milesight UR35, designed for connecting industrial equipment like traffic lights and power meters to central systems.

These routers are part of the industrial Internet of Things (IIoT), built to be rugged and reliable in demanding environments. Each carries a SIM card for 3G/4G/5G connectivity and can be managed through several interfaces, including SMS commands, a web interface, and Python scripts. That combination is exactly what makes them attractive to smishing operators: a compromised router is a ready-made SMS gateway with a legitimate carrier subscription and a remotely reachable API, so the attacker gets scalable sending capacity without buying numbers or renting a bulk-SMS service.
Riding CVE-2023-43261 to Compromise Thousands
How the Vulnerability Works
The key to these attacks lies in CVE-2023-43261, an information disclosure vulnerability in Milesight routers discovered by security researcher Bipin Jitiya. The flaw stems from a misconfiguration that exposes the router’s log files through the web interface without authentication. Those logs contain the router’s credentials, and the password in them is AES-encrypted, which would be fine if the key were secret. It is not: the key and initialization vector (IV) are hard-coded and served by the same web interface, so anyone who can read the log also has everything needed to decrypt it.
This is a textbook example of “security through obscurity”: ciphertext stored next to its own key is obfuscation, not protection. An attacker who retrieves the log file decrypts the admin password in seconds and logs in with full control of the router. From there the device’s SMS interface can be driven to send thousands of phishing messages over the router’s own SIM card.
Scale of the Problem
According to security firm Sekoia, whose investigation identified more than 18,000 such routers reachable from the Internet, at least 572 of them allowed completely unauthenticated access to their programming interfaces. That is a massive potential attack surface: thousands of hidden SMS broadcasting stations, each capable of reaching thousands of victims.
Most disturbingly, the majority of these routers were running firmware versions more than three years old, leaving them exposed to a flaw for which a fix has long been available. Devices like these, forgotten after deployment and never patched, are what practitioners call “long-tail vulnerabilities”: they stay exploitable for years because nobody is responsible for maintaining them.
Targeting Specific Regions with Phishing Bait
Geographic Distribution Tactics
The smishing campaigns detected through this method have been targeting individuals in specific countries, with Sweden, Belgium, and Italy being primary targets. This geographic specificity suggests the attackers are not sending random spam but are running focused campaigns, likely dictated by the SIM cards installed in the compromised routers: each SIM belongs to a carrier in a particular country, so the messages arrive from a domestic number that recipients are more inclined to trust.
- Sweden: Targeted with messages mimicking government services
- Belgium: Recipients receive fake notifications about account verification
- Italy: Citizens receive SMS messages prompting login to official portals
The phishing messages typically instruct recipients to log in to various accounts—often related to government services—to “verify their identity.” This approach leverages people’s trust in official institutions, making the messages more convincing than generic spam.
Technical Sophistication in Deception
The phishing sites these messages link to are not simple affairs. Sekoia found that many implement anti-analysis measures of the kind more often seen in malware:
- JavaScript serves the credential-harvesting page only to browsers that identify as mobile devices; any other client gets a harmless decoy
- Additional JavaScript disables the right-click context menu and blocks the keyboard shortcuts that open browser developer tools
- Because URL scanners and sandboxes typically browse as desktop clients, the mobile-only check also defeats much automated analysis and reputation scanning
These tricks make it harder for researchers and takedown services to confirm what a site actually does, which lengthens the time it stays online and keeps harvesting credentials.
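Below is an added reconstruction of the gating logic described above, written for this page and not taken from any phishing kit or from Sekoia’s report. The user-agent pattern, the decoy/phish labels, the key-combination list and the analyst header are all assumptions chosen to illustrate the technique; the small fake document exists only so the handlers can be exercised outside a browser.

```javascript
// Reconstructed gate of the kind the report describes (illustrative, not a kit's code).
const MOBILE_UA = /Android|iPhone|iPad|iPod|Mobile/i;

function looksMobile(userAgent) {
  return MOBILE_UA.test(userAgent || '');
}

// The kit serves the credential-harvesting page only to mobile clients; everyone
// else (desktop analysts, crawlers, URL scanners) gets a harmless decoy.
function selectPage(userAgent) {
  return looksMobile(userAgent) ? 'phish' : 'decoy';
}

// In-page hardening a kit installs once rendered: block the context menu and the
// common keyboard shortcuts that open developer tools or view source.
function installAntiAnalysis(doc) {
  doc.addEventListener('contextmenu', (e) => e.preventDefault());
  doc.addEventListener('keydown', (e) => {
    const devtoolsKey =
      e.key === 'F12' ||
      (e.ctrlKey && e.shiftKey && ['I', 'J', 'C'].includes(e.key)) ||
      (e.ctrlKey && e.key === 'U');
    if (devtoolsKey) e.preventDefault();
  });
}

// Minimal stand-in for a DOM document so the handlers can be exercised offline.
function fakeDocument() {
  const handlers = {};
  return {
    addEventListener(type, fn) {
      (handlers[type] = handlers[type] || []).push(fn);
    },
    // Returns true when some handler called preventDefault(), i.e. the action was blocked.
    dispatch(type, props) {
      const ev = { prevented: false, preventDefault() { this.prevented = true; }, ...props };
      (handlers[type] || []).forEach((fn) => fn(ev));
      return ev.prevented;
    },
  };
}

// Analyst side: the same gate read in reverse. A decoy answer to a desktop request
// says nothing about whether the kit is live; re-fetch with a mobile User-Agent
// (hypothetical string below) before concluding the page is benign.
const ANALYST_HEADERS = {
  'User-Agent':
    'Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Mobile Safari/537.36',
};

// Only wire the handlers up when an actual DOM exists.
if (typeof document !== 'undefined') installAntiAnalysis(document);
```

The practical lesson for an analyst is the last part: a page that looks empty or benign from a desktop browser or an automated scanner has not been cleared, it has only been shown the decoy branch. Fetching with a mobile user agent, or driving a real mobile browser profile, is the minimum needed before a takedown request is dismissed as a false positive.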
Telegram Bots in the Criminal Infrastructure
GroozaBot and Its Role
In what appears to be a well-orchestrated operation, some of these phishing sites integrate with Telegram bots to track their effectiveness. Specifically, sites have been found using a bot named “GroozaBot,” operated by someone with the handle “Gro_oza” who appears to speak both Arabic and French.
The bot logs visitor interactions, in effect giving the attackers a real-time dashboard of how many people click their links and how many go on to enter credentials. Folding a mainstream messaging platform into the reporting pipeline in this way shows how modular and operationally mature modern phishing infrastructure has become.
Implications for Industrial IoT Security
Broad Security Concerns
This campaign represents a significant and concerning development in cybersecurity because it highlights several disturbing trends:
- Expansion of IoT Attack Surface: Industrial devices are increasingly connected but rarely receive the same security attention as corporate IT systems
- Rogue Infrastructure at Scale: Small devices hidden in industrial settings can provide massive phishing capabilities
- Long-term Neglect: Devices neglected for firmware updates become part of criminal infrastructure for years
According to the European Union Agency for Cybersecurity (ENISA), the security challenges in IoT stem precisely from these factors: “The proliferation of IoT devices increases the attack surface dramatically, and many of these devices lack basic security features.”
Recommendations for Organizations
Organizations using industrial IoT devices, especially cellular routers, should take several steps to protect themselves:
- Inventory Management: Know exactly what IoT devices are deployed in your network, including cellular routers installed by facilities teams or contractors rather than IT
- Regular Updates: Implement a rigorous firmware update schedule, as recommended by NIST guidance on IoT security; a router running firmware several years old is exactly the device this campaign relies on
- Network Segmentation: Isolate IoT devices from critical corporate networks, and keep their management interfaces (web, SSH, API) off the public Internet by restricting them to trusted networks or a VPN
- Monitoring: Implement continuous monitoring for anomalous behavior as suggested by CISA best practices; for cellular routers that means watching SMS send volumes, recipient diversity and configuration changes, not just link availability
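As an added example of the monitoring item above, not drawn from any vendor tool or from the report, here is a small burst detector run over constructed syslog-style lines. The log format, thresholds and phone numbers are all hypothetical; the idea is that a legitimately deployed router sends a handful of alerts to a fixed set of numbers, whereas a hijacked one suddenly sends many messages to many distinct numbers in a short window.

```javascript
// Constructed log line in a hypothetical router syslog format; adapt the regex
// in parseSmsLine to whatever your device actually emits.
function smsLine(iso, to) {
  return `${iso} ur-router sms: sent to=${to} len=118`;
}

// Parse one line into { ts, to }; lines that are not outbound SMS yield null.
function parseSmsLine(line) {
  const m = /^(\S+) \S+ sms: sent to=(\+\d+)/.exec(line);
  return m ? { ts: Date.parse(m[1]), to: m[2] } : null;
}

// Sliding-window detector. Raises one alert at the moment a window first exceeds
// either the message-count or the distinct-recipient threshold, then stays quiet
// until the burst subsides, so a sustained campaign produces one alert, not hundreds.
function detectSmsAbuse(lines, { windowMs = 5 * 60 * 1000, maxPerWindow = 10, maxDistinctPerWindow = 5 } = {}) {
  const events = lines.map(parseSmsLine).filter(Boolean).sort((a, b) => a.ts - b.ts);
  const alerts = [];
  let start = 0;
  let inBurst = false;
  for (let end = 0; end < events.length; end++) {
    while (events[end].ts - events[start].ts > windowMs) start++;
    const recent = events.slice(start, end + 1);
    const distinct = new Set(recent.map((e) => e.to)).size;
    const over = recent.length > maxPerWindow || distinct > maxDistinctPerWindow;
    if (over && !inBurst) {
      alerts.push({ at: new Date(events[end].ts).toISOString(), count: recent.length, distinct });
    }
    inBurst = over;
  }
  return alerts;
}

// Constructed sample: a day of normal operation (three alerts to two maintenance
// numbers) followed by a night-time burst of 40 messages to 40 different numbers
// in just over three minutes.
const SAMPLE_LINES = [
  smsLine('2025-03-02T09:15:00Z', '+46700000001'),
  smsLine('2025-03-02T12:40:00Z', '+46700000002'),
  smsLine('2025-03-02T17:05:00Z', '+46700000001'),
  '2025-03-02T17:05:01Z ur-router cellular: signal -71 dBm', // unrelated line, ignored
];
for (let i = 0; i < 40; i++) {
  const t = new Date(Date.UTC(2025, 2, 3, 2, 10, i * 5)).toISOString();
  SAMPLE_LINES.push(smsLine(t, '+4670' + String(1000000 + i)));
}

console.log(detectSmsAbuse(SAMPLE_LINES));
```

In production the same two signals (messages per window and distinct recipients per window) can be fed from the router’s syslog export or from carrier billing records, and a threshold tuned to the site’s real alerting volume will catch a smishing burst long before the phone bill does. The distinct-recipient check is the more robust of the two, since a router that legitimately sends many alerts still sends them to a small, stable set of numbers.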
Conclusion: The Hidden World of Industrial Spam
What makes this discovery particularly troubling is that it reveals another dimension of how cybercriminals are adapting to our increasingly connected world. Rather than relying on traditional botnets or purchased SMS services, they’re finding creative ways to hijack legitimate infrastructure for their malicious purposes.
The industrial routers acting as unwitting accomplices in these schemes were never intended to be spam broadcasting stations. They were designed to quietly connect essential infrastructure, making our cities smarter and our utilities more efficient. Yet through simple neglect—a failure to update firmware, to secure access credentials, to monitor for unauthorized access—these vital devices have become weapons in the cybercriminal arsenal.
This story serves as a reminder that in our hyperconnected world, security isn’t just about protecting our computers and smartphones. It’s about securing the countless invisible devices that keep our modern infrastructure running. As the boundary between IT and operational technology continues to blur, everyone—from IT security teams to facility managers—needs to be vigilant about maintaining what might seem like innocuous equipment. Because that unassuming box in the corner might just be sending thousands of phishing texts right now, and you wouldn’t even know it.