Facts about FluBot malware and why criminals targeted Australia
“FluBot is spreading via SMS messages from other mobile phone numbers, which makes it incredibly hard to block from a telco perspective”
Gizmodo and others.
This is a myth. There’s nothing new or different about the FluBot SMS phishing messages hitting Australia today, and the phishing messages reported in March 2020.
Cybercriminals started to target mobile subscribers in Australia with FluBot because they know operators are unable to stop their SMS phishing scams — it’s that simple. Telstra reported the same type of SMS phishing attacks in March 2020. Other nuances exist but I’d like to keep this article as simple as possible.
FluBot doesn’t spread, SMS phishing messages spread. Stop the SMS messages and we stop FluBot.
FluBot can only be downloaded via an SMS phishing message:
a) directly from cybercriminal’s message, or
b) a message sent from an infected handset.
- FluBot cannot automatically infect a mobile device, computer, or computer network.
- FluBot cannot spread across a mobile network.
- FluBot cannot spread across a corporate network.
- Anti-malware solutions are ineffective and unreliable because FluBot automatically rotates URLs inside SMS messages to avoid detection.
- To stop FluBot, subscribers must be protected from SMS phishing messages.
- The protect subscribers from SMS phishing messages we must make it easy for them to spot a scam before they tap “download”.
- To stop every malicious URL, we need to change our entire approach to Internet Security. We need to change to a “Zero Trust” strategy for SMS — assume every URL on the Internet is dangerous, unless verified.
- A “Zero Trust SMS” strategy requires the verification of tens of billions of URLs.
- SMS Firewalls are not designed to authenticate verified URLs, so they can’t implement a Zero Trust strategy.
Here’s a real demo of how MetaCert addresses SMS phishing:
If you’re interested in SMS phishing you might enjoy the following articles:
- An Open Letter to Mobile Operators: How to Stop SMS Phishing Attacks
- Phishing Predictions for 2021, 2022, 2023, 2024, 2025
- Why we can’t use AI for URL recognition inside SMS messages
- How Mobile Operators, Brands, and Banks Can Build Better SMS Marketing Campaigns
- Email Phishing vs SMS Phishing And Why We Should Stop Blaming Mobile Operators for SMS-Led Attacks
- How SMS stakeholders can reduce spam and phishing messages on behalf of mobile operators
- How Vodafone and Three Can Protect Subscribers in Ireland From SMS Phishing Attacks Like FluBot
- Zero Trust SMS Explained