Digital Event Horizon

Smishing Campaigns Abusing Vulnerable Industrial Cellular Routers



Smishing campaigns abusing vulnerable industrial cellular routers have been uncovered by researchers at Sekoia, a security company that specializes in monitoring and analyzing suspicious network activity. The campaigns used over 18,000 devices to send billions of phishing messages per month without getting caught or shut down. Read on to learn more about how these attacks are being carried out using accessible infrastructure and the implications for security.

  • Over 18,000 industrial cellular routers were found to have known vulnerabilities, making them susceptible to exploitation.
  • The routers were being used in smishing campaigns dating back to October 2023, targeting countries such as Sweden, Belgium, and Italy.
  • The campaigns involved phishing messages that instructed recipients to log into government accounts, with links leading to fraudulent websites that collected credentials.
  • The vulnerability most likely exploited by the attackers is CVE-2023-43261, but some of the abused devices ran firmware versions not susceptible to it.
  • The attackers used JavaScript to hinder analysis and reverse engineering of their phishing sites, and logged visitor interactions through a Telegram bot.
  • The routers' decentralized SMS distribution capabilities make them appealing to threat actors, as does the difficulty they pose for detection and takedown efforts.



Smishing campaigns abusing vulnerable industrial cellular routers have been uncovered by researchers at Sekoia, a security company that specializes in monitoring and analyzing suspicious network activity. The researchers discovered that over 18,000 industrial cellular routers manufactured by Milesight IoT Co., Ltd. were accessible on the Internet and had known vulnerabilities, making them susceptible to exploitation.

The routers, which are rugged Internet of Things devices used to connect traffic lights, electric power meters, and other remote industrial devices to central hubs, come equipped with SIM cards that work with 3G/4G/5G cellular networks. They can be controlled by text message, Python scripts, and web interfaces. The researchers found that the routers were being abused in campaigns dating back to October 2023 for smishing, a common term for SMS-based phishing.

The fraudulent text messages, directed at phone numbers located in an array of countries, primarily Sweden, Belgium, and Italy, instructed recipients to log into various accounts related to government services to verify their identity. The links in the messages sent recipients to fraudulent websites that collected their credentials.

The researchers added that this campaign demonstrates how impactful smishing operations can be executed using simple, accessible infrastructure. Given the strategic utility of such equipment, it is highly likely that similar devices are already being exploited in ongoing or future smishing campaigns.

Sekoia said that it's unclear how the devices are being compromised. One possibility is CVE-2023-43261, a vulnerability in the routers that was fixed in 2023 with the release of firmware version 35.3.0.7. The vast majority of the 572 devices identified as unsecured ran versions 32 or earlier.

The researchers said that some of the files contained cryptographically protected passwords for accounts, including the device administrator account. While the password was encrypted, the file also included the secret encryption key and the IV (initialization vector) used, allowing an attacker to recover the plaintext password and gain full administrative access.
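The design flaw in that paragraph is general: a password encrypted with a key that sits in the same file is reversible by anyone who can read the file, so the encryption is only obfuscation. The example below is added here and is not code from the article or from Milesight; it does not model the real device's file format or cipher. It uses a toy HMAC-based keystream (stdlib only) purely to stand in for "some cipher with a key and IV", contrasts a config that stores key, IV and ciphertext together with a salted PBKDF2 verifier from which the password cannot be recovered, and includes a small audit check that flags the recoverable layout. All field names are assumptions.

```python
# Added example: reversible "encrypted" password with co-located key/IV versus
# a non-reversible password verifier. Toy cipher and field names are constructed.
import hashlib
import hmac
import secrets
from typing import Dict


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: HMAC-SHA256(key, iv || counter) blocks.

    Illustrative only; it stands in for whatever cipher a real device uses.
    """
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_password(key: bytes, iv: bytes, password: str) -> bytes:
    pt = password.encode()
    return bytes(a ^ b for a, b in zip(pt, _keystream(key, iv, len(pt))))


def decrypt_password(key: bytes, iv: bytes, ct: bytes) -> str:
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, iv, len(ct)))).decode()


def write_reversible_config(password: str) -> Dict[str, str]:
    """The weak layout: ciphertext, key and IV all in one file (constructed field names)."""
    key = secrets.token_bytes(16)
    iv = secrets.token_bytes(16)
    return {
        "admin_pw_enc": encrypt_password(key, iv, password).hex(),
        "enc_key": key.hex(),
        "enc_iv": iv.hex(),
    }


def password_from_config(cfg: Dict[str, str]) -> str:
    """Everything needed is in the file, so reading it yields the plaintext."""
    return decrypt_password(
        bytes.fromhex(cfg["enc_key"]),
        bytes.fromhex(cfg["enc_iv"]),
        bytes.fromhex(cfg["admin_pw_enc"]),
    )


def make_verifier(password: str, iterations: int = 600_000) -> Dict[str, object]:
    """The corrected layout: a salted, iterated hash. No key to leak, nothing to decrypt."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": dk.hex()}


def check_password(verifier: Dict[str, object], candidate: str) -> bool:
    dk = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(verifier["salt"]), verifier["iterations"]
    )
    return hmac.compare_digest(dk, bytes.fromhex(verifier["hash"]))


def config_stores_recoverable_secret(cfg: Dict[str, object]) -> bool:
    """Audit helper: flag a config that ships ciphertext together with its key and IV."""
    return {"admin_pw_enc", "enc_key", "enc_iv"} <= set(cfg)


if __name__ == "__main__":
    weak = write_reversible_config("example-admin-password")
    print("recoverable from file:", config_stores_recoverable_secret(weak))
    print("plaintext recovered  :", password_from_config(weak))
    strong = make_verifier("example-admin-password")
    print("recoverable from file:", config_stores_recoverable_secret(strong))
    print("verifies correct pw  :", check_password(strong, "example-admin-password"))
```

The verifier layout also changes what a file-disclosure bug costs: leaking a PBKDF2 record hands an attacker a guessing problem rather than a working credential, which is why device vendors are expected to store password hashes rather than decryptable passwords.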

However, further investigation turned up evidence that contradicts the theory that the devices were compromised through CVE-2023-43261. Some routers abused in the campaigns ran firmware versions that weren't susceptible to the vulnerability, and Sekoia said that the authentication cookie found on one of the hacked routers "could not be decrypted using the key and IV described in the article," without elaborating further.

The phishing websites also featured JavaScript that prevented pages from delivering malicious content unless they were accessed from a mobile device. One site ran JavaScript to disable right-click actions and browser debugging tools. Both moves were likely made in an attempt to hinder analysis and reverse engineering. Sekoia also found that some of the sites logged visitor interactions through a Telegram bot known as GroozaBot.

The researchers concluded that smishing operations often originate from small, overlooked boxes tucked away in janitorial closets in industrial settings. The resources for these campaigns are likely coming from these devices, which makes them particularly appealing to threat actors due to their decentralized SMS distribution capabilities and the complexity they pose for detection and takedown efforts.



Related Information:
  • https://www.digitaleventhorizon.com/articles/Smishing-Campaigns-Abusing-Vulnerable-Industrial-Cellular-Routers-deh.shtml

  • https://arstechnica.com/security/2025/10/that-annoying-sms-phish-you-just-got-may-have-come-from-a-box-like-this/


  • Published: Wed Oct 1 21:00:26 2025 by llama3.2 3B Q4_K_M
    © Digital Event Horizon . All rights reserved.