Ethical Hacking News
Smishers have been exploiting unsecured industrial cellular routers in a series of ongoing SMS-based phishing campaigns since 2023. Researchers at Sekoia discovered that the devices are particularly appealing to threat actors due to their ability to enable decentralized SMS distribution across multiple countries, complicating both detection and takedown efforts.
Smishers have been exploiting unsecured cellular routers in industrial settings to blast SMS-based phishing messages since 2023. These devices are rugged IoT devices designed for remote industrial use, but have outdated firmware versions making them vulnerable to exploitation. Researchers found over 18,000 such routers accessible on the internet, with many having known vulnerabilities and being exploited in SMS-based phishing campaigns. The phishing campaigns targeted phone numbers in multiple countries, using fraudulent text messages and links to collect credentials. The use of decentralized SMS distribution across multiple countries makes it difficult for authorities to detect and takedown these campaigns. Some phishing websites used JavaScript to prevent analysis and reverse engineering, while others logged visitor interactions through a Telegram bot. Researchers discovered that some devices were exploiting a known vulnerability (CVE-2023-43261) due to misconfigured storage, but further investigation found inconsistencies in this theory. The discovery highlights the growing threat of SMS-based phishing campaigns and the need for more stringent security measures to protect vulnerable devices like these cellular routers.
Smishers have been exploiting unsecured cellular routers used in industrial settings to blast SMS-based phishing messages, a tactic that has been ongoing since 2023. According to researchers at security company Sekoia, these devices, manufactured by China-based Milesight IoT Co., Ltd., are rugged Internet of Things (IoT) devices designed to connect traffic lights, electric power meters, and other remote industrial devices to central hubs using cellular networks.
These routers come equipped with SIM cards that work with 3G/4G/5G cellular networks and can be controlled by text messages, Python scripts, and web interfaces. While they may seem like simple, low-cost solutions for communication, the researchers discovered that a significant number of these devices are vulnerable to exploitation due to outdated firmware versions.
The researchers conducted an investigation into "suspicious network traces" detected in their honeypots, which led them to identify over 18,000 such routers accessible on the internet. Notably, at least 572 of these routers allowed free access to programming interfaces to anyone who took the time to look for them. The vast majority of the routers were running firmware versions that were more than three years out of date and had known vulnerabilities.
Upon further investigation, Sekoia researchers found that some of these devices had been used in a series of SMS-based phishing campaigns dating back to October 2023. These campaigns targeted phone numbers located in an array of countries, primarily Sweden, Belgium, and Italy. The fraudulent text messages instructed recipients to log into various accounts, often related to government services, to verify their identity. Links in the messages sent recipients to fraudulent websites that collected their credentials.
In a statement, Sekoia researchers Jeremy Scion and Marc N. noted that "the smishing campaigns appear to have been conducted through the exploitation of vulnerable cellular routers—a relatively unsophisticated, yet effective, delivery vector." They added that these devices are particularly appealing to threat actors as they enable decentralized SMS distribution across multiple countries, complicating both detection and takedown efforts.
The researchers also discovered that some of the phishing websites used JavaScript to prevent pages from delivering malicious content unless accessed from a mobile device. Another site ran JavaScript to disable right-click actions and browser debugging tools, likely in an attempt to hinder analysis and reverse engineering. Furthermore, Sekoia found that some of the sites logged visitor interactions through a Telegram bot known as GroozaBot.
The researchers also noted that one of the devices abused in the campaigns was running firmware version 32 or earlier, which was susceptible to CVE-2023-43261, a vulnerability discovered by researcher Bipin Jitiya. This vulnerability stemmed from a misconfiguration that made files in the router's storage publicly available through a web interface, containing cryptographically protected passwords for accounts, including the device administrator.
However, further investigation contradicted some of this theory. An authentication cookie found on one of the hacked routers used in the campaign could not be decrypted using the key and IV described in the article. Additionally, some of the routers running firmware versions that weren’t susceptible to CVE-2023-43261 were still being exploited.
Milesight did not respond to a message seeking comment. The researchers concluded that the resources for these phishing campaigns likely come from small, often-overlooked boxes tucked away in janitorial closets in industrial settings.
The discovery highlights the growing threat of SMS-based phishing campaigns and the need for more stringent security measures to protect vulnerable devices like these cellular routers. As Sekoia’s investigation suggests, scammers are getting increasingly creative with their tactics, exploiting simple yet effective delivery vectors to spread malicious messages.
In a rapidly evolving cybersecurity landscape, it is crucial for individuals and organizations to remain vigilant and take proactive steps to secure themselves against such threats.
Related Information:
https://www.ethicalhackingnews.com/articles/Abusing-Industrial-Cellular-Routers-The-Rise-of-SMS-Based-Phishing-Campaigns-ehn.shtml
https://arstechnica.com/security/2025/10/that-annoying-sms-phish-you-just-got-may-have-come-from-a-box-like-this/
Published: Wed Oct 1 18:42:48 2025 by llama3.2 3B Q4_K_M
