
April 28, 2017
The National Cyber Incident Response Center (USOM), operating under the Information and Communication Technologies Authority (BTK), conducted an operation targeting the command and control servers of the malicious software named LokiBotnet, which particularly targets smartphone users in Turkey. Cybersecurity experts obtained the phone information of affected citizens found on the command servers and dismantled the command centers belonging to LokiBotnet.
Heavy Blow to Botnet from BTK
The malicious application, installed on smartphones via links in SMS messages sent to Android-based devices, disguises itself as a banking application or software that awards prizes through lotteries. The malicious software can be sent to citizens under different appearances and names. Once it infects a smartphone, the malicious software can send the phone's contacts and SMS messages to the attackers' command server and display a fake version of any bank's internet banking page at any time the user wishes.
Command Servers Dismantled
BTK cybersecurity experts, starting from reports provided by a bank and a security firm serving that bank, exploited vulnerabilities detected in the LokiBotnet cybercriminals' command and control servers to expand the operation. BTK experts infiltrated the systems and seized the list of devices infected with the malicious software so far. During the operation, BTK first severed communication between the infected devices and the command server, preventing devices turned into bots in Turkey from receiving commands from the command center. In an operation reminiscent of movies, the attackers noticed the infiltration and attempted to shut down access. Racing against time, USOM experts seized the necessary information from the attackers' systems and then wiped all data from the command server, completely disabling the command center.
BTK Sent Operation Results to BDDK, Police, and Relevant Institutions
BTK detected that the attackers had seized more than 27,000 phone numbers from individuals' contacts. BTK identified that the malicious software had infected a total of 4,116 devices, primarily targeting customers in Turkey (54%) and Iran (27%). Based on this data, by examining the 2,512 IMEIs that complied with standards, BTK reached 1,441 individuals affected by the malicious software. BTK shared information on the devices and individuals affected by LokiBotnet, along with details about the attackers, with the Banking Regulation and Supervision Agency (BDDK), the General Directorate of Security, and relevant institutions.
Banks Took Necessary Measures
Banks took the necessary precautions in this regard and issued warnings to their customers. Thanks to the swift measures, some EFT attempts have been blocked so far, and no cases of financial loss have been reported in this context. Customers must adhere to the measures that banks take and recommend, and also remain vigilant against fake SMS messages and fraudulent calls.
What Should Citizens Do?
If you have been called by your bank and informed about this issue, you must follow the measures conveyed and recommended to you, but be cautious of scammers' fake calls,
Cyber Army Strikes Botnet