Hackers Exploit Milesight Industrial Routers to Send Phishing SMS Campaigns

Fraudsters are abusing internet-exposed Milesight industrial cellular routers to send phishing SMS (smishing) at scale. According to researchers at Sekoia, the campaigns have been active since 2023.

The routers, manufactured by the Chinese company Milesight IoT Co., Ltd., are widely deployed IoT devices. They connect critical infrastructure such as traffic lights, electricity meters, and remote industrial equipment to central hubs over 3G/4G/5G cellular networks. Each unit carries a SIM card and can be managed via SMS commands, Python scripts, or a web interface. The same SIM that provides the cellular uplink also lets the router send SMS itself, and that is the capability being abused: anyone who can reach an unauthenticated management interface gains a ready-made SMS gateway on a real mobile subscription.

Sekoia’s investigation began with the analysis of “suspicious network traces” flagged by its honeypots. The traces showed that one of the cellular routers was being used to send SMS messages containing phishing URLs. A broader internet-wide search found more than 18,000 reachable devices, at least 572 of which answered management requests without any authentication. Most ran firmware more than three years old with publicly known vulnerabilities.

Evidence of Ongoing Phishing Campaigns

By querying these unauthenticated APIs, researchers were able to read the incoming and outgoing SMS logs of compromised routers. The logs revealed phishing operations running since October 2023.

  • The fraudulent texts targeted phone numbers in multiple countries, with Sweden, Belgium, and Italy among the hardest hit.
  • Messages typically urged recipients to log into accounts tied to government services to “verify their identity.”
  • Embedded links directed victims to phishing sites designed to harvest login credentials.
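
As an added example (not Sekoia’s tooling and not Milesight’s API), the following Python script applies the triage the researchers describe to a constructed SMS log: it parses the records, keeps outbound messages that carry a URL, rates them by the identity-verification lure phrases the campaign used, and groups them by destination country from the E.164 prefix. The log format, phone numbers, domains and the small country-code table are all assumptions made for the example; how the log is retrieved from a vulnerable device is deliberately left out.

```python
"""
Triage an SMS log pulled from a cellular router for outbound phishing.

Added example for this article, not Sekoia's tooling and not Milesight's API:
the log format and every number and domain below are constructed, and the
request that retrieves the log from a vulnerable device is deliberately omitted.
"""
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample: timestamp, direction (OUT = sent by the router), E.164
# destination, message text. Fictitious numbers and .example domains.
SAMPLE_LOG = """\
2023-10-14T08:12:03Z OUT +46701234567 Tax Agency: verify your identity within 24h or your account will be suspended: https://tax-id-verify.example/login
2023-10-14T08:12:09Z OUT +32470123456 Uw e-ID-account is geblokkeerd. Bevestig uw identiteit: https://eid-check.example/id
2023-10-14T08:12:15Z OUT +39345123456 Accesso sospeso. Verifica la tua identità: https://identita-verifica.example/
2023-10-14T09:00:00Z IN  +46700000000 STOP
2023-10-15T11:31:44Z OUT +46709876543 Your parcel is waiting, pay the customs fee here: https://post-fee.example/pay
2023-10-15T11:40:02Z OUT +4915112345678 Meter reading received, thank you.
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Lure phrases matching the government-identity theme of the campaign, in the
# languages of the countries the article names (English, Dutch, Italian, Swedish).
LURE_PHRASES = (
    "verify your identity", "suspended", "blocked",
    "bevestig uw identiteit", "geblokkeerd",
    "verifica la tua identità", "sospeso",
    "bekräfta din identitet", "spärrat",
)

# Small E.164 country-code table for the example; a real deployment needs a full one.
COUNTRY_CODES = {"1": "US/CA", "32": "BE", "33": "FR", "39": "IT",
                 "44": "GB", "46": "SE", "49": "DE"}


@dataclass
class SmsRecord:
    ts: str
    direction: str
    number: str
    text: str


def parse_log(raw: str) -> list[SmsRecord]:
    """Split each non-empty line into the four fields; an empty body is allowed."""
    records = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        parts = line.split(maxsplit=3)
        ts, direction, number = parts[:3]
        text = parts[3] if len(parts) == 4 else ""
        records.append(SmsRecord(ts, direction, number, text))
    return records


def country_of(number: str) -> str:
    """Longest-prefix match on the country code (1 to 3 digits)."""
    digits = number.lstrip("+")
    for length in (3, 2, 1):
        code = COUNTRY_CODES.get(digits[:length])
        if code:
            return code
    return "??"


def triage(records: list[SmsRecord]) -> list[dict]:
    """Outbound messages carrying a URL are candidates; a lure phrase makes the
    hit high-confidence, otherwise it is queued for manual review."""
    hits = []
    for r in records:
        if r.direction != "OUT":
            continue
        urls = [u.rstrip(".,;:)") for u in URL_RE.findall(r.text)]
        if not urls:
            continue
        lower = r.text.lower()
        lures = [p for p in LURE_PHRASES if p in lower]
        hits.append({
            "ts": r.ts,
            "number": r.number,
            "country": country_of(r.number),
            "urls": urls,
            "lures": lures,
            "confidence": "high" if lures else "low",
        })
    return hits


def summarize(hits: list[dict]) -> dict:
    """Per-country counts and phishing domains from high-confidence hits only."""
    high = [h for h in hits if h["confidence"] == "high"]
    domains = {urlsplit(u).hostname for h in high for u in h["urls"]}
    return {
        "by_country": Counter(h["country"] for h in high),
        "domains": sorted(domains),
        "needs_review": sum(1 for h in hits if h["confidence"] == "low"),
    }


if __name__ == "__main__":
    print(summarize(triage(parse_log(SAMPLE_LOG))))
```

The split between high-confidence hits and a review queue matters in practice: a router that legitimately sends links (for example meter-reading portals) would otherwise drown the signal, while an outbound URL that no lure phrase catches still deserves a look because lure wording changes faster than any phrase list.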

To evade analysis, some phishing sites used JavaScript gates that rendered the page only in browsers identifying themselves as mobile devices, which fits a lure delivered by SMS: desktop visitors, including researchers and URL scanners, received an empty page. Others suppressed the right-click context menu and the keyboard shortcuts that open the browser’s developer tools, tactics meant to slow down inspection of the kit. These controls run entirely client-side, so they are defeated by fetching the page with a mobile User-Agent header or by capturing the responses with a proxy rather than viewing them in the browser.
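
As an added example (not code from the phishing kit or from Sekoia), this Python scanner flags the client-side tricks described above in a page an analyst has already fetched, and turns the flags into the refetch steps needed to see the real content. The sample page is constructed to exercise every indicator, and the patterns are heuristics for common idioms; a kit that obfuscates its JavaScript would need deobfuscation first.

```python
"""
Flag the client-side anti-analysis tricks used by the phishing pages: a
mobile-only gate, right-click suppression, developer-tools key interception
and debugger traps. Added example; the page below is constructed to exercise
each indicator and is not a kit recovered by Sekoia. Patterns are heuristics
tuned to common idioms, so the absence of a flag is not proof of absence.
"""
import re

# Constructed page combining the tricks the article describes.
SAMPLE_PAGE = r"""
<html><body oncontextmenu="return false">
<div id="app">Loading...</div>
<script>
  var ua = navigator.userAgent;
  if (!/Android|iPhone|iPad|Mobile/i.test(ua)) {
    document.getElementById('app').innerHTML = '';   // desktop sees nothing
  } else {
    fetch('/stage2').then(r => r.text()).then(h => {
      document.getElementById('app').innerHTML = h;  // real lure only for mobile
    });
  }
  document.addEventListener('keydown', function (e) {
    if (e.keyCode === 123 || (e.ctrlKey && e.shiftKey && (e.key === 'I' || e.key === 'J'))) {
      e.preventDefault();                            // F12 / Ctrl+Shift+I/J
    }
  });
  setInterval(function () { debugger; }, 500);       // stalls an open debugger
</script>
</body></html>
"""

MOBILE = r"(?:Android|iPhone|iPad|Mobile)"

INDICATORS = {
    # userAgent read within 200 chars of a mobile-platform test, either order
    "mobile_gate": re.compile(
        r"navigator\.userAgent.{0,200}?" + MOBILE + r"|" + MOBILE + r".{0,200}?navigator\.userAgent",
        re.S | re.I),
    # inline handler or listener that cancels the context menu
    "contextmenu_block": re.compile(
        r"oncontextmenu\s*=\s*[\"']?\s*return\s+false|addEventListener\(\s*[\"']contextmenu", re.I),
    # F12 (keyCode 123) or Ctrl+Shift+letter interception
    "devtools_keys": re.compile(
        r"keyCode\s*===?\s*123|ctrlKey\s*&&\s*\w+\.shiftKey", re.I),
    # debugger statement, typically inside a timer loop
    "debugger_trap": re.compile(r"\bdebugger\b"),
}


def scan(page: str) -> dict[str, bool]:
    """Return one boolean per indicator for the given HTML/JS text."""
    return {name: bool(rx.search(page)) for name, rx in INDICATORS.items()}


def analysis_advice(flags: dict[str, bool]) -> list[str]:
    """Translate flags into the refetch/inspection steps an analyst needs."""
    advice = []
    if flags["mobile_gate"]:
        advice.append("refetch with a mobile User-Agent; a desktop fetch returns the empty shell")
    if flags["contextmenu_block"] or flags["devtools_keys"]:
        advice.append("inspect source from a proxy capture or curl, not the browser UI")
    if flags["debugger_trap"]:
        advice.append("step through with breakpoints disabled or work from the captured JS")
    return advice


if __name__ == "__main__":
    flags = scan(SAMPLE_PAGE)
    print(flags)
    for step in analysis_advice(flags):
        print("-", step)
```

The mobile gate is the indicator that matters most operationally: a scanner or sandbox that fetches with a desktop User-Agent will classify the page as empty and harmless, so any automated URL checking of SMS-delivered links should fetch with a mobile User-Agent as well.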

Attribution and Infrastructure

Analysts also identified a Telegram bot, GroozaBot, used to record victims’ activity on the phishing pages. The bot is operated by an actor using the alias Gro_oza, who appears to communicate in both Arabic and French.

“In this case, the campaigns were carried out through the exploitation of vulnerable cellular routers—a relatively primitive but effective delivery channel,” the researchers noted. “Such devices are attractive to attackers because they enable decentralized SMS distribution across multiple countries, complicating detection and blocking.”

Exploited Vulnerabilities

The exact compromise method remains unclear. One candidate is CVE-2023-43261, an information-disclosure flaw in which log files reachable without authentication leaked router credentials that could be decrypted with a hardcoded key; it was fixed in 2023 in firmware version 35.3.0.7. However, Sekoia notes that some compromised devices ran firmware versions not affected by this flaw, so the attackers must have at least one other way in, whether a different vulnerability or simply the unauthenticated management interfaces described above. In practice, a device on firmware older than the fix should be treated as exposed regardless of whether this particular CVE applies to its model.

Broader Implications

The campaign shows how outdated but strategically placed IoT infrastructure can be turned into a phishing platform. Cellular routers give attackers SMS reach into many countries with almost no infrastructure of their own, and the messages originate from ordinary mobile subscriptions that carriers and recipients have no immediate reason to distrust. The underlying failures are mundane: management interfaces reachable from the internet and firmware left unpatched for years. For operators the controls follow directly: keep the management interface off the public internet (or behind a VPN and authentication), update past firmware 35.3.0.7, and review the device’s SMS log for messages the deployment never sent.

Researchers warn that the exploitation of Milesight routers is likely not an isolated case and that similar industrial IoT devices may already be leveraged in other phishing campaigns.