Ismail Hakim, March 2025

Fake BTS Attack was Leveraged to Send Bank Mandiri SMS Phishing aka SMShing Attack

A Fake BTS (Base Transceiver Station) Attack is a type of man-in-the-middle (MITM) attack where an attacker sets up a rogue cellular tower (BTS) to intercept mobile communications. This attack is commonly used for eavesdropping, location tracking, SMS interception, and even injecting malicious payloads into a victim’s device.

Historically, in 2017, fake-BTS attacks were used to distribute a banking trojan called the “Swearing Trojan”, a trojan that specialized in stealing financial information from online banking systems. It is a dangerous form of trojan horse malware that can lead to identity theft and other types of fraud.

How Fake BTS Attacks Happen

Every mobile network technology is susceptible to fake BTS attacks. However, GSM/2G networks are the most vulnerable, for several reasons:

  1. GSM does not require mutual authentication between BTS and the mobile device.
  2. Weak encryption (A5/1, A5/2) can be easily cracked or even disabled by a rogue BTS.

In Indonesia, SMS services are still supported over 2G networks. While many operators have phased out 3G services to reallocate resources to more advanced technologies like 4G and 5G, 2G networks continue to operate to support basic services such as voice calls and SMS.

Since mobile phones always connect to the strongest available BTS, a rogue BTS may overpower legitimate signals, forcing nearby devices to connect to it. Once a device is connected, the attacker can intercept calls, SMS, and data traffic, and can even downgrade encryption (e.g., force 2G with weak encryption) to make decryption easier.

Finally, the attacker can redirect calls, send spoofed SMS, or even deploy malicious software to targeted devices.

Recent Recorded Attack by Leveraging Fake BTS

On 6 March 2025, one sample was recorded of threat actors leveraging a fake BTS attack to send fraudulent links. Deceptively, the link was sent under 83355, the sender ID Bank Mandiri uses to send financial activity notifications to its users.

The fraudulent message starts with the very convincing prefix “Mandiri: ”, as if the actor anticipated that the message could also be received by people who are not Mandiri customers.

Analyzing the Link

By proxying traffic from the Android device through Burp, we can work around restrictions that may apply (e.g. User-Agent checks). The link pointed to https[://]qmandiri[.]top/id.

Digging deeper into the fraudulent link, we find that it resolves to 124[.]156[.]199[.]25. This IP belongs to the Tencent Cloud network. Three ports are open (22, 80, and 443), and the same IP is also used by the domain mandiris[.]top.

Even though multiple connection attempts were made, none of the HTTP responses returned anything of interest. The campaign may have been paused, or its content may be hidden under a random directory path.
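As an added example, not from the original post, here is a small defender-side triage check run over constructed SMS samples modelled on this incident: it refangs analyst-style URLs, flags links whose domain carries the brand name but is not on an allowlist (as qmandiri[.]top and mandiris[.]top do), and flags any message arriving under the 83355 sender ID whose link points elsewhere. The allowlist entry bankmandiri.example is a placeholder, not the bank's real domain.

```python
import re
from urllib.parse import urlsplit

BANK_SENDER_IDS = {"83355"}              # sender ID the post reports Bank Mandiri uses
BRAND_TOKEN = "mandiri"
LEGIT_DOMAINS = {"bankmandiri.example"}  # placeholder allowlist (assumption, not the real domain)
URL_RE = re.compile(r"https?://[^\s<>]+", re.IGNORECASE)

def refang(text: str) -> str:
    """Undo defanging (hxxp, [.], [://]) so analyst notes parse like live SMS."""
    return text.replace("[.]", ".").replace("[://]", "://").replace("hxxp", "http")

def extract_hosts(body: str) -> list[str]:
    """Lower-cased hostname of every URL in the message body."""
    hosts = []
    for m in URL_RE.finditer(refang(body)):
        host = urlsplit(m.group(0).rstrip(".,;:)")).hostname
        if host:
            hosts.append(host.lower())
    return hosts

def is_allowlisted(host: str) -> bool:
    """Exact or subdomain match only, so qmandiri.top never passes as bankmandiri.example."""
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)

def assess_sms(sender: str, body: str) -> tuple[str, list[str]]:
    """Return ('suspicious', reasons) or ('ok', []) for one message."""
    reasons = []
    claims_brand = sender in BANK_SENDER_IDS or body.lower().startswith(BRAND_TOKEN + ":")
    for host in extract_hosts(body):
        if is_allowlisted(host):
            continue
        if BRAND_TOKEN in host:                      # qmandiri.top, mandiris.top
            reasons.append(f"lookalike domain {host}")
        elif claims_brand:                           # trusted sender ID, off-brand link
            reasons.append(f"bank sender ID with off-brand link {host}")
    return ("suspicious" if reasons else "ok", reasons)

# Constructed sample messages modelled on the incident (not real captures).
SAMPLES = [
    ("83355", "Mandiri: verifikasi akun Anda di https[://]qmandiri[.]top/id"),
    ("83355", "Mandiri: transaksi berhasil, detail di https://bankmandiri.example/n/1"),
    ("+628120000000", "promo spesial https://mandiris.top/x"),
    ("+628120000000", "ketemu di https://maps.example/abc ya"),
]

def run_samples() -> list[str]:
    """Verdict per sample, in order."""
    return [assess_sms(sender, body)[0] for sender, body in SAMPLES]
```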

Closing

Traditional SMS messaging is still used as a delivery method for information and even as an authentication method (such as SMS OTP). Without action on the current state of the national-scale network, or other preventive measures, the impact of fake BTS attacks could be serious in the near future.

More blog at https://cyberkarta.com/blog


Fake BTS Attack was Leveraged to Send Bank Mandiri SMS Phishing aka SMShing Attack was originally published in Cyberkarta on Medium, where people are continuing the conversation by highlighting and responding to this story.
