SMS scam and phishing web sites

This post will describe the phishing campaign that target myself, among other individuals. In this review I will explain the reasoning (both technical and social) in assessing the validity of the sites, messages and the logic behind an attempt to obtain personal data from individuals.  The whole story began when I received this SMS message on my mobile.
The SMS itself looks pretty much regular, even though the URL it directs you to is not exactly what I'd expect from a courier company. Not only it does not contain the names of either DHL, FastTrack, Post or any similar courier, but rather obscure name (gh4). Anyway, this was not my primary trigger - my primary trigger was an "every day life practice" - I could not remember I purchased anything! So, first thing firs, I contacted my wife to check if we're expecting anything. No. Ok, something's weird here...Let's investigate. I started with simple domain lookups to see who owns this web site.
Ok, not much here -just another cloud based service. The next step was to inspect the web content of this strange URL. I ran wget within isolated virtualised machine to see what comes back.
There is one URL reference in the file downloaded linking to the blogger.com - site used for various blogs, mostly hobbists, enthusiasts...Why would a parcel delivery be connected to sites that host blogs? I fired up my browser to the blogger's site.
Rather obscure, wouldn't you say - FR, SE, DK - does this mean there are sites variants for different countries, maybe different languages. I needed to see what these sites are, so let's start with the first one from the list, orig1TRK. Clicking this link opens the following page:

This is the parcel tracking site with the parcel ID as from the SMS. A strange source for my parcel, isn't it - blogger site?  A couple of things here:
a)       You can change parcel ID to any other number, it will still show the same delivery message. Doesn’t make sense.
b)      This is not a real tracking page (orig1 from the URL corresponds to the orig1 from the URL published on the blog).
You land to the same web if you click the original http://www.gh4.best/s/3p4rd3/bne from the SMS.  As a matter of fact, HTTP 302 redirect request makes sure you land here. Orig1-ie.blogspot.com is the same server as track-ie.blogspot.com (makes sense as both sites are just aliases running on the same domain/machine)

I followed the game - clicked "Pay shipping" which leads me to yet another page, b3.yocourse.com
At this stage, I filled in the bogus details and clicked Next.
Note the phone number for questions : +4542907339. Two things that require further investigation here - b3.yocourse.com domain and the phone number. First, the domain lookup comes with this:
Who or what is WhoIsGuard Protected?
The phishing authors used WhoisGuard service for anonymisation (the original SMS came with no identified phone number).  That explains why there was no phone number displayed on the original SMS. Second artefact to inspect was the said phone number. Googling the number shows us that it's sourced from Denmark.
That makes sense because remember that the web sites from blogger.com indicated FR (France), DK (Denmark) and SE (Sweden) language options. My guess at this stage was that the perpetrator was from Denmark, although they may be using the fake info to misdirect the investigation. Further, when I browse b3.yocourse.com , this leads me to what it seems like fake yoga site. There is nothing on the webpage (yoga training) except the form for personal data. No contact, no address,no names of instructors, no description of Yoga classes…This is a suspicious lack of essential information for any decent web site, too.
Roughly a month after I received the original phishing SMS, I went to check the web reputation of the fake yoga site. It was accessed via corporate filtering engine.
Unfortunatelly, Fortiguard was among the rare ones that flagged this site as malicious. Very few online web reputation filters did the same(2 out of 35 that I checked). Many others showed nothing suspicious around this one.
Conclusion: the identified area/address in Denmark might be the perpetrator, assuming they control the payment interface. If not, the perpetrator may only be using couple of redirect URLs to point to a legitimate payment site.
However, based on the analysis it seems the whole b3.yocourse.com is being a phishing site and as such is owned most likely by the blogger above.

Comments

Post a Comment

Popular posts from this blog

Signature verification bypass vulnerability in some Huawei routers

Image
This blog will describe the discovery of the digital signature bypass on some Huawei routers.  The idea of digital signature check is simple - you have a piece of code and you calculated the checksum/hash of that file. The hash or checksum can be thought of as a "signature", a mathematical value that is uniquely assigned to the code (in our case the code was a firmware file). As soon as you change anything in the file and recalculate the hash, it should be significantly different from the original value - that is the feature of the hashing algorithm. Even the small change in the code will change the hash significantly. Vendors in most cases provide the such a pre-calculated hash so that the customer or the system may check if the hash of the image is indeed the same as vendor required. What was found in this investigation was that the system command on the Huawei AR1220E router does not perform this check properly. As a consequence, the attacker might be abl
Read more

Attacking encrypted VOIP (SIP) protocols

Image
In this post I will be explaining the approach in attacking the encrypted voice over IP (VOIP) protocol, more specifically, SIP (Session Initiation Protocol).  When we are talking about the SIP encryption, it will most likely assume some kind of SSL/TLS wrapping (SIP over TLS). An example below shows the solution design that allows interception, decryption and manipulation of SIP messages. The central component consists of mitm_relay.py and BURP. It is not required that both BURP and mitm_relay run on the same machine, but my setup did run both of them on the same virtual instance. The communication chain looked like this: Client -> mitm_relay->BURP->SIP Server->Client 2 The mitm_relay.py is a python script available at https://github.com/jrmdev/mitm_relay Before we fire up the mitm_relay, we need to configure couple of things- its certificate (self signed in my case, and private key). Once this is in place, we can run it: Few details about the mitm_relay setup:
Read more

DNS insights - UDP vs TCP and EDNS

Image
In this article I will elaborate the research I did in relation to DNS (Domain Name Service). The particular issue discussed here is when and how DNS uses TCP or UDP transport layer in relation to the packet size. Normally, DNS will run queries and replies via UDP protocol unless there is a Zone Transfer , incremental or full (IXFR or AXFR , respectively). According to the original DNS specification as given in the RFC 1035 (https://www.ietf.org/rfc/rfc1035.txt), DNS will also use TCP for packets larger than 512 bytes. However, there was another RFC issued in 2013 which is RFC 6891 (Extension Mechanism for DNS), labelled as EDNS(0). https://tools.ietf.org/html/rfc6891 I came across this issue accidentally, but as we will see in the text, some issues were noticed that are some not well documented reasons why DNS may fail to comply with EDNS. To do the proper investigation, here are some assumptions I worked with: a) I wanted to check DNS clients from both Windows and Linux b) I wan
Read more