What happens when a Cyber Security analyst is sent a phishing text?
This blog post is my first on the topic of phishing. In it I analyse an SMS phishing text, not in great technical detail, but in enough depth for the reader to understand how phishing links work and the hallmarks of a phishing site. In later blog posts I will be going into greater technical detail.
The Phishing text
We received an innocent-looking text, shown below, claiming to have come from "Post Office" and letting us know they had failed to deliver our parcel and we needed to reschedule.
Compared to a legitimate text message from Royal Mail, the phishing text actually looks somewhat convincing. The two main giveaways, though, are the phone number the text was sent from and the link within the text message.
The text message below is one I received recently from Royal Mail. Even though this one is legitimate, that may not be immediately apparent to the average person.
Let's click the link
I should start by saying, if you're in doubt, don't click the link! If you know it looks suspicious, definitely do not click the link! Now we're done with the warning... let's click the link. When we do click it, it takes us to a webpage which, to the average person, would look totally convincing and wouldn't raise any alarm bells. As shown below, the first thing you see is what looks like the Royal Mail website with a pop-up asking you for your postcode, which would be normal if this was a legitimate website.
I enter an obviously fake postcode, as highlighted below. With correctly validated user input this should throw an error, because this is not a valid postcode, nor is it in the correct format. But we're in luck: the phishing website does not care what we enter, because it is not validating any of our information, it's just stealing it :)
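To make the contrast concrete, here is the kind of server-side check a legitimate delivery site would run on the postcode field. This is an added example written for this post, not code from the phishing site or from Royal Mail; the regular expression is a simplified UK postcode pattern (it deliberately ignores rare special cases such as GIR 0AA) and the form field names are assumptions.

```python
import re
from typing import Optional

# Simplified UK postcode shape after whitespace is removed:
#   outward code = area (1-2 letters), district (digit, optional digit/letter)
#   inward code  = sector digit + two unit letters
_POSTCODE_RE = re.compile(r"^(?P<outward>[A-Z]{1,2}[0-9][A-Z0-9]?)(?P<inward>[0-9][A-Z]{2})$")


def normalise_postcode(raw: str) -> Optional[str]:
    """Return the postcode in canonical 'OUTWARD INWARD' form, or None if
    the input is not shaped like a UK postcode."""
    if not isinstance(raw, str):
        return None
    compact = re.sub(r"\s+", "", raw).upper()
    # Valid UK postcodes are 5-7 characters without the space; anything
    # else (including "FAKE POSTCODE") is rejected before the regex runs.
    if not 5 <= len(compact) <= 7:
        return None
    match = _POSTCODE_RE.fullmatch(compact)
    if match is None:
        return None
    return f"{match['outward']} {match['inward']}"


def validate_form(fields: dict) -> dict:
    """Validate a submitted form the way a real site should: reject bad
    input with an error instead of silently accepting whatever was typed.
    The 'postcode' field name is an assumption for this example."""
    errors = {}
    postcode = normalise_postcode(fields.get("postcode", ""))
    if postcode is None:
        errors["postcode"] = "not a valid UK postcode"
    return {"ok": not errors, "errors": errors, "postcode": postcode}


if __name__ == "__main__":
    # Constructed inputs: one obviously fake, one well-formed.
    print(validate_form({"postcode": "FAKE POSTCODE"}))
    print(validate_form({"postcode": "sw1a1aa"}))
```

A site that validates would stop at the first screen for "FAKE POSTCODE"; the phishing site accepted it and moved straight on, which is one of the behavioural tells the post describes.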
It's also worth noting that nothing on this webpage works apart from the pop-up we see: none of the links in the background work and there is no scrolling. This should be a massive red flag.
When we click on the continue button, we are taken to the next page, which shows us a map with a number of branches near us. There are just a few problems with this. "FAKE POSTCODE" is not a real postcode, so those branches are obviously not anywhere near us. The map is really just an image of a map with a marker placed on the United Kingdom, which also tells us that this is a UK-targeted scam. There is a Coronavirus disclaimer added for realism at the top of the page, indicating this is a recent scam.
After a few seconds, we are redirected to another page asking us for our full name and our home address. This may not seem like such a big deal, but once a criminal has your postcode, house address and full name they could impersonate you and possibly start to commit identity fraud.
Once we click continue, we are taken to another page where apparently we have one item in transit for our fake name and address. Now they want our date of birth and mobile number. Is this concerning for you yet?
After we click continue, we are asked to select a new delivery date to apparently rearrange our non-existent parcel. Let's click continue again.
Now this is where this phishing site gets really interesting and dangerous. A sense of urgency is created: we need to pay a fee to redeliver our parcel and, to do so, they need our bank details. Of course we know this is not the real Royal Mail website, so by filling this in you're sending your card details directly to the scammers. From here the scammers behind this phishing site would be able to commit identity fraud, use your card details to spend your money and even open accounts in your name.
Before we click continue, let's have a look at where this information is going. We see a POST request to finish.php with our session ID being sent as a URL parameter. This is how the scammers receive our entered card details and all of our other information. This phishing site is POSTing our details directly to the scammers, who probably just sit back and collect all of our details in their log files or wherever they are directing these details.
When we click continue, we are taken to one of the final phishing pages, where we see that our redelivery request was apparently processed. It's even being sent to our fake address! How nice of them :)
After a few seconds, the page automatically redirects us to the real Royal Mail website. This is very sneaky: the non-tech-savvy would think they had just entered their details on the real Royal Mail site. The fact that they are redirected to Royal Mail afterwards just adds a level of false security for the victim, who wouldn't question a thing.
Let's do some OSINT
So now that we have given the scammers some fake details to play with, we can go ahead and run a whois on the domain. We can see from the output below that the domain was registered on the 16th September 2021, which is very recent, and the registrar, PublicDomainRegistry, is known for being abused by scammers. This really is not looking too positive.
If we go ahead and take a look at a genuine whois on Royal Mail's domain, we see that it was registered before 1996 and its registrar is MarkMonitor. Both the reputation of the registrar and the fact that the domain has been registered for more than 20 years add to its legitimacy. A newly registered domain should always be treated as suspicious, as new phishing sites are being set up and used all the time.
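The domain-age check described above is easy to automate for a whole batch of suspicious links. The following is an added example written for this post, not the author's tooling: it parses raw whois text (a few common key names and date formats, as registries differ), computes the domain's age and pulls out the abuse contact for reporting. The whois records are constructed; the first mirrors the registration date and registrar the post reports but uses a placeholder domain, since the post does not name the real one, and the second is an invented long-established record for comparison.

```python
import re
from datetime import date, datetime
from typing import Optional

# Constructed whois output (placeholder domain) shaped like the record
# discussed in the post: registered 16 September 2021 via PublicDomainRegistry.
SAMPLE_SUSPICIOUS_WHOIS = """\
Domain Name: PARCEL-REDELIVERY-PLACEHOLDER.COM
Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com
Creation Date: 2021-09-16T10:21:43Z
Registrar Abuse Contact Email: abuse@registrar.invalid
"""

# Constructed record for a long-established domain (invented date, for contrast).
SAMPLE_ESTABLISHED_WHOIS = """\
Domain Name: EXAMPLE.CO.UK
Registrar: MarkMonitor Inc.
Registered on: 04-Mar-1999
Registrar Abuse Contact Email: abusedesk@markmonitor.invalid
"""

# Key names different registries use for the registration date.
_CREATION_KEYS = ("creation date", "created", "registered on", "registration date")
_DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d", "%d-%b-%Y", "%d/%m/%Y")


def whois_field(whois_text: str, wanted_keys) -> Optional[str]:
    """Return the value of the first 'Key: value' line whose key matches."""
    wanted = tuple(k.lower() for k in wanted_keys)
    for line in whois_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() in wanted:
            return value.strip()
    return None


def parse_creation_date(whois_text: str) -> Optional[date]:
    """Extract the registration date, trying several date formats."""
    value = whois_field(whois_text, _CREATION_KEYS)
    if value is None:
        return None
    for fmt in _DATE_FORMATS:
        try:
            return datetime.strptime(value, fmt).date()
        except ValueError:
            continue
    return None


def assess_domain(whois_text: str, today: date, max_age_days: int = 30) -> dict:
    """Summarise the signals the post uses: domain age, registrar and
    the abuse contact to report to. 30 days is an assumed 'newly
    registered' threshold, not a standard."""
    created = parse_creation_date(whois_text)
    age_days = (today - created).days if created else None
    return {
        "domain": whois_field(whois_text, ("domain name",)),
        "registrar": whois_field(whois_text, ("registrar",)),
        "created": created,
        "age_days": age_days,
        "newly_registered": age_days is not None and age_days < max_age_days,
        "abuse_contact": whois_field(whois_text, ("registrar abuse contact email",)),
    }


if __name__ == "__main__":
    for record in (SAMPLE_SUSPICIOUS_WHOIS, SAMPLE_ESTABLISHED_WHOIS):
        print(assess_domain(record, date(2021, 9, 30)))
```

In practice you would feed in the output of the `whois` command for each domain; the abuse contact it returns is the address to send the takedown request to, as the post recommends later.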
If we take a look at Palo Alto's link checker, we can enter a URL and view their own classification. We see that the link was classified as a newly registered domain and as a phishing site, which confirms our suspicions. If we knew this was a phishing site but Palo Alto did not have a classification for it, we could request a change and ask that it be classified as phishing.
Whilst browsing around the phishing site, I came across a number of subdomains, admin panels and interesting directories. One of these was the 'codes' directory shown below; I will leave it to your imagination as to what this is.
I would also just like to point out something to check when going to a website you are unsure about, or websites in general. Look out for the padlock symbol at the top of the address bar. In the case of this phishing website it is red and says "dangerous". This should be a massive red flag and enough to exit the website.
And if in doubt, google the phone number that texted you. A quick google for the scammer's phone number revealed a number of complaints, mostly originating from the UK, indicating this is a UK-targeted phishing campaign.
What can I do to help?
If you come across a phishing link, report it via the Palo Alto link checker and also perform a whois lookup on the domain to see if you can find an abuse contact email address. Send them an email notifying them of the phishing site so that they can take it down. The NCSC also have a new webpage for reporting suspicious websites. The more people that proactively report phishing sites, the harder it is for them to operate and, hopefully, the less successful they become.
We have now completed a very quick and simple analysis of an SMS phishing text and a phishing website.
I hope I explained this well for anyone wondering how to spot a phishing site and wanting to know how they work. If you have any feedback, I would love to hear it, as I want to keep improving. I am still learning, and if you spot any mistakes or inaccuracies, please let me know!