Have you been Smished? Mass Smishing operation targeting mobile users with fake Amazon and USPS update messages

Summary

Earlier this month, mobile users began receiving smishing messages in what appears to be an organized spam operation. Smishing is phishing delivered over SMS (Short Message Service) text messages rather than email. This campaign has been sending fake United States Postal Service (USPS) and FedEx shipment updates, as well as phony Amazon loyalty program rewards, by text message.

In this blog, we focus on the risk of visiting such links from a mobile device and on why mobile devices should be included in a Zero Trust architecture. In the isolation model described here, Zero Trust treats all web content as untrusted and prevents any website from running code directly on your users’ devices. This approach protects users from untrusted actors without inhibiting their ability to do work.

Campaign Targets

This smishing campaign appears to be device agnostic. Using a chain of redirects, it serves a different landing page depending on the client browser and device:

[Figure 1: redirection chain from the initial SMS link to the device-specific landing page]

The final landing page links that serve the fake content are generated once per visit. Requesting such a link outside the redirection chain, or replaying it later, returns an HTTP 404 error.

The following image shows the different landing page themes based on the client device:

[Figure 2: landing page themes by client device]

Although the campaign has targeted both desktop and mobile users, its focus appears to be mobile users, who receive fake shipment updates from postal carriers including USPS, FedEx, and UPS. Victims are taken to a landing page that prompts them for credit card details along with other personal information.

Infrastructure

The following table shows the protocols, hosting providers, and DNS providers used for the domains in the three stages of the campaign:

Stage                        Protocol                       Hosting Provider(s)                 DNS Provider(s)
Initial URLs                 HTTP                           Alibaba                             Uniregistry
Redirection URLs (301/302)   HTTPS (Let’s Encrypt certs)    Leaseweb, Amazon, UpCloud,          Namecheap, GoDaddy
                                                            Advania Iceland
Landing Page URLs            HTTP/HTTPS (Let’s Encrypt)     Cloudflare, Amazon                  (not listed)

URL Categorization Is Like Herding Cats

Smishing attacks rely on URLs whose lifespan is very short and which are typically still categorized as “Unknown” when the message lands. If a URL is not accessed within a short window, the domain disappears or the link returns an HTTP 404 error.

    • On sampling the initial URL domains, most were categorized as Unknown by popular URL categorization providers. At the time of writing, only 19 percent of the initial URL domains were flagged as malicious by AV vendors.
    • The lifespan of the initial URLs is very short. The campaign sends a smishing message and expects the link to be clicked within minutes. After that, the domain is either taken down or the link returns an HTTP 404 error.
    • The landing page URLs are generated as one-time-only links that work only when reached through the proper redirection chain from the original device. Automated URL scanning or replay tools will most likely receive an HTTP 404 error when they try to navigate to these landing page URLs.

Given these points, URL categorization and detection vendors take longer to catch up. This delay is often described as “Green to Red”: the URL was categorized as benign or unknown at click time (green) and only reclassified as malicious or spam later (red).
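To make the two points above concrete (device-dependent landing pages and one-time links that defeat replay), here is an added Python simulation written for this post. It is not the campaign’s own code: the paths (/init, /r, /land), the token format, and the page themes are assumptions, and the whole chain runs on loopback. A redirector branches on the User-Agent and mints a single-use token; a client walks the chain hop by hop the way an analyst would, once as a phone, once as a desktop browser, and once as a scanner replaying the final URL.

```python
import http.server
import secrets
import threading
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

# Constructed simulation written for this article, not the campaign's own infrastructure.
# The paths (/init, /r, /land), the token format and the page themes are assumptions.
MOBILE_MARKERS = ("iPhone", "Android", "Mobile")
REDIRECT_CODES = {301, 302, 303, 307, 308}

class SmishChainHandler(http.server.BaseHTTPRequestHandler):
    """Stage 1: short initial link. Stage 2: redirector that branches on User-Agent and
    mints a single-use token. Stage 3: landing page that serves once, then answers 404."""
    tokens = {}              # token -> already-used flag, shared across requests
    lock = threading.Lock()

    def log_message(self, *args):  # keep the demo quiet
        pass

    def _redirect(self, location):
        self.send_response(302)
        self.send_header("Location", location)
        self.end_headers()

    def _respond(self, code, body):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        path = urlsplit(self.path).path
        if path.startswith("/init/"):            # stage 1: SMS link hops to the redirector
            self._redirect("/r?src=sms")
        elif path == "/r":                        # stage 2: classify device, mint one-time token
            ua = self.headers.get("User-Agent", "")
            theme = "usps" if any(m in ua for m in MOBILE_MARKERS) else "browser-update"
            token = secrets.token_urlsafe(16)
            with self.lock:
                self.tokens[token] = False
            self._redirect(f"/land/{theme}/{token}")
        elif path.startswith("/land/") and path.count("/") == 3:
            _, _, theme, token = path.split("/")  # stage 3: serve once, then 404 on replay
            with self.lock:
                fresh = self.tokens.get(token) is False
                if fresh:
                    self.tokens[token] = True
            if fresh:
                self._respond(200, f"<title>{theme} landing page</title>")
            else:
                self._respond(404, "Not Found")
        else:
            self._respond(404, "Not Found")

class _NoFollow(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # refuse to follow, so urllib raises HTTPError and we record each hop

def follow_chain(url, user_agent, max_hops=10):
    """Walk the chain one hop at a time as the given User-Agent; returns [(status, url), ...]."""
    opener = urllib.request.build_opener(_NoFollow)
    hops = []
    for _ in range(max_hops):
        req = urllib.request.Request(url, headers={"User-Agent": user_agent})
        try:
            with opener.open(req, timeout=5) as resp:
                status, location = resp.status, None
        except urllib.error.HTTPError as err:
            status, location = err.code, err.headers.get("Location")
        hops.append((status, url))
        if status not in REDIRECT_CODES or not location:
            break
        url = urljoin(url, location)
    return hops

def run_demo():
    """Start the fake chain on loopback; walk it as a phone, as a desktop, and as a replay."""
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), SmishChainHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    mobile_ua = "Mozilla/5.0 (iPhone; CPU iPhone OS 14_4 like Mac OS X) Mobile/15E148"
    desktop_ua = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/90.0"
    try:
        mobile = follow_chain(f"{base}/init/fU8rPoxD35", mobile_ua)  # path token from the IOC list
        desktop = follow_chain(f"{base}/init/fU8rPoxD35", desktop_ua)
        replay = follow_chain(mobile[-1][1], mobile_ua)              # what a later scanner sees
        return {"mobile": mobile, "desktop": desktop, "replay": replay}
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    for name, hops in run_demo().items():
        print(name, " -> ".join(f"{code} {urlsplit(u).path}" for code, u in hops))
```

Running the script prints three chains: the phone sees 302, 302, then the 200 “usps” page; the desktop is steered to a different theme on the same infrastructure; the replay of the phone’s final URL gets a 404 and nothing else. That is the detection lesson in miniature: capture the full chain at first click with the original User-Agent, because a sandbox or categorization crawler that visits the final hop afterwards will record only a dead link.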

[Figure 3: detection results for sampled campaign URLs]

Source: VirusTotal

Google Safe Browsing (GSB) also had a very poor detection ratio for both the initial URLs and the landing page URLs. We could not check every URL against GSB, but random sampling found five landing page URLs and five initial URLs that were not flagged as unsafe.

[Figure 4: Google Safe Browsing results for the sampled URLs]

 

IOCs

Initial URL Domain IPs (hosted on .com/.info TLDs):

47[.]243[.]34[.]151

47[.]242[.]142[.]35

47[.]242[.]110[.]196

 

Sample Initial Link URLs (Mobile):

hxxp[://]w7fzc[.]info/fU8rPoxD35

hxxp[://]w4fza[.]info/jdSdORwYco

hxxp[://]t9fzc[.]info/Hxpl1o5BD2

hxxp[://]eb31g[.]com/kbLAFmo4Ir

hxxp[://]gh18n[.]com/LtEYd8wmA5

 

Landing Page IPs (hosted on .best / .today TLDs):

3[.]233[.]37[.]12

104[.]21[.]29[.]241

 

Sample Landing Page URLs (Desktop):

hxxps[://]boot-upextremely-bestprogressivefile[.]best/uim0AfFkHwfxTeqfd8Q4XELJ60aE4zNesPm7hMpvzaU?cid=71c7b44bf1e965b9afc7a61c63d26f98&sid=14872535

hxxps[://]boot-upnewest-bestextremelyfile[.]best/yJmtjUqT15z23HF9oHcxRXL0hiJfhbK010nUOq99M60?cid=09e93672f5d209ac48f4f7751a109c6f&sid=14872535

hxxps[://]boot-uporiginal-bestoverlyfile[.]best/zlzPDmrPvKfxNouZCNqRJx5_rYYjjCCQlcH7LCSRvH0?clck=401228329111265625&sid=3877104

hxxps[://]boot-upgreatly-bestlatestfile[.]best/rRoVk9jjBC9piCZuupV3NpxwMio9v49EQjoUcwvEXJQ?cid=65562769b11b8011f6c59dce3b2f751d&sid=15888588

 

Sample Landing Page URLs (Mobile):

hxxps[://]usps-na[.]winnerof[.]today/mm/u25k7hbp/index[.]php

hxxps[://]ups-na[.]winnerof[.]today/mm/k9bcvi9c/index[.]php?clickid=out&crid=80002437&cg=T2B8T38q0npYJ7&source=187425779&target=ts5603-sms-a-3-us&camid=59639&br=Unknown&ca=Unknown&lpkey=160d173c74f1044011&clickcost=0[.]06&s2=de03b2tbzdubgi47eb&s3=27&s4=80002437&s5=US&s6=1&domain=redirect[.]winnerof[.]today&uclick=2tbzdubgi4&uclickhash=2tbzdubgi4-2tbzdubgi4-16ir-0-e2ci-gmzwwj-gmikwj-d5d8f8&user=bc9b36b878374b8e85cc3f2ece0f9aa6&country=en

hxxps[://]fedex-na[.]winnerof[.]today/mm/h26slqns/index[.]php
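The IOCs above share patterns that a defender can act on before categorization vendors turn the URL red: five-character letter-and-digit domain labels on .info/.com with ten-character random paths, carrier names used as subdomains of an unrelated .today domain, plain HTTP on the initial hop, and long one-time tokens plus click-tracking parameters on the .best landing pages. The following Python is an added example written for this post, not Menlo Labs tooling: it refangs the defanged notation used in the IOC list, scores each URL against those patterns, and ranks a batch. The brand list, the allowlist of legitimate brand domains, the suspect-TLD list, the tracking-parameter names and the thresholds are assumptions for illustration.

```python
import math
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed triage heuristics written for this article, not a vendor's categorization engine.
# BRANDS, LEGIT_DOMAINS, SUSPECT_TLDS, TRACKING_KEYS and the thresholds below are assumptions;
# a production version would take them from your own brand inventory and a public-suffix list.
BRANDS = ("usps", "fedex", "ups", "amazon")
LEGIT_DOMAINS = {"usps.com", "fedex.com", "ups.com", "amazon.com"}
SUSPECT_TLDS = {"best", "today", "info", "top", "xyz"}
TRACKING_KEYS = {"cid", "sid", "clickid", "clck", "camid", "lpkey", "uclick", "clickcost"}


def refang(ioc: str) -> str:
    """Turn the defanged notation used in the IOC list (hxxp, [://], [.]) back into a URL."""
    url = re.sub(r"^hxxp", "http", ioc.strip(), flags=re.IGNORECASE)
    return url.replace("[://]", "://").replace("[.]", ".")


def _entropy(text: str) -> float:
    """Shannon entropy in bits per character; random tokens score high, words score low."""
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())


def score_url(ioc: str):
    """Return (score, reasons) for one URL; each matched heuristic adds one point."""
    parts = urlsplit(refang(ioc))
    host = parts.hostname or ""
    labels = host.split(".")
    tld = labels[-1]
    sld = labels[-2] if len(labels) > 1 else host
    registrable = ".".join(labels[-2:])  # naive eTLD+1; assumes no public-suffix list available
    reasons = []
    if parts.scheme == "http":
        reasons.append("plain-http")
    if tld in SUSPECT_TLDS:
        reasons.append(f"suspect-tld:{tld}")
    # carrier or retailer name in a subdomain of a registrable domain the brand does not own
    hits = sorted(b for b in BRANDS if any(b in lbl for lbl in labels[:-2]))
    if hits and registrable not in LEGIT_DOMAINS:
        reasons.append("brand-in-subdomain:" + ",".join(hits))
    # short throwaway domain mixing letters and digits, like w7fzc.info or eb31g.com
    if len(sld) <= 6 and re.search(r"\d", sld) and re.search(r"[a-z]", sld):
        reasons.append("short-random-domain")
    # long high-entropy first path segment, like /fU8rPoxD35 or the one-time landing tokens
    first_seg = parts.path.strip("/").split("/")[0]
    if (len(first_seg) >= 10 and re.fullmatch(r"[A-Za-z0-9_-]+", first_seg)
            and _entropy(first_seg) > 3.0 and re.search(r"\d", first_seg)):
        reasons.append("random-path-token")
    # affiliate/click-tracking parameters typical of traffic-distribution systems
    if len(TRACKING_KEYS & set(parse_qs(parts.query))) >= 2:
        reasons.append("affiliate-tracking-params")
    return len(reasons), reasons


def triage(iocs):
    """Score a batch of (defanged) URLs and return (score, reasons, url) rows, highest first."""
    rows = [(*score_url(u), refang(u)) for u in iocs]
    return sorted(rows, key=lambda row: row[0], reverse=True)


# Sample input: defanged IOCs copied from the list above, plus one benign control URL (constructed).
SAMPLE_IOCS = [
    "hxxp[://]w7fzc[.]info/fU8rPoxD35",
    "hxxp[://]eb31g[.]com/kbLAFmo4Ir",
    "hxxps[://]usps-na[.]winnerof[.]today/mm/u25k7hbp/index[.]php",
    "hxxps[://]boot-upextremely-bestprogressivefile[.]best/uim0AfFkHwfxTeqfd8Q4XELJ60aE4zNesPm7hMpvzaU"
    "?cid=71c7b44bf1e965b9afc7a61c63d26f98&sid=14872535",
    "https://www.usps.com/",
]

if __name__ == "__main__":
    for score, reasons, url in triage(SAMPLE_IOCS):
        print(f"{score}  {url}\n    {', '.join(reasons) or 'no indicators'}")
```

Run as a script, the five sample URLs come out with scores 4, 3, 3, 2 and 0, the USPS control last. Treat the score as a triage signal, not a verdict: substring brand matching and a two-label registrable-domain guess will misfire on legitimate hosts, so it belongs in front of an isolation or warning decision for links arriving by SMS, not in a hard blocklist.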

 

Conclusion

With the surge in remote work over the last year, we are seeing growth in both mobile smishing and phishing attacks. People are more likely to use personal devices for work, and being off the corporate network may also make them more vulnerable. Mobile devices and browsers are an enticing target for attackers looking to exploit zero days and run socially engineered phishing attacks, yet in many organizations mobile security is treated as an afterthought. To help combat these attacks, we recommend that companies look at deploying a mobile browser isolation solution designed to eliminate the threat of smishing, phishing, and malware when users access the Internet and email from smartphones and tablets.

Tips for Protecting Your Company and Users from Smishing

    • Invest in visibility solutions from trusted security vendors that extend to mobile devices.
    • Adopt a Zero Trust architecture for mobile devices.
    • Train your users and build awareness so they resist the temptation to click links in text messages from unknown senders.

Menlo Labs provides insights, expertise, context, and tools to aid customers on their journey to connect, communicate, and collaborate securely without compromise. Learn more about this elite collective and their work in the Isolation Security Operations Center.

 
