A few days ago, as I was heading out the door to a meeting, my phone dinged with a new SMS message. The message read: “Do not show anybody I sent that,” and included a link. It came from a number not saved in my contacts, so I decided to ignore it and revisit it after my meeting.
As a security professional, I’ve encountered more phishing scams than I can count and know better than to click on unfamiliar links. Most internet users today understand the dangers of emails from unknown sources, and email providers do a decent job of filtering out unwanted scams. However, SMS is still the wild west, with ISPs doing little to protect users.
The good news is that a federal bill has been reintroduced to help combat robocalls and unwanted text messages. According to the bill’s text, “The term ‘robocall’ means a call made (including a text message sent)…” If you want to read the bill it can be found here —
The text message I received was from (816.766.0680) which appears to be a US number with area code in Kansas. I personally use Hiya to help detect/block unwanted calls and this number wasn’t listed in their database of bad numbers. I searched different reverse lookup systems for known spam numbers and nothing flagged this as malicious. In talking with family and friends this is about as far as they would take this and since nothing was found malicious the likelihood of clicking on the link would increase.
I wanted to jump into my sandbox environment were I do threat research to find out more about this scam. There was no way I was going to click on this via my phone and risk malware getting on my device. The url was http://neumll.kim/iekgj5 and once I logged into my sandbox I started my research. Looking at WhoIs and not surprising there was “No data available” concerning this domain.
Doing a DNS DIG led me to this IP address:
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;neumll.kim. IN A
;; ANSWER SECTION:
neumll.kim. 1632 IN A 3.19.90.242
This address is for AWS which is used by scammers as it’s easy to spin up and down websites to use in malicious activity. Organizations are not going to block AWS as it’s used across enterprises for all types of cloud computing. Visiting the link provided by the SMS phish took me to a site survey that indicated that I would receive $1,000 Walmart reward card for completing a survey. Since this was a SMS scam the bad actor was targeting Android users in the hope that they would click on the link.
Looking at the source code the page manipulates the browser history through the pushState introduced in HTML5. If the user clicks back or forward it would replace and redirect to function (b). Code extracted from the page shows this technique: {history.pushState({},””,”#”)}onpopstate=function(b){b.state&&location.replace(“#”)} — In this case the code looks to focus on Android devices…
These redirects can send visitors to a range of rootkit distribution gateways (Exploit Kits), inadvertent ads, pop-ups, unauthorized scripts and much more. This an injection based attack and should be monitored using File Integrity Monitoring systems.
I continued following the scam which loaded the site yt.tweeche.com. To make the site look more legit the scammer pulled in what would look like to be feeds from Facebook where users were saying how they actually received gift cards. At a first glance it’s easy to think that this is indeed real. Again looking the code the scammer is simply creating a look and feel similar but just using static text to mimic this behavior.
I thought it was worth doing more digging and seeing if this is known bad in the security community. Looking to ProjectHoneypot to see if any of the associated IP address are known. ProjectHoneyPot, “Project Honey Pot is a web-based honeypot network. It uses software embedded in web sites. It collects information about the IP addresses used when harvesting e-mail addresses in spam, bulk mailing, and other e-mail fraud. The project also solicits the donation of unused MX entries from domain owners.”
In looking through the associated IPs several came up on as known.
Following the scam to the point of where they tried to collect personal information led me to www.surveysandpromotions.com — Trying to make the site look legitimate they use trusted logos like Visa and call themselves the National Consumer Center. Researching this further led me to several articles talking about these types of scams. These are well documented from the FTC and Consumer Reports…
Researching SurveysandPromotions.com is known to cause unwanted pop-ups, adware, etc. There was a recent blog detailing this and how to remove these unwanted pop-ups / adware. https://malwaretips.com/blogs/remove-national-consumer-center-virus/
I also checked with other reputable sources to see if this is something that is known and should be blocked at corporate firewalls and proxies. According to McAfee this is an infected site that should be avoided. To make things more difficult we can see this site is again being fronted by Cloudflare. Cloudflare is a well known CDN (content delivery network). This adds another layer of obfuscation for the attacker.
In conclusion it is a highly recommended to add SMS phish scams to your security awareness programs. Attackers are constantly trying to use mobile compute and open Bring Your Own Device to work as a way to gain access. You should also use DNS protection layers to detect when someone clicks on a malicious link. None of this is a guarantee but will help to be proactive against these types of attacks.