“Don’t Click It”, Applies to SMS as Well: Anatomy of a Facebook / SMS Phish
For years we have been taught to be extra cautious when opening emails and not to click on links in unsolicited messages. Sadly this applies even to emails that appear to come from known sources (spear-phishing attempts). There are a number of “tells” one can look for when viewing the raw source of the email message; the less experienced can simply hover over the embedded links to make sure they at a minimum match the sender’s company website. Here is an example of a legitimate email sent by Facebook to reset a password. When hovering over the “Change Password” button you can see that the link will indeed direct you to a location on the facebook.com website. Given the recent proliferation of malicious apps that can be created and hosted on a social media platform, and the use of “open redirects”, it is no longer any guarantee that a link like the one shown below is 100% legitimate and non-malicious.
Here is an example of a poorly constructed but legitimate email asking customers to reset their passwords because of a recent security breach. Notice when hovering over the links in the email that the reset link is not even close to matching the company website and its usual login link. Presumably this company chose to use a third-party service to send the email to all of its customers. If I were to get an email like this I would not be comfortable clicking on that link and would instead go directly to my Cozmoslabs account in a web browser and log in that way. Ninety-nine times out of a hundred, if the alert is legitimate, you will see the same alert and instructions on what to do next by going directly to your account profile page. In our opinion you should NEVER use a third-party URL redirect or link shortener in a mass email to all your customers announcing an online security matter. This was not a well thought out strategy.
So this gets to the more interesting part of the story. For years now we have all been educated to be cautious about clicking on links in emails, or have at least gained some exposure to and understanding of the dangers of doing so without looking for the telltale signs of whether the email is legitimate.
However, the same cannot be said for SMS messages. With the advent of smartphones, mobile apps, and apps on your phone that are already authenticated, it is very easy to click on a link in an SMS message and very quickly get into a whole heap of trouble. Take for example this SMS message that was sent to someone’s phone a few days ago. It seems like a reasonably legitimate message coming from Facebook.
You can’t really hover over a link in an SMS message, and there really isn’t much you can do other than click on the link or not click on it. We all know that person who absolutely cannot resist answering their phone when it starts ringing. Whether it is the person standing in line at the Post Office, sitting in a movie theater, or picking up the phone and talking loudly right as your airplane is pulling away from the gate, it is those people who need instant gratification, or suffer from narcissism, who cannot resist answering their phone or clicking on that SMS text.
Someone with their Facebook app already open on their phone who cannot resist the urge to click on this SMS link could very quickly give a malicious actor access to their Facebook account and/or give up their Facebook login credentials. Someone with a little experience in information security who is familiar with link shorteners will notice fairly quickly the “bit.ly” portion of this link. Someone with even more experience might actually take that full shortened link, “bit[.]ly/2NjSA9V”, and see what it actually does. We of course did just that, and not too surprisingly the link did not send the user to a legitimate Facebook page. Instead, during our testing, we were sent to this rather odd web domain, “dulcegustovita[.]com”.
This of course is not a legitimate domain owned or managed by Facebook, and in our test the final landing page was a fake Facebook login page. If someone were to enter legitimate login credentials on this page, they would likely be sending their credentials to some unknown malicious actor. Our analysis of the redirection chain suggests it is very possible that, in the normal environment of a mobile device, clicking on that malicious link would result in slightly different behavior than just seeing a login page. We did not try to replicate this from an actual smartphone environment.
We reported this phishing operation the same day, June 22nd, and by the end of the day Google had its malicious-site warning up for that domain, dulcegustovita[.]com.
Analyzing the chain of redirection links, within a relatively safe and controlled environment, yielded the following sequence of URL requests before ending up on the final fake Facebook login page.
As one can see in the chain above, the bit.ly link shortener immediately redirects the user to the dulcegustovita[.]com domain, where a series of helper files are loaded to build the fake Facebook page. The primary executable is a PHP file whose query string carries an app token. It is possible this was a simple custom app created within a Facebook account to harvest credentials.
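The two checks described above, hovering to see whether a link really points at the sender’s domain and expanding a shortened link hop by hop to see where it lands, can be done safely in a script that never renders the landing page. The following is an added example, not code from the original post: it follows the redirect chain manually, records every hop, and then tests whether the final host belongs to the brand the message claims to be from. The `CONSTRUCTED_HOPS` table stands in for live HTTP so it runs offline; its URLs, the `.example` domain and the query-string name are assumptions modelled on the chain described, not the real responses.

```python
"""Follow a shortened link's redirect chain hop by hop, never executing page
content, and check whether the landing host belongs to the brand the message
claims to be from.

Added example; this is not code from the original post. fetch() here returns
constructed responses so the script runs offline; the URLs in CONSTRUCTED_HOPS
are assumptions modelled on the chain the post describes.
"""
from urllib.parse import urljoin, urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}


def host_belongs_to(url, expected_domain):
    """True only if the URL's host is expected_domain or a subdomain of it.

    urlparse().hostname strips userinfo and port, so a lure such as
    https://facebook.com@evil.example/ resolves to evil.example, and a plain
    substring test is avoided so www.facebook.com.evil.example also fails.
    """
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    expected = expected_domain.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)


def follow_redirects(start_url, fetch, max_hops=10):
    """Return every URL visited, starting with start_url.

    fetch(url) must return (status_code, headers_dict) and must NOT follow
    redirects itself; each hop is followed here so that every intermediate
    host is recorded and no response body is ever parsed or executed.
    """
    chain = [start_url]
    seen = {start_url}
    url = start_url
    for _ in range(max_hops):
        status, headers = fetch(url)
        location = headers.get("Location")
        if status not in REDIRECT_CODES or not location:
            return chain                       # final landing page
        url = urljoin(url, location)           # Location may be relative
        if url in seen:
            raise RuntimeError("redirect loop at %s" % url)
        seen.add(url)
        chain.append(url)
    raise RuntimeError("more than %d hops; giving up" % max_hops)


def assess_link(start_url, fetch, expected_domain):
    """Expand the link and say whether the landing host belongs to expected_domain."""
    chain = follow_redirects(start_url, fetch)
    return {
        "chain": chain,
        "final": chain[-1],
        "legit": host_belongs_to(chain[-1], expected_domain),
    }


# Constructed responses standing in for live HTTP (assumed URLs, .example TLD).
CONSTRUCTED_HOPS = {
    "https://bit.ly/EXAMPLE": (301, {"Location": "https://dulcegustovita.example/"}),
    "https://dulcegustovita.example/": (302, {"Location": "/login.php?app_token=PLACEHOLDER"}),
    "https://dulcegustovita.example/login.php?app_token=PLACEHOLDER": (200, {}),
}


def offline_fetch(url):
    """Stand-in for a real fetch; see the note below for live use."""
    return CONSTRUCTED_HOPS[url]


if __name__ == "__main__":
    result = assess_link("https://bit.ly/EXAMPLE", offline_fetch, "facebook.com")
    for i, hop in enumerate(result["chain"]):
        print("%d. %s" % (i, hop))
    print("landing host belongs to facebook.com:", result["legit"])
```

For a live expansion, swap `offline_fetch` for a function that issues a single request with redirects disabled, for instance `r = requests.get(url, allow_redirects=False, timeout=10)` and `return (r.status_code, r.headers)`, and run it from a disposable analysis VM without your real cookies or user agent. Keeping the client from following redirects on its own is the point: it is the intermediate hosts, not just the final page, that tell you who is in the chain.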
Further OSINT analysis of the “dulcegustovita[.]com” domain and associated web code, using WHOIS tools and threat-analysis tools such as RiskIQ, revealed only that the domain was registered the same day the phishing kit and operation were deployed, June 22nd. The domain was registered through the common domain name registrar NameCheap (namecheap.com), coupled with the WhoisGuard private registration service out of Panama.
The domain and web code were deployed almost immediately after registration was completed to a shared IP address, 199.188.200[.]223, also at NameCheap. Most of the web code was likely just scraped from Facebook and reassembled on a disposable web hosting account set up on a NameCheap shared server.
The subdomain “mail.dulcegustovita[.]com” was also used, and two related SPF records for IP addresses also belonging to the NameCheap network were created. It is likely that the harvested Facebook credentials were then simply emailed to a disposable mailbox elsewhere under the control of the malicious actors. Without analysis of the app token by Facebook or a subpoena to NameCheap, the OSINT trail ends here for now. One final note: the domain name seems to be an amalgamation of the Spanish words “Dulce Gusto” (“sweet taste”) and “Vita”. Italian (“Dolce Gusto Vita”) would be a close second, minus the misspelling of “Dolce”, and “vita” is in fact the Italian word; “life” in Spanish is “vida”.
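The SPF lead above is the kind of DNS artifact worth pulling apart programmatically: the `ip4:`/`ip6:` mechanisms in a TXT record name the addresses the actor intends to send mail from, and comparing them against the hosting provider’s range tells you whether the mail path stays on the same disposable infrastructure. The following is an added example, not code from the original post; the SPF string and the hosting network are constructed from documentation address ranges, not the real records for the domain discussed here.

```python
"""Extract the ip4:/ip6: mechanisms from an SPF TXT record and report which
of them sit inside a given hosting network.

Added example; not code from the original post. The record and the network
below are constructed with documentation address ranges, not the real
records for the domain discussed above.
"""
import ipaddress

QUALIFIERS = "+-~?"


def spf_networks(txt):
    """Return (networks, other_terms) for one SPF record string."""
    terms = txt.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % txt)
    networks, other = [], []
    for term in terms[1:]:
        body = term.lstrip(QUALIFIERS)          # drop a leading +, -, ~ or ?
        mech, _, value = body.partition(":")
        if mech.lower() in ("ip4", "ip6") and value:
            # strict=False accepts host bits set, e.g. 203.0.113.5/24
            networks.append(ipaddress.ip_network(value, strict=False))
        else:
            other.append(term)                  # include:, a, mx, all, ...
    return networks, other


def networks_within(networks, hosting_cidr):
    """Networks from the SPF record that fall inside hosting_cidr."""
    hosting = ipaddress.ip_network(hosting_cidr)
    return [n for n in networks
            if n.version == hosting.version and n.subnet_of(hosting)]


# Constructed record (RFC 5737 / RFC 3849 documentation ranges), not a real lookup.
CONSTRUCTED_SPF = ("v=spf1 a mx ip4:203.0.113.45 ip4:198.51.100.0/24 "
                   "ip6:2001:db8:1::/48 include:_spf.example ~all")
CONSTRUCTED_HOSTING = "203.0.113.0/24"   # assumed hosting provider range


def report(txt=CONSTRUCTED_SPF, hosting_cidr=CONSTRUCTED_HOSTING):
    """Summarise which SPF senders live inside the hosting network."""
    nets, other = spf_networks(txt)
    return {
        "all_networks": [str(n) for n in nets],
        "in_hosting_net": [str(n) for n in networks_within(nets, hosting_cidr)],
        "other_terms": other,
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```

To run it against a real domain, fetch the record with `dig +short TXT mail.<domain>` and pass the string in with its surrounding quotes stripped; `include:` terms are reported rather than resolved, so follow them by hand if the record delegates to another domain.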