Researcher: {Alan Ho}
Smishing, or SMS phishing, is the act of committing text message fraud to try to lure victims into revealing account information or installing malware. Similar to phishing, cybercriminals use smishing, the fraudulent attempt to steal credit card details or other sensitive information, by disguising as a trustworthy organization or reputable person in a text message.
ref: https://www.barracuda.com/glossary/smishing
Real Case Analysis
We often receive SMS that tell us there are some issues about the delivery from SF-Express.
We’d like to know about what information the attacker wants.
When we clicked into it (We tested it in a laptop instead of mobile phone), it will open a page which shows the delivery status and requires user to update the address.
So we clicked and update the delivery address. We also filled in the details
Then continued to the next page. WTF it asked us to input the credit card information too 😒
We submitted the credit card info and waited …
A few moments later, it redirected back to the index page.
Quick Analysis
We start with basic analysis, view source … Since it stuck for a few moments in wait.html, we take look in the HTML source.
The wait.html will do redirect according the status code returned, so we check /index/index/getRecord too.
Ok, “data” is “null”, from wait.html, it will go back to index.html. After viewing the source, we just click around and change the URL until we found different errors.
Try another URL, and seems we got some detailed information. (we simply removed /index/ from the URL (/index/index/getRecord) we found in wait.html
From Server/Request Data, we can the attacker server address (we blurred the Remote Address which was our IP Address)
Quick nmap
We also learned that it’s using thinkphp 5.0.24
We did some research and found that there are other vulnerabilities for 5.0.24, but no RCE for 5.0.24 (yet) 🥲 Anyway we also check other ports.
Anyways, we did a quick check on the attacker servers and got some knowledge of the infrastructure of such SMS phishing servers.
Recommendations
The SMS phishing this time is more like a common for the public, not really a spear-phishing type.
As normal users, be aware of strange SMS which requires you to fill in personal information. Check the tracking no. from official website, or even contact official customer service to verify. (of course you can simply ignore if you did not do any online shopping …) And pay extra caution if it’s asking for credit card details which normal company will not do.
As network administrators / cybersecurity analyst, you may block the attacker IP address in your Firewall / IPS, also report it as spam.
