SF-Express SMS Phishing and Real Case Analysis

4 min readOct 27, 2022

Researcher: {Alan Ho}

Smishing, or SMS phishing, is the act of committing text message fraud to try to lure victims into revealing account information or installing malware. Similar to phishing, cybercriminals use smishing, the fraudulent attempt to steal credit card details or other sensitive information, by disguising as a trustworthy organization or reputable person in a text message.
ref: https://www.barracuda.com/glossary/smishing

Real Case Analysis

We often receive SMS that tell us there are some issues about the delivery from SF-Express.

sms received

We’d like to know about what information the attacker wants.
When we clicked into it (We tested it in a laptop instead of mobile phone), it will open a page which shows the delivery status and requires user to update the address.

So we clicked and update the delivery address. We also filled in the details

Then continued to the next page. WTF it asked us to input the credit card information too 😒

We submitted the credit card info and waited …

A few moments later, it redirected back to the index page.

back to index page

Quick Analysis

We start with basic analysis, view source … Since it stuck for a few moments in wait.html, we take look in the HTML source.

The wait.html will do redirect according the status code returned, so we check /index/index/getRecord too.

Ok, “data” is “null”, from wait.html, it will go back to index.html. After viewing the source, we just click around and change the URL until we found different errors.

/indexa, nothing interesting

Try another URL, and seems we got some detailed information. (we simply removed /index/ from the URL (/index/index/getRecord) we found in wait.html

From Server/Request Data, we can the attacker server address (we blurred the Remote Address which was our IP Address)
Quick nmap

We also learned that it’s using thinkphp 5.0.24

We did some research and found that there are other vulnerabilities for 5.0.24, but no RCE for 5.0.24 (yet) 🥲 Anyway we also check other ports.

OpenSSH 7.4
haha, https also works
port 888 nothing
port 8888, no ideas yet

Anyways, we did a quick check on the attacker servers and got some knowledge of the infrastructure of such SMS phishing servers.


The SMS phishing this time is more like a common for the public, not really a spear-phishing type.

As normal users, be aware of strange SMS which requires you to fill in personal information. Check the tracking no. from official website, or even contact official customer service to verify. (of course you can simply ignore if you did not do any online shopping …) And pay extra caution if it’s asking for credit card details which normal company will not do.

As network administrators / cybersecurity analyst, you may block the attacker IP address in your Firewall / IPS, also report it as spam.




VXRL Team is founded by group of enthusiastic security researchers, providing information security services and contribute to the community. https://www.vxrl.hk