SMS Phishing – A real world kill chain review

A few days ago as I was walking out to the door headed to a meeting when my phone dinged.  It was a new SMS message that read “do not show anybody i sent that” and contained a linked.  It came from a number not in my contact list so I just ignored and thought I would revisit after my meeting.

Being a security professional I’ve seen too many phishing scams to count, and am aware that it’s not wise to click on links that are unfamiliar.  Most internet users these days are aware to stay away from email from unknown sources and most email providers do a decent job in filtering out these unwanted scams.  SMS however is the wild west and our ISP are doing little to help.  The good news is that the there is a federal bill that was reintroduced that will help stop robocalls and unwanted texts.  The text for the bill states, “The term ‘robocall’ means a call made (including a text message sent)—”  If you want to read the bill it can be found here

The text message I received was from (816.766.0680) which appears to be a US number with area code in Kansas.  I personally use Hiya to help detect/block unwanted calls and this number wasn’t listed in their database of bad numbers.  I searched different reverse lookup systems for known spam numbers and nothing flagged this as malicious.  In talking with family and friends this is about as far as they would take this and since nothing was found malicious the likelihood of clicking on the link would increase.

I wanted to jump into my sandbox environment were I do threat research to find out more about this scam.  There was no way I was going to click on this via my phone and risk malware getting on my device.  The url was and once I logged into my sandbox I started my research. Looking at WhoIs and not surprising there was “No data available” concerning this domain.

Doing a DNS DIG led me to this IP address:


; EDNS: version: 0, flags:; udp: 4096


; IN A


This address is for AWS which is used by scammers as it’s easy to spin up and down websites to use in malicious activity.  Organizations are not going to block AWS as it’s used across enterprises for all types of cloud computing.  Visiting the link provided by the SMS phish took me to a site survey that indicated that I would receive $1,000 Walmart reward card for completing a survey.  Since this was a SMS scam the bad actor was targeting Android users in the hope that they would click on the link.

Looking at the source code the page manipulates the browser history through the pushState introduced in HTML5.  If the user clicks back or forward it would replace and redirect to function (b).  Code extracted from the page shows this technique: {history.pushState({},””,”#”)}onpopstate=function(b){b.state&&location.replace(“#”)} — In this case the code looks to focus on Android devices…

These redirects can send visitors to a range of rootkit distribution gateways (Exploit Kits), inadvertent ads, pop-ups, unauthorized scripts and much more.  This an injection based attack and should be monitored using File Integrity Monitoring systems.

I continued following the scam which loaded the site  To make the site look more legit the scammer pulled in what would look like to be feeds from Facebook where users were saying how they actually received gift cards.  At a first glance it’s easy to think that this is indeed real.  Again looking the code the scammer is simply creating a look and feel similar but just using static text to mimic this behavior.





I thought it was worth doing more digging and seeing if this is known bad in the security community.  Looking to ProjectHoneypot to see if any of the associated IP address are known.  ProjectHoneyPot, “Project Honey Pot is a web-based honeypot network. It uses software embedded in web sites. It collects information about the IP addresses used when harvesting e-mail addresses in spam, bulk mailing, and other e-mail fraud. The project also solicits the donation of unused MX entries from domain owners.”

In looking through the associated IPs several came up on as known.  


Following the scam to the point of where they tried to collect personal information led me to — Trying to make the site look legitimate they use trusted logos like Visa and call themselves the National Consumer Center.  Researching this further led me to several articles talking about these types of scams.  These are well documented from the FTC and Consumer Reports

Researching is known to cause unwanted pop-ups, adware, etc.  There was a recent blog detailing this and how to remove these unwanted pop-ups / adware.

I also checked with other reputable sources to see if this is something that is known and should be blocked at corporate firewalls and proxies.  According to McAfee this is an infected site that should be avoided.  To make things more difficult we can see this site is again being fronted by Cloudflare.  Cloudflare is a well known CDN (content delivery network).  This adds another layer of obfuscation for the attacker.  


In conclusion it is a highly recommended to add SMS phish scams to your security awareness programs.  Attackers are constantly trying to use mobile compute and open Bring Your Own Device to work as a way to gain access.  You should also use DNS protection layers to detect when someone clicks on a malicious link.  None of this is a guarantee but will help to be proactive against these types of attacks.