PayPal SMiShing Attack: A Closer Look

If you’ve been reading our blog, you’ll recall that not too long ago we dug into a SMiShing attempt that was unusual because of its use of punycode. That previous article also discussed what SMiShing is, the victim impact of this activity from the FBI’s Internet Crime Report, and the ways spammers/scammers get your phone number; click here to get up to speed on that information.

In this article, we’re going to pick apart a run-of-the-mill SMiShing attempt to show you what you can learn from what’s contained in the text message. We’re going to redact a lot of stuff here as we work through the searchable information in the text message that was received, but we’ll explain what it is that we’re doing should you find yourself having to research something. Also a warning. DO NOT browse to any of the links/domain names contained in the screenshots. We also link to some threat analysis information that contains IP addresses, hosts, and domain names related to the SMiShing text. DO NOT browse to these either.

Firstly, if you suspect that an incoming text message is spam or a scam, delete it. Don’t open the message. You risk infecting your device and having data stolen. What you’re seeing in the redacted screenshot of the text is only the message preview from the notification.

What this SMiShing attempt is trying to do is impersonate PayPal. If anyone reading this ever gets a suspicious text or email from someone pretending to be PayPal, PayPal has a web page with information on how to submit these suspicious communications: https://www.paypal.com/us/security/report-suspicious-messages.

As with the punycode attack we picked apart, we started with looking at the sender contact information. Searching for this contact info and picking it apart has the potential to reveal people reporting similar attempts. It can also give us clues as to the technical infrastructure the attacker is using.

It’s Dorkin’ time!

Hitting up the usual suspects among search engines (Google, Bing, DuckDuckGo, etc.) returns no usable results for the email address.

The next thing to check is whether the email address is valid. There are several email verification tools out there that will check this. MXtoolbox is a good place to start. As far as results, the services we looked at for email verification report that the address doesn’t exist.

Searching the text of the text message only returns articles from PayPal and other web pages warning about scams.

A reverse image search doesn’t turn up any results of people sharing similar screenshots.

A level deeper

Let’s start taking a look beyond what search engines may show.

In this SMiShing text there are two domain names.

The first is the domain name in the email address, and we can eliminate that one since it doesn’t exist. That leaves us with the link in the text.

A WHOIS lookup of this domain name doesn’t reveal much information as it’s behind a privacy guard. What we do know is this entity used the domain name registrar namecheap when buying the domain name. We also know that it was created on July 10th, 2022 and it expires on July 10th, 2023. The registrant country (IS) is Iceland, but this does not necessarily mean the entity behind the domain name is from Iceland. Also listed is namecheap’s abuse email address and phone number. It’s important to know how to access this information should you need to report something malicious.

Using VirusTotal, only one vendor flagged the URL as malicious, but no other useful information is available.

Alienvault’s Open Threat Exchange (OTX) labels the domain name as a “Suspicious TLD.” TLD stands for “Top Level Domain” (e.g. .com, .net, .org).
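As an added illustration (not the blog’s own tooling), here is a small Python triage helper that pulls the WHOIS fields discussed above (registrar, creation and expiry dates, registrant country, abuse contact) out of a WHOIS record and flags a recently registered domain, a minimum one-year term, or a suspicious TLD. The WHOIS text, the TLD list and the 90-day threshold are constructed assumptions for the demo, not data from the real message.

```python
import re
from datetime import date

# Constructed WHOIS output for illustration; it copies the field names that
# registrar WHOIS servers emit but is not the real record for the SMiShing domain.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-LINK.XYZ
Registrar: NameCheap, Inc.
Creation Date: 2022-07-10T14:22:05Z
Registry Expiry Date: 2023-07-10T14:22:05Z
Registrant Country: IS
Registrar Abuse Contact Email: abuse@registrar.invalid
"""

# TLDs a threat feed might label "suspicious"; an assumption for the demo.
SUSPICIOUS_TLDS = {"xyz", "top", "icu", "cfd", "buzz"}

def parse_whois(text: str) -> dict:
    """Pull 'Key: value' WHOIS lines into a dict keyed by lower-cased name."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z ]+?):\s*(.+?)\s*$", line)
        if m:
            fields[m.group(1).lower()] = m.group(2)
    return fields

def triage_domain(whois_text: str, seen_on: str, young_days: int = 90) -> dict:
    """Score a link domain by registration age, term and TLD; seen_on is ISO date."""
    f = parse_whois(whois_text)
    seen = date.fromisoformat(seen_on)
    created = date.fromisoformat(f["creation date"][:10])
    expires = date.fromisoformat(f["registry expiry date"][:10])
    domain = f["domain name"].lower()
    tld = domain.rsplit(".", 1)[-1]
    age = (seen - created).days
    flags = []
    if age < young_days:                  # fresh domains are a classic phishing tell
        flags.append(f"registered {age} days before the message")
    if (expires - created).days <= 366:   # bought for the minimum one-year term
        flags.append("one-year registration only")
    if tld in SUSPICIOUS_TLDS:
        flags.append(f"suspicious TLD .{tld}")
    return {"domain": domain, "registrar": f.get("registrar"),
            "country": f.get("registrant country"),
            "abuse_email": f.get("registrar abuse contact email"),
            "age_days": age, "flags": flags}

if __name__ == "__main__":
    print(triage_domain(SAMPLE_WHOIS, "2022-07-25"))
```

The abuse contact comes back in the result so you have it at hand when reporting the domain to the registrar.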

While we aren’t going to explore the malicious site itself, one of a few things is going to happen if someone does browse to it:

  • Your device will be infected with malware which may be used to steal data.
  • You’ll be directed to a web page and asked to fill in sensitive information (e.g. username/password, social security number, driver’s license/passport info, credit/debit card information, bank account information).
  • A combination of the first two points.

To close out this article, here are some additional sources for reporting incidents like this, especially if you suspect that you’re a victim.

Lastly here are a few things you can do to protect yourself against SMiShing:

  • SLOW DOWN! Take a few seconds to pause for a bit and truly look at what was just texted to you and look at it logically. Is this a text you were expecting? Does it sound like the person or company that is texting you? Does the domain name match the real domain name of a business?  In fact, just report and/or delete the text message.
  • Ensure you have anti-malware installed on your phones.
  • Make sure that your phone is up to date, along with the applications installed on it.
  • DO NOT use any of the contact information in the SMiShing text.
  • Ensure two-factor authentication is enabled.
  • If you’re a business, invest in security awareness training for employees so they’re up to date on how to recognize and report stuff like this.

While the above points are not exhaustive, these are good first steps to set in motion.

If you found this interesting, or helpful, sign up for our cybersecurity and intelligence newsletter to keep up to date with things. Here’s the sign-up link https://bsquaredintel.com/newsletter-signup/

To learn more about how our cybersecurity and intelligence services help you, your family, your business, or your law firm, use the form below to contact us. We look forward to chatting with you.
