It’s been a while since we’ve done anything investigative, so in this article we’re going to pick apart a SMiSHing attempt we received. This one is a little more on the technical side because punycode is used in this attack, so we’ll do our best to break it down. Because this attempt is so poorly executed, it brings up more questions than answers, so brace yourself for an inconclusive outcome.
Before we get started, some of the screenshots we’re sharing have the potential to harm your systems and/or steal sensitive data. DO NOT BROWSE TO ANY URLS OR USE ANY OF THE CONTACT INFO in any of the SMiSHING screenshots. If you do, you do so at your own risk. This article is only meant to show you some investigative tools and techniques. Lastly, we aren’t going to visit these phishing sites, for obvious reasons, and malware analysis isn’t our strong point.
To begin, SMiShing is a portmanteau of SMS (Short Message Service; plainly, texting) and phishing. In short, this is phishing over text messages. Phishing is a subset of Social Engineering, for those of you that are new to this world. When we talk about Social Engineering in the cybersecurity/cybercrime sense, there are two optimal outcomes. The first is the bad actor getting you to give up something sensitive, like passwords. The second is getting you to do something that’s out of character for you, like clicking/tapping on a malicious link. Social Engineering is exploiting human behavior.
How lucrative is Social Engineering?
Well, according to the FBI’s 2021 Internet Crime Report, Social Engineering (Phishing/Vishing/Smishing/Pharming) was responsible for 323,972 victim complaints. The activity resulted in $44,213,707 in victim losses [Source: FBI].
The next question on your mind is probably “How did they get my number?”
A bad actor can get your number a few ways:
- From a data breach.
- Infecting the phone of someone associated with you, collecting their contact list, and then sending out the SMiShing text to all of the contacts.
- Using programs to scrape various platforms for phone numbers.
- In a more targeted approach, manually going through the platforms you use to find your number and other information to custom craft a malicious text. Technically this is spear SMiShing because this is extremely targeted. The others we listed above are like casting a wide net and hoping several people get caught in it, but the success rate drops in those instances.
If you’re still with us, let’s get to the good stuff. Here’s the text message we received:
The first thing we can pick apart is the email address. Strict query searches, which put quotation marks around the keyword(s), tell search engines to return only results that exactly match what you’re looking for. With our target email address, this leads us nowhere on Google, Bing, DuckDuckGo, and Yandex.
We can also check the mail exchange (MX) record to get more technical information, such as the hostname of the mail server for the email address and its IP address. One tool to help find this info is MX Toolbox.
As you see in the results, the hostname is gmail-smtp-in.l.google.com and it resolves to the following IP address 172.253.63.26.
We also have another thing to look at: domain names.
Because gmail.com and google.com are both owned by Google, a WHOIS lookup on both reveals nearly identical results, with the exception of the domain name expiration dates, as you can see in the side-by-side comparison screenshot. What we would hope to see when looking at a domain name registration record are things like contact information that isn’t behind a privacy guard. With respect to our SMiShing text, if the email address had a custom domain name, in an ideal world we’d like to see it in a domain name registration record because that would help identify any other domain names they operate. We digress. Let’s see what else is available to us that’s of value in these records.
There is more information we can use, such as the name servers and resolving them to IP addresses. We can do the same for the domain names themselves and find what their IP addresses are.
The IP addresses, domain names, mail server host, and name servers are also searchable. Because this is Google, there won’t be any interesting results; however, here are some resources you can try to get used to threat hunting: Alienvault’s OTX [Link] and VirusTotal [Link]. These sources tell you whether anything malicious is associated with your findings, along with anything else of relevance to your search.
Now we get to the interesting part, the text of the text message. There isn’t any sort of message itself that would entice someone to open up the link with the exception of pure curiosity. Speaking of which, the link looks pretty jacked up.
There is one little clue in the link that makes this really interesting.
In the URL there are a few characters that are important. They are “xn--.”
“xn--” is an indicator that punycode is used to create the domain name portion of this URL.
What is punycode?
In a very watered down explanation, punycode is a way to create domain names in languages that use characters like the umlaut (Ö) or don’t use the Latin alphabet, like Greek (e.g. γεια, which translates to “hi”). Domain names with characters like these have to be encoded using only letters and digits (a-z, 0-9), as the Domain Name System (DNS) has a limited character set. The only special character that is permitted is a hyphen (-).
If we use our Greek “hi” (γεια) example, in punycode it looks like xn--mxadgq.
How does punycode relate to phishing?
Some letters from different languages look like letters in the Latin alphabet. For example, in Cyrillic the letter “er” (р) looks exactly like the Latin letter “p.” Let’s say that there’s a company called Pet Example. Their domain name could be petexample.com. Someone creating a phishing site to look like this domain name could use punycode in order to leverage the Cyrillic letter “er” as a substitute for the first Latin “p” in the name. The result is xn--etexample-k3h.com. You can play around converting things into punycode with this converter: https://dnschecker.org/idn-punycode-converter.php
But that doesn’t look anything like petexample, and you’re right if you’re thinking that. How can someone be fooled then? It all comes down to how your web browser renders punycode. If your web browser, regardless of the device you’re using, prevents punycode from rendering, the telltale sign is that you’ll see the prefix “xn--” followed by the encoded domain name. Top-level domains (TLDs) like .com, .net, .biz, etc. can also be encoded using punycode. If your web browser allows punycode to render domain names, then the tip you get from us security professionals to make sure these names are spelled correctly before visiting them goes out the window. It’s very difficult to detect.
With this crash course in punycode, let’s take a look at the SMiShing attempt again:
In the text we see “sz8hfa0a[.]xn--mk1bu44c/” followed by what looks like a “randomly” created directory name, and we have our punycode: xn--mk1bu44c.
The next step is to convert the punycode to text which is in the screenshot below.
The result is this: 닷컴
To figure out what this character is, we can use Google Translate.
As you can see in the screenshot, the character is Korean for “dot com.” This is punycode for a TLD.
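The same conversion can be done offline, without pasting a suspicious host into a web converter. The Python sketch below is an added example, not a tool used in the original investigation: it decodes every "xn--" label with Python's built-in punycode codec and flags labels that mix scripts, as the Cyrillic "er" lookalike does. The function names are hypothetical, and the hosts are the ones quoted in this article.

```python
import unicodedata


def decode_label(label):
    """Return the Unicode form of one DNS label ("xn--" marks punycode)."""
    if not label.lower().startswith("xn--"):
        return label
    try:
        return label[4:].lower().encode("ascii").decode("punycode")
    except UnicodeError:
        return label  # not valid punycode: keep the raw label


def scripts(text):
    """Scripts used by the letters in text, read from Unicode character names."""
    return sorted({unicodedata.name(ch, "UNKNOWN").split()[0]
                   for ch in text if ch.isalpha()})


def triage(host):
    """Decode each label of a (possibly defanged) host and flag mixed scripts."""
    report = []
    for label in host.replace("[.]", ".").strip(".").split("."):
        shown = decode_label(label)
        used = scripts(shown)
        report.append({"label": label, "unicode": shown,
                       "scripts": used, "mixed": len(used) > 1})
    return report


if __name__ == "__main__":
    # Hosts quoted in the article; they are only decoded here, never resolved.
    for host in ("xn--mxadgq", "xn--etexample-k3h.com",
                 "sz8hfa0a[.]xn--mk1bu44c"):
        for row in triage(host):
            print(host, row)
```

A label reported as mixed, such as CYRILLIC together with LATIN, is the homoglyph case described earlier; a label in a single non-Latin script, like the Korean TLD here, is not suspicious on that basis alone.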
This raises some questions. First, is the domain name part of this, sz8hfa0a, also punycode? Did our notification cut off the xn-- prefix or was it not included? We deleted the text immediately after taking the screenshot, so we don’t have reference to the original message.
Let’s explore what happens if we turn the domain name part into punycode: xn--sz8hfa0a.