It’s been a while since we’ve done anything investigative, so in this article we’re going to pick apart a SMiSHing attempt we received. This one is a little more on the technical side because punycode is used in this attack, so we’ll do our best to break it down. Because this attempt is so poorly executed, it brings up more questions than answers, so brace yourself for an inconclusive outcome.
Before we get started, some of the screenshots we’re sharing have the potential to harm your systems and/or steal sensitive data. DO NOT BROWSE TO ANY URLS OR USE ANY OF THE CONTACT INFO in any of the SMiSHING screenshots. If you do, you do so at your own risk. This article is only to show you some investigative tools and techniques. Lastly, we aren’t going to visit these phishing sites for obvious reasons, plus malware analysis isn’t our strong point.
To begin, SMiShing is a portmanteau of SMS (Short Message Service; plainly, texting) and phishing. In short, this is phishing over text messages. Phishing is a subset of Social Engineering, for those of you who are new to this world. When we talk about Social Engineering in the cybersecurity/cybercrime sense, there are two optimal outcomes. The first is the bad actor getting you to give up something sensitive, like passwords. The second is getting you to do something that’s out of character for you, like clicking/tapping on a malicious link. Social Engineering is exploiting human behavior.
How lucrative is Social Engineering?
Well, according to the FBI’s 2021 Internet Crime Report, Social Engineering (Phishing/Vishing/Smishing/Pharming) was responsible for 323,972 victim complaints. The activity resulted in $44,213,707 in victim losses [Source: FBI].
The next question on your mind is probably “How did they get my number?”
A bad actor can get your number a few ways:
- From a data breach.
- Infecting the phone of someone associated with you, collecting their contact list, and then sending out the SMiShing text to all of the contacts.
- Using programs to scrape various platforms for phone numbers.
- In a more targeted approach, manually going through the platforms you use to find your number and other information to custom craft a malicious text. Technically this is spear SMiShing because this is extremely targeted. The others we listed above are like casting a wide net hoping several people get caught in it, but the success rate drops in those instances.
If you’re still with us, let’s get to the good stuff. Here’s the text message we received:
The first thing we can pick apart is the email address. Strict query searches, which put quotation marks around the keyword(s), tell search engines to return results that exactly match what you’re looking for. With our target email address, this leads us nowhere on Google, Bing, DuckDuckGo, and Yandex.
We can also check the mail exchange (MX) record to get more technical information, such as the hostname of the mail server for the email address and its IP address. One tool to help find this info is MX Toolbox.
As you see in the results, the hostname is gmail-smtp-in.l.google.com and it resolves to the following IP address 184.108.40.206.
We also have another thing to look at: domain names.
Because gmail.com and google.com are both owned by Google, a WHOIS lookup on both reveals nearly identical results, with the exception of the domain name expiration dates, as you can see in the side-by-side comparison screenshot. What we would hope to see when looking at a domain name registration record are things like contact information that isn’t behind a privacy guard. With respect to our SMiShing text, if the email address had a custom domain name, in an ideal world we’d like to see it in a domain name registration record because that would help identify any other domain names they operate. We digress. Let’s see what else is available to us that’s of value in these records.
There is more information we can use, such as the name servers and resolving them to IP addresses. We can do the same for the domain names themselves and find what their IP addresses are.
The IP addresses, domain names, mail server host, and name servers are also searchable. Because this is Google, there won’t be any interesting results; however, here are some resources you can try to get used to threat hunting: Alienvault’s OTX and VirusTotal. These sources tell you whether there’s anything malicious associated with your findings and anything else of relevance to your search.
Now we get to the interesting part, the text of the text message. There isn’t any sort of message itself that would entice someone to open up the link with the exception of pure curiosity. Speaking of which, the link looks pretty jacked up.
There is one little clue in the link that makes this really interesting.
In the URL there are a few characters that are important. They are “xn--.”
“xn--” is an indicator that punycode is used to create the domain name portion of this URL.
What is punycode?
In a very watered down explanation, punycode is a way to create domain names in languages that use characters like the umlaut (Ö) or don’t use the Latin alphabet like Greek (e.g. γεια which translates to “hi”). In order to create domain names with characters like these, they can only be done alphanumerically (a-z, 0-9) as the Domain Name System (DNS) has a limited character set. The only special character that is permitted is a hyphen (-).
If we use our Greek “hi” (γεια) example, in punycode it looks like xn--mxadgq.
How does punycode relate to phishing?
Some letters from different languages look like letters in the Latin alphabet. For example, in Cyrillic the letter “er” (р) looks exactly like the Latin letter “p.” Let’s say that there’s a company called Pet Example. Their domain name could be petexample.com. Someone creating a phishing site to look like this domain name could use punycode in order to leverage the Cyrillic letter “er” as a substitute for the first Latin “p” in the name. The result is xn--etexample-k3h.com. You can play around converting things into punycode with this converter: https://dnschecker.org/idn-punycode-converter.php
But that doesn’t look anything like petexample, and you’re right if you’re thinking that. How can someone be fooled then? It all comes down to how your web browser renders punycode. If your web browser, regardless of the device you’re using, does not render punycode, the telltale sign is that you’ll see the prefix “xn--” followed by the encoded domain name. Top-level domains (TLDs) like .com, .net, .biz, etc. can also be encoded using punycode. If your web browser does render punycode domain names, then the tip you get from us security professionals, to make sure these names are spelled correctly before visiting them, goes out the window. It’s very difficult to detect.
With this crash course in punycode, let’s take a look at the SMiShing attempt again:
In the text we see “sz8hfa0a[.]xn--mk1bu44c/” followed by what looks like a “randomly” created directory name, and we have our punycode: xn--mk1bu44c.
The next step is to convert the punycode to text which is in the screenshot below.
The result is this: 닷컴
To figure out what this character is, we can use Google Translate.
As you can see in the screenshot, the character is Korean for “dot com.” This is punycode for a TLD.
This raises some questions. First, is the domain name part of this, sz8hfa0a, also punycode? Did our notification cut off the xn-- prefix or was it not included? We deleted the text immediately after taking the screenshot, so we don’t have reference to the original message.
Let’s explore what happens if we turn the domain name part into punycode: xn--sz8hfa0a.
Doing this we get three icons/emojis: 🖱🖨🖥 (mouse, printer, computer).
This is what we can’t make sense of. Were we right to assume the domain name was also punycode based on the top level domain name? If we were right, is there any significance to these three icons/emojis as the domain name because we can’t find any?
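The decoding steps above can be reproduced offline with a few lines of Python. This is an added example, not code from the original article; the function names and flag labels are illustrative assumptions, and guessing a script from Unicode character names is only an approximation. It decodes each label of a hostname and flags punycode, mixed-script labels such as the petexample homograph, and labels that decode to symbols.

```python
import unicodedata

ACE_PREFIX = "xn--"  # marks a punycode-encoded label

def decode_label(label):
    """Return the Unicode form of one DNS label; plain labels pass through."""
    if not label.lower().startswith(ACE_PREFIX):
        return label
    # Raw RFC 3492 decoding of the part after the prefix, no IDNA validation.
    return label[len(ACE_PREFIX):].encode("ascii").decode("punycode")

def scripts(text):
    """Approximate the scripts in a label from Unicode character names."""
    return sorted({unicodedata.name(c, "UNKNOWN").split()[0]
                   for c in text if c.isalpha()})

def inspect_host(host):
    """Decode every label of a hostname and list reasons to distrust it."""
    report = []
    for raw in host.strip(".").split("."):
        flags = []
        try:
            text = decode_label(raw)
        except UnicodeError:
            text, flags = raw, ["invalid-punycode"]
        if text != raw:
            flags.append("punycode")
        if len(scripts(text)) > 1:
            flags.append("mixed-script")  # e.g. Cyrillic "er" among Latin
        if any(unicodedata.category(c).startswith("S") for c in text):
            flags.append("symbols")  # emoji and pictographs
        report.append({"raw": raw, "unicode": text,
                       "scripts": scripts(text), "flags": flags})
    return report

# Hostnames taken from the article text, used here as sample input.
SAMPLES = ["sz8hfa0a.xn--mk1bu44c", "xn--sz8hfa0a.com", "xn--etexample-k3h.com"]

if __name__ == "__main__":
    for host in SAMPLES:
        for row in inspect_host(host):
            print(f"{host:24} {row['raw']:20} -> {row['unicode']!r} "
                  f"{row['scripts']} {row['flags']}")
```

Run on a workstation, this shows the Unicode form of a link's hostname without ever opening the link.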
Doing a WHOIS lookup of xn--sz8hfa0a.com shows that there isn’t anything registered in that name. Oddly, if you resolve xn--sz8hfa0a.com to an IP address we get two results: 23[.]202[.]231[.]168 and 23[.]217[.]138[.]109. Looking up these addresses, we find out that they belong to Akamai Technologies Inc.
Using whoxy.com to look up the DNS registration record of sz8hfa0a.xn--mk1bu44c does reveal very limited information. The registrar is Key-Systems, LLC and the state and country information is pretty diverse. You can see the WHOIS results here: https://www.whoxy.com/sz8hfa0a.xn--mk1bu44c. There is a company name mentioned and opening up that information shows 4 more domain names under their control. View them here: https://www.whoxy.com/company/48451514. This makes things a little more interesting now when expanding the scope of things beyond this one SMiShing attempt. If we resolve this domain name to an IP address we get 162[.]0[.]235[.]115. Namecheap is the owner of this IP address. We’ll add this to the next section with VirusTotal and Alienvault links.
END UPDATE 1
If we dump the IP addresses into VirusTotal there is nothing of value, as shown below. Alienvault didn’t return results either.
There are some interesting results found in VirusTotal in relation to the IP address discovered in UPDATE 1 which you can look at here. There’s a slew of hosts using the IP address that have over two dozen files flagged as malicious that are communicating with these hosts. And BOOM! Here’s the domain we’ve been looking at https://www.virustotal.com/gui/domain/sz8hfa0a.xn--mk1bu44c/detection
Alienvault’s Open Threat Exchange also has a lot of interesting information on the IP address https://otx.alienvault.com/indicator/ip/220.127.116.11 and the domain name itself https://otx.alienvault.com/indicator/domain/sz8hfa0a.xn--mk1bu44c.
END UPDATE 2
The other questions we have, which we’ll never really know the answers to are:
- Based on the TLD being Korean for “dot com,” could this have originated from either North or South Korea? If not, was it made to look like it did and who was responsible for it? Based on the Whoxy whois lookup, the “state” of the registrant is Barisal, which is a city in Bangladesh. The registrant country is Austria. This makes the Korean “dot com” TLD that much more interesting. Perhaps we shall poke around more for another article.
While we stated at the beginning that this little dive into this text message wouldn’t yield definitive results, [Edit to add:] the reason we felt this way was that we were so focused on everything being punycode. Now that we have more information, what’s behind the malicious text and what it’s connected to is interesting. We still strongly feel this was poorly executed as there was nothing to really hook someone into opening the link barring extreme curiosity. We want to share some things to help prevent you from falling victim to SMiShing attacks and punycode related incidents.
- Keep your devices and apps up to date.
- Slow down! Think before you reply or open a link. Do you recognize the phone number/email address? Is the message pressuring or incentivising you to make a hasty decision? If it’s coming from someone you know, does it “sound” like them?
- If the text is purporting to be a trusted company or someone you know, get in touch with them directly. Do not use the contact info in the text message. If the phishing message is saying there’s something wrong with an account (e.g. email, Amazon, bank, mobile service provider, etc), go directly to your account and log in to see for yourself.
For punycode attacks, there really is very little you can do on a mobile device, unfortunately. You can install Firefox Browser (Nightly for Developers) in Google Play then browse to about:config and follow the steps below:
- Once on the about:config page, search for “IDN_show_punycode.” The result you’ll see is “network.IDN_show_punycode.” Its default setting is “False.”
- Change it to “True” by tapping on “network.IDN_show_punycode” and then tapping on “Toggle” so the setting changes to “True.”
That’s it! This means that you’ll have to use the Firefox Browser (Nightly for Developers) from now on as your web browser whenever you want to use Firefox on your mobile device. Even though we’re talking about Firefox on mobile, these settings work on Firefox for your desktop/laptop without the need for installing the Nightly for Developers version.
Chrome may warn you if a site is using punycode and looks suspicious, but they do not have any native settings to change.
This is all we’ve got at this point and we’ll stop here. We hope this was helpful, or interesting, and that you were able to learn something about SMiShing. We also hope you understand the implications punycode adds when someone is phished or SMiShed. All we can tell you is to stay vigilant.
If you want to learn more about our services for yourself, your business, or law firm, fill out the contact form below. If you have any feedback, comments, ideas, or insight to this SMiShing attack, also send us a message in the contact form. Oh! And don’t forget to sign up for our free newsletter!