

We’ve detected an active smishing campaign targeting Australian mobile phone numbers from multiple providers, including Optus and Vodafone. The link within the text message redirects the mobile phone user to a cost-per-acquisition (CPA) landing page, which collects personally identifiable information. Each submission earns the cyber-gang a small sum of money.

It is unknown how this information is currently being utilised or whether the data is stored in a third-party location. However, it is likely the data will be used in a follow-up attack with an associated payload.

Original SMS message: 

While the message comes from different sender numbers, the link and package identification are always consistent.  

Upon clicking the URL within the original SMS, the user is led to a fake UPS delivery page. This then leads to a separate landing page, where the user is requested to pay a $3.00 customer fee.
 

The following IOCs were detected in this campaign: 


CPA Link:  

http://visionadz.go2cloud.org/aff_c?offer_id=181&aff_id=1&aff_click_id=dj2u6rrode8vi0d3i40446as 
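
One way to hunt for this redirect in web proxy logs, as an added example that is not part of the original alert: it flags requests whose URL has the `aff_c` path together with the `offer_id` and `aff_id` parameters seen in the CPA link above. The log format, hostnames and sample lines are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Path and parameter names as they appear in the CPA link in this alert.
CPA_PATH = "/aff_c"
CPA_PARAMS = {"offer_id", "aff_id"}

# Constructed sample lines; assumed format: time client method url referrer
SAMPLE_LOG = """\
2020-01-01T09:00:01Z 10.0.0.5 GET http://tracker.example/aff_c?offer_id=181&aff_id=1&aff_click_id=abc123 http://parcel.example/ups
2020-01-01T09:00:07Z 10.0.0.9 GET https://www.example.org/index.html -
2020-01-01T09:01:12Z 10.0.0.5 GET http://tracker.example/aff_c?offer_id=181 -
2020-01-01T09:02:30Z 10.0.0.7 GET http://other.example/AFF_C?aff_id=1&offer_id=22&aff_click_id=zz9 -
"""

def parse_cpa_click(url):
    """Return the affiliate fields if url looks like a CPA click, else None."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return None  # malformed URL in the log
    if parts.scheme not in ("http", "https") or not host:
        return None
    if not parts.path.lower().rstrip("/").endswith(CPA_PATH):
        return None
    query = parse_qs(parts.query)
    if not CPA_PARAMS.issubset(query):
        return None  # a click needs both the offer and the affiliate id
    return {
        "host": host,
        "offer_id": query["offer_id"][0],
        "aff_id": query["aff_id"][0],
        "click_id": query.get("aff_click_id", [""])[0],
    }

def find_cpa_clicks(log_text):
    """Scan proxy log text and return one record per CPA click request."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed or truncated lines
        when, client, _method, url, referrer = fields
        click = parse_cpa_click(url)
        if click:
            hits.append({"time": when, "client": client, "referrer": referrer, **click})
    return hits

if __name__ == "__main__":
    for hit in find_cpa_clicks(SAMPLE_LOG):
        print(hit)
```

Treat hits as hunting leads and check the referrer for a parcel-delivery lure, since a CPA click on its own is not specific to this campaign.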

Supporting graphics:  

 


Image description: Original smishing SMS message.  

 


Image description: fake UPS landing page  

 
