Smishing - Information Stealer
Today I received the following instant message. Translated, it reads:
We weren't able to set up your package delivery because the address that you provided doesn't match the postal code. Update it at:
https[://]estafetaems[.]top/mc
This is clearly one of those mass-sent smishing messages, but what is their purpose? Let's explore…
Checking the WHOIS record, there are two red flags about this domain:
- The domain was registered through one of those registrars that sell low-cost domains.
- The domain was registered just a day ago (at the time of this writing); no legitimate business domain is usually this young.
Using tria.ge to explore the site, at first glance we can see that it attempts to impersonate the estafeta site, although it looks like an older version of the current one, as the clear differences with the second screenshot (the current website) show.
Checking the resources embedded in the page, we have evidence that this site was cloned toward the end of 2023 (likely December).
Checking the .js file, we can observe comments in Chinese, which means one of two things: either the threat actors are Chinese or familiar with Chinese, or whatever code they copied this from was written by someone who is.
As soon as the user stops typing, the data is sent to the endpoint /api/input, along with an epoch timestamp. The server then replies with code: 0. Note that this happens before the victim ever presses Submit, so a partially filled form already leaks.
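To make the "send on pause" behaviour concrete, here is an added example that models it; this is not the kit's own JavaScript, which was not reproduced here. Only the endpoint /api/input and the "typed data plus epoch timestamp" shape follow the observed traffic; the field names, the pause length (DEBOUNCE_MS) and the timer/sender injection are assumptions made so the logic can be replayed outside a browser.

```javascript
// Added example (not the kit's own code): a minimal model of the
// "send on pause" keystroke exfiltration observed on the phishing page.
// Endpoint /api/input and the {..., ts} body shape follow the observed
// traffic; everything else is an assumption for illustration.

const DEBOUNCE_MS = 500; // assumed pause length; the real value was not measured

// Builds an input handler. send(path, body), the timer functions and the clock
// are injected so the same logic runs in a browser, in Node, or in a test.
function makeExfilHandler({ send, setTimer = setTimeout, clearTimer = clearTimeout, now = Date.now }) {
  let pending = null; // timer of the not-yet-fired send
  const latest = {};  // most recent value of every field the victim touched

  return function onInput(field, value) {
    latest[field] = value;
    if (pending !== null) clearTimer(pending); // still typing: restart the pause
    pending = setTimer(() => {
      pending = null;
      // Observed shape: the typed data plus an epoch timestamp, POSTed to /api/input
      send("/api/input", { ...latest, ts: Math.floor(now() / 1000) });
    }, DEBOUNCE_MS);
  };
}

// A tiny manual timer so the behaviour can be replayed deterministically.
class FakeTimers {
  constructor() { this.queue = []; this.nextId = 1; }
  set(fn, delay) { const id = this.nextId++; this.queue.push({ id, fn, delay }); return id; }
  clear(id) { this.queue = this.queue.filter(t => t.id !== id); }
  fireAll() { const q = this.queue; this.queue = []; q.forEach(t => t.fn()); }
}

// Replays a victim typing a name, pausing, then typing an address and pausing.
// Returns the requests the page would have sent, so the leak can be inspected.
function simulateVictim() {
  const sent = [];
  const timers = new FakeTimers();
  const onInput = makeExfilHandler({
    send: (path, body) => sent.push({ path, body }),
    setTimer: (fn, ms) => timers.set(fn, ms),
    clearTimer: (id) => timers.clear(id),
    now: () => 1719244800000, // constructed clock: 2024-06-24T16:00:00Z
  });
  // Keystrokes arrive faster than DEBOUNCE_MS, so nothing is sent yet.
  for (const partial of ["J", "Ja", "Jan", "Jane"]) onInput("name", partial);
  timers.fireAll(); // first pause: one request carrying the partial form
  for (const partial of ["1", "12", "123 Main St"]) onInput("address", partial);
  timers.fireAll(); // second pause: name and address leak, with no Submit click
  return sent;
}
```

The point for a defender is in simulateVictim(): two requests leave the page and neither required a Submit click, so in proxy logs or a sandbox trace this kit shows up as a burst of small POSTs to /api/input while the victim is still filling the form. In a browser the same handler would be attached with addEventListener("input", ...) and send would be a fetch() call.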
The request and response headers give us more information on the threat actor's infrastructure:
- The Server header is GoFrame HTTP Server. When googling it, the first result is in Chinese, and that website shows a QR code to follow the project on WeChat, a social media platform used almost exclusively in China. Piecing together the two pieces of evidence we have so far (comments written in Chinese and the use of an open-source web framework whose project page asks users to follow it on WeChat), the attackers are most likely Chinese or Chinese-speaking, keeping in mind that both are language artifacts that could also have been inherited with copied kit code.
- There is a Via header with the value 1.1 Caddy. According to its own description, Caddy "sports a flexible and powerful HTTP reverse proxy, on-line configuration API, and a robust, production-ready static file server, and serves all sites over HTTPS by default with automagic TLS certificates". In other words, Caddy sits in front of the GoFrame application as a reverse proxy, and its automatic certificates are likely why a day-old domain already serves valid HTTPS.
- The request carries the client hint header Sec-Ch-Ua-Platform with the value Windows. Chromium-based browsers send this on their own, so the site can identify each visitor's platform without any extra JavaScript.
- There is a Token field, whose purpose is unknown at this point.
Once we hit Submit, we are prompted to enter our credit card information.
This information was also sent while it was being typed. Once we submitted it, a secure WebSocket (wss://) connection was opened to the endpoint /ws, with the previously seen token passed as a parameter.
Within that same exchange, in the result_type event, we can observe the data that was transmitted to the server. The app is able to determine from the first digits whether or not the card number is a valid one (in another attempt I invented all the numbers; in this case I entered only the real leading digits of an HSBC card).
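The kit's actual check was not recovered, only the fact that it judges the number from its leading digits. The following added example (not the kit's code) shows how such a check is typically built: an issuer prefix (IIN) lookup that works on partial input, followed by a length and Luhn checksum test once the number is complete. The prefix table contains the publicly documented ranges for three major networks and is an assumption about what the kit matches against; whether it also runs a checksum is likewise an assumption.

```javascript
// Added example (not the kit's own code): one way a phishing kit can judge a
// card number "valid" from its leading digits, as observed on the page.
// IIN_RANGES holds the public prefix ranges of three major networks and is an
// assumption about what the kit checks; the Luhn checksum is the standard one.

const IIN_RANGES = [
  { brand: "Visa",       lengths: [13, 16, 19], ranges: [[4, 4]] },
  { brand: "Mastercard", lengths: [16],         ranges: [[51, 55], [2221, 2720]] },
  { brand: "Amex",       lengths: [15],         ranges: [[34, 34], [37, 37]] },
];

// Luhn (mod 10) checksum used by payment card numbers: walking from the right,
// every second digit is doubled (minus 9 if that exceeds 9) and all are summed.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return digits.length > 0 && sum % 10 === 0;
}

// Matches the leading digits against each range. A range bound with N digits
// is compared against the first N digits of the input, so this already works
// while the victim is still typing.
function brandFromPrefix(digits) {
  for (const entry of IIN_RANGES) {
    for (const [lo, hi] of entry.ranges) {
      const width = String(lo).length;
      const prefix = Number(digits.slice(0, width));
      if (digits.length >= width && prefix >= lo && prefix <= hi) return entry;
    }
  }
  return null;
}

// Classifies a card number: prefix first (cheap, works on partial input), then
// length and checksum once the number is complete. Non-digits are ignored.
function classifyCard(input) {
  const digits = input.replace(/\D/g, "");
  const entry = brandFromPrefix(digits);
  if (!entry) return { brand: null, prefixOk: false, complete: false, luhnOk: false };
  const complete = entry.lengths.includes(digits.length);
  return { brand: entry.brand, prefixOk: true, complete, luhnOk: complete && luhnValid(digits) };
}
```

This explains the behaviour seen in the two attempts: a fully invented number is rejected at the prefix stage, while a number that starts with a real issuer prefix passes it, so anyone feeding decoy data into a kit like this should expect at least the leading digits to be checked in real time.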
When you submit the info, at the end it redirects you to the legitimate estafeta.com website, so the victim lands on a real page and has little reason to suspect anything.
Reference
[tria.ge](https://tria.ge/250624-t3qmhswvez/behavioral1)