“A $781.91 charge has been made?!” Analyzing a phishing attempt


Imagine this scenario: You get a text message from your bank saying a nearly $800 charge was posted to your account. Unless you were paying a large bill or you are just a high roller, you likely didn’t make this transaction. You may panic and decide to click the link to review the activity. But not so fast.

Screenshot of text message.

My wife got this text a few weeks ago. She was spooked, but consulted me first before reacting. She asked if she should click the link. My response was more like the GIF below.

I was unsure whether the link would sneak any malicious code onto her device, so I strongly recommended that she not click on anything.

For security reasons, the name of the bank and some identifiers have been redacted. 

A few questions came to mind, and knowledge I had picked up in recent months gave me ways to find the answers:

  1. Is this text really from her bank?
  2. If it’s likely not, then who is sending it?

From her bank?

I asked my wife to check her bank’s app or website directly and not to click on the link sent to her. She found that no such transaction had been made. Over the following hours and days, no such charge ever came up. It appeared very unlikely that this text originated from her bank.

Who sent it?

For the second question, it was time to do some digging. I fired up an instance of Kali Linux on a cloud service so that any pings and traces of the URL would come from that server rather than from our home connection.

The traceroute command had little success until I changed the command line options to send TCP probes to port 443 (encrypted web traffic, HTTPS), i.e. `traceroute -T -p 443 <host>`. Many networks drop the default ICMP or UDP probes, but a TCP probe to port 443 looks like an ordinary HTTPS connection and is far more likely to be answered all the way to the web server.

The traceroute followed the packets from the cloud server I was using to a data center listed as Tencent Cloud Computing (Beijing), Co. Ltd., according to info from whatismyipaddress.com. The server for the website was located in New Mexico, but the Beijing tag widened my eyes. I later discovered that Tencent Holdings Limited is based in China and has infrastructure in the United States.

A screen capture of the whois domain information.

A whois registry lookup tied the domain name back to a China-based company called Eranet. It also showed that the domain had been created within the previous 24 hours. Domain age is one of the most reliable phishing indicators: legitimate banks run on domains that have been registered for years, while phishing domains are typically registered hours or days before the campaign starts. Unless her bank got a new website without telling its customers, this website is not from her bank.

An attempt to look at the website’s HTML using the domain name returned an HTTP 301 response. A 301 is not an error as such: it tells the client that the resource has permanently moved and that it should follow the Location header to the new URL. But when curl was pointed at the server’s IP address directly, the results were different.

The returned HTML hinted at the use of a reverse proxy manager, a front end that receives incoming requests and forwards them to the real web server based on the requested hostname. That explains the difference: a request addressed by hostname is routed to the phishing site, while a request by bare IP matches no configured hostname and falls through to the proxy’s default page.
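The checks described above (a whois lookup for the creation date, then fetching headers by hostname and by IP without following the redirect) all produce plain text, so they can be scripted into a single triage routine. The script below is an added example, not the author’s code or output from the actual investigation. The whois record, the two curl responses, the domain, the registrar and the “now” timestamp are all constructed placeholders; on a real case you would substitute the text from `whois <domain>`, `curl -sI https://<domain>/` and `curl -skI https://<ip>/`.

```python
"""Triage of a suspicious "your bank" link from whois text and HTTP headers.

Added example, not from the original post. All sample data below is
constructed: the domain, registrar, dates and Server headers are placeholders,
not captures from the real phishing site.
"""
import re
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed whois output in the key/value layout most registries return.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-BANK-ALERT.COM
Registrar: Example Registrar Ltd.
Creation Date: 2023-05-14T03:12:41Z
Updated Date: 2023-05-14T03:12:41Z
Registry Expiry Date: 2024-05-14T03:12:41Z
Name Server: NS1.EXAMPLE.NET
"""

# Constructed `curl -sI https://<domain>/` response: a 301 redirect.
SAMPLE_HEADERS_BY_NAME = """\
HTTP/1.1 301 Moved Permanently
Server: nginx
Location: https://example-bank-alert.com/login/
Content-Length: 0
"""

# Constructed `curl -skI https://<ip>/` response: the proxy's own default
# answer, since a bare IP matches no configured hostname.
SAMPLE_HEADERS_BY_IP = """\
HTTP/1.1 200 OK
Server: openresty
Content-Type: text/html
"""

# Constructed "current time" so the age calculation is reproducible.
SAMPLE_NOW = datetime(2023, 5, 15, 12, 0, tzinfo=timezone.utc)


def link_hostname(url):
    """Lower-cased hostname of the link in the text message."""
    host = urlparse(url).hostname
    if not host:
        raise ValueError("no hostname in %r" % url)
    return host.lower()


def whois_fields(text):
    """Parse 'Key: value' lines of whois output into a dict (first value wins).
    Keys contain only letters, spaces and slashes, so the first colon after
    the key is the separator even when the value itself contains colons."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z /]*?):\s*(.+?)\s*$", line)
        if m:
            fields.setdefault(m.group(1).strip().lower(), m.group(2))
    return fields


def domain_age_days(whois_text, now):
    """Whole days between the registry creation date and `now`, or None."""
    created = whois_fields(whois_text).get("creation date")
    if not created:
        return None
    dt = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ")
    return (now - dt.replace(tzinfo=timezone.utc)).days


def header_fields(text):
    """(status code, {lower-cased header: value}) from a raw curl -I response."""
    lines = text.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def triage(url, whois_text, headers_by_name, headers_by_ip, now, bank_domain,
           max_age_days=30):
    """Return the red flags a defender would note before anyone clicks."""
    flags = []
    host = link_hostname(url)
    if host != bank_domain and not host.endswith("." + bank_domain):
        flags.append("hostname %s is not the bank's domain %s" % (host, bank_domain))
    age = domain_age_days(whois_text, now)
    if age is None:
        flags.append("no creation date in whois output")
    elif age < max_age_days:
        flags.append("domain registered %d day(s) ago" % age)
    status, by_name = header_fields(headers_by_name)
    if status in (301, 302, 307, 308):
        target = urlparse(by_name.get("location", "")).hostname or "?"
        flags.append("redirects (%d) to %s" % (status, target))
    status_ip, by_ip = header_fields(headers_by_ip)
    if status_ip != status or by_ip.get("server") != by_name.get("server"):
        flags.append("answer by IP (%d, %s) differs from answer by name (%d, %s): "
                     "reverse proxy in front" % (status_ip, by_ip.get("server"),
                                                 status, by_name.get("server")))
    return flags


if __name__ == "__main__":
    for flag in triage("https://example-bank-alert.com/alert?id=1", SAMPLE_WHOIS,
                       SAMPLE_HEADERS_BY_NAME, SAMPLE_HEADERS_BY_IP, SAMPLE_NOW,
                       "realbank.example"):
        print("-", flag)
```

Run from a throwaway host as the post describes, never from the device that received the message, and use `curl -I` (HEAD, no redirect following) rather than a browser so the phishing page’s HTML and scripts are never rendered.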

By the time I got this far in inspecting the website sent to my wife’s phone, it was late that night. It is probable that someone had already taken the website down at this stage in the game.

Conclusion

It is safe to say that this was not from her bank and was a phishing attempt that very likely originated from China.

Precautions to take

What should you do if you get a link from a financial institution asking you to log in to verify something such as a charge, an overdraft, a new account, or anything else?

If any doubt arises, do not click anything. A link may install malware on your device and/or present a login page that sends the username and password you enter to a malicious actor instead of the bank. Once a bad actor has this info, they can use it to gain access to the account.

It’s best to go directly to your bank’s website or app, typed in or opened yourself rather than via the link, to verify claimed charges or other alerts. You could also call your bank, using the number on the back of your card or on a statement rather than any number in the message.

Be sure to have strong passwords that are not reused on other websites. If available, ensure that multi-factor authentication (MFA) is enabled.

Featured image credit: r. nial bradshaw via Flickr (CC BY 2.0)