There has been an uptick in the number of phones being pwned by adversaries. This is quite perilous, as SMS messages as a multi-factor authentication (MFA) security mechanism are now ubiquitous with banks, Internet registrars, and for access to employer networks. Think about this: if your phone or iMessage account gets pwned, then presumably an adversary could read your text messages, including MFA or one-time-use passcodes that are texted to your phone via SMS. I’m not saying SMS-based MFA is a bad thing. It’s better than NO MFA AT ALL, but not as good as some other MFA solutions like Cisco Duo. That being said, I was recently targeted by a fairly persistent adversary in the form of multiple text message attempts and several voice call attempts before I blocked the number.
It may well be that there is no malicious payload at all here, but rather an attempt to generate revenue through referral bounties from Google. When curling this shortened URL, it sends a 302 Redirect to the Android Play Store for a legitimate Google Duo chat app that includes referral information, presumably to allow someone to get a click credit for the app store visit. Or, perhaps the goal is to get the “mark” to install the chat app and then receive some additional payload from the adversary that takes over the target’s mobile device. Of course, without playing this out to the end, it’s only conjecture as to the actual intent of this activity.
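For readers who want to repeat the check described above without ever following the link, here is an added example (my own, not code from the original post) that issues a HEAD request with redirects disabled, reports the Location header, and decodes the Play Store referral parameters. The sample Location header and the `com.example.chat` app id are constructed placeholders, not values captured from the messages in this post.

```python
"""Inspect a shortened URL without following its redirect.

Added example, not part of the original post. Sends a HEAD request with
redirects disabled so the Location header can be examined rather than acted
on, then decodes the Play Store referral parameters the post describes.
"""
import urllib.error
import urllib.request
from urllib.parse import parse_qs, urlparse


class NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urllib raise HTTPError on 3xx instead of following it.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_location(url: str, timeout: float = 10.0):
    """HEAD the URL; return (status, Location header or None) without following."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # 3xx responses land here because NoRedirect refused to follow them.
        return err.code, err.headers.get("Location")


def decode_play_store_target(location: str) -> dict:
    """Split a Play Store URL into host, app id and decoded referral parameters."""
    parsed = urlparse(location)
    query = parse_qs(parsed.query)
    info = {"host": parsed.netloc, "app_id": query.get("id", [None])[0]}
    # Play Store 'referrer' values are themselves URL-encoded key=value strings.
    referrer = query.get("referrer", [None])[0]
    info["referrer"] = (
        {k: v[0] for k, v in parse_qs(referrer).items()} if referrer else {}
    )
    return info


# Constructed sample Location header (placeholder app id), not a captured one.
SAMPLE_LOCATION = (
    "https://play.google.com/store/apps/details?id=com.example.chat"
    "&referrer=utm_source%3Dpartner123%26utm_medium%3Dsms"
)

if __name__ == "__main__":
    print(decode_play_store_target(SAMPLE_LOCATION))
```

`fetch_location` needs network access; pass it the shortened URL and feed the returned Location into `decode_play_store_target`.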
I found some of the social engineering behind this interesting as:
- The adversary tries to say “hey we’re just all friends here” by referencing her “mother’s number”
- A cute, disarming photo was attached
- The second text included a really creepy photo of a skeleton wearing a bunny costume on a bicycle and the skeleton of an animal.
- After no response from two text messages, the adversary made a voice call with a few seconds of a woman with a British accent and then nothing. Of course, I had exhausted the level of risk I was willing to take collecting information for this post, so I subsequently blocked the number. I found this to be oddly persistent if the goal was to make a few cents for an app click.
- The caller ID was spoofed to be from my local area code. (Listen to this podcast episode from Reply All to learn how an adversary does that!)
I took these screenshots of the phishing text messages for the purposes of sharing in this blog post. Of course I did not click any links or open any media files sent by the adversary, and I immediately deleted the messages. I am currently not in a position to export these media files for detonation in a sandbox, but if you have received these and did so, I would be very interested to see how this chain played out, so please leave me some feedback with the details!
I would posit that if you are reading a blog like mine, you probably would not fall for one of these tricksters’ ploys, so I am leaving you with this challenge: reach out and educate a loved one or a friend on being careful with SMS and text messaging from untrusted contacts!