Phishing Threats
In today's digital age, most people have a bank account that they use daily. Criminal groups have adapted and modernized their methods to steal and extract user information.
SMS Spoofing: A Deceptive Technique
SMS spoofing involves sending falsified text messages where the sender appears legitimate, such as a bank. These messages are often grouped with genuine ones from the bank, making the deception more dangerous. Cybercriminals typically hire external services to carry out these falsifications.
Case Study: A Fraudulent Message
On one occasion, I received a message that appeared to be from my bank, inviting me to access a fraudulent link.
So I thought it might be interesting and entertaining to see how that site was displayed.
The Original Message
The message was presented as a reliable communication from my bank. The criminals knew the last numbers of my card, suggesting a possible information leak from the bank.
Link Analysis
The link only contained the bank's name, which might seem normal to someone who is not familiar with how domains are constructed.
When running a whois
query on the domain, it returned some interesting data.
Domain was created on May 27th.
Domain Name: banorte.link
Creation Date: 2024-05-27T05:21:53.892Z
At least, they went to the trouble of not providing certain information.
Registrant Street: REDACTED FOR PRIVACY
Registrant City: REDACTED FOR PRIVACY
Registrant Postal Code: REDACTED FOR PRIVACY
However, there are points where it states that the registrant is located in Mexico.
Registrant State/Province: Oaxaca
Registrant Country: MX
Site At First Sight
The site was, in some way, "well-made," featuring colors distinctive to the bank and similar icons, enough to deceive a non-technical person into entering their information.
However, it lacked a security certificate, which is a significant red flag.
It's important to remember that just because a site has a security certificate doesn't mean it is safe and free from scams or phishing. In this case, the criminals didn't even bother to add a certificate.
Investigating the Site
Upon examining the site, there's a field for entering data, which suggested that any information submitted would be stored in a database. I used a Python script with Selenium to inject false data into the form.
Although, I'm not an expert in web programming, but it never hurts to get a little help from ChatGPT, which assisted me in creating a script to inject information into a form.
Script Implementation
With the help of a Python script, I managed to inject false information into the site to counter the attack.
I adapted the script to inject random data, starting with 10 entries, then 30, and finally 50. The data consisted of random characters and numbers with a minimum length of 8 characters, as specified by the criminals for the form submission.
I won't go into the details of the generated script, but I'll focus on the crucial part:
input_field = form.find_element(By.NAME, 'form')
This line is pivotal, as it uses the find_element
method of the form object to locate an element within that form. The find_element
method is used to search for a single element in the Document Object Model (DOM) of the webpage.
In this case, the code is looking for an element within the form that has name "form". This is the value of the name attribute of the HTML element being searched for.
After leaving the script running for at least 1.5 hours, I came back after some time to check and it turns out that nothing was displayed in the site.
I consulted it using a VPN and using proxychains, to rule out that it was a ban of my IP address, however when I made the query, the page showed the same thing.
Final Reflections
I don't claim to have caused a DDoS attack or something similar, but it seems the criminals deactivated the site after receiving false and random data in a short period of time, instead of the expected user credit card or account name information.
This small counterattack was gratifying, knowing that I might have contributed to preventing innocent people from falling into the trap, at least for that day.
This case illustrates how criminals can create millions of fraudulent sites daily to steal information and how small actions can have a positive impact on user security.
Contributing to Combat Phishing
There are many platforms where you can submit phishing URLs to be reported and indexed on the Internet, assigning them a bad reputation for when someone tries to access them.
Personally, I use PhishTank, a service managed by Cisco Talos Intelligence Group. This cybersecurity team is dedicated to security research and employs various artificial intelligence techniques to analyze numerous URLs and IPs on the Internet, assigning them a positive or negative score to protect users.
Top comments (2)
Buen artículo y caso Diego...
Por cierto, al parecer la zona de DNS completa fue desactivada. Probablemente múltiples reportes de mal uso:
% dig banorte.link a
; <<>> DiG 9.10.6 <<>> banorte.link a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4484
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;banorte.link. IN A
;; AUTHORITY SECTION:
link. 156 IN SOA ns.trs-dns.com. trs-ops.tucows.com. 1722006090 1800 900 604800 300
Es interesante también como después de un par de horas, el sitio ya es considerado como malicioso.
Muchas gracias por tus comentarios Berni.