The scammers, however, are coming at us from multiple directions, or what could be referred to as ‘attack vectors’. This post relates to the SMS text message vector, which is becoming more popular. In the last week alone, I have gone from never receiving one of these scam messages to receiving two in the same day.
Don’t Click the Link.
Scam text messages, just like scam emails, try to dupe you into doing something that the scammer wants you to do, and you will not realise that you did not want to do it until it is too late. However, scam text messages are more limited in the content that they can carry, and are therefore more likely to require you to click on a link to download any malware. And so it was with both of the scam text messages I received. So I made sure that in neither case did I click the links that they contained.
The Clues
How did I know that these were likely scams? Take a look at both of the text messages. Whilst both of them appear to address a specific individual by name, neither name used matches my own name. So that is the first clue. The second clue is that I do not have a Bitcoin account. So the first SMS message is very likely a scam. Even if I did have a Bitcoin account, I would go through a registered Bitcoin exchange, not some random link sent to me in a text message. Most likely, this message was crafted to try and dupe recipients into thinking that they have mistakenly received a message intended for ‘Kaitlyn’, and the scammers are hoping that at least some recipients are silly and dishonest enough to take their chance of collecting Kaitlyn’s money.
The third clue, from my perspective, is the use of the sender name “WOOLGIFTS”. To my mind, that stands out like a sore thumb. Why is it capitalised? Why not “Woolworths Gift Cards”?
Confirming Suspicions
The link provided in the first text message has used a URL shortening service to hide the real link. However, the second message has a link that is a little more intelligible straight up. This allows us to put the domain into IP-address.org to see who might own it. The results for “woolworths.msggft.com” were uninspiring – as that does not exist as a registered domain. Possibly it could be a subdomain of “msggft.com”, and IP-address.org confirms that such a domain exists, and that it was registered with GoDaddy.com in the United States. Some scammers live in the US, so there is no good news there.
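The check described above (which part of the link is the registered domain, and is the brand name only a subdomain of something else?) can be automated. The following is an added example, not part of the original post; the brand table, the shortener list, the small suffix list standing in for the Public Suffix List, and the sample message text are all assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumptions for this example (not from the original post):
# brand keyword -> domains the brand is assumed to actually use
BRANDS = {"woolworths": {"woolworths.com.au"}}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
# Tiny stand-in for the Public Suffix List
TWO_PART_SUFFIXES = {"com.au", "net.au", "org.au", "co.uk"}

URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)


def registrable_domain(host):
    """Return the registered domain (e.g. msggft.com) for a hostname."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_PART_SUFFIXES else 2
    return ".".join(labels[-n:])


def check_sms(text):
    """Return one (host, registered domain, reasons) tuple per link found."""
    findings = []
    for match in URL_RE.finditer(text):
        url = match.group(0)
        if "://" not in url:
            url = "http://" + url  # urlsplit needs a scheme to find the host
        host = urlsplit(url).hostname or ""
        reg = registrable_domain(host)
        reasons = []
        if reg in SHORTENERS:
            reasons.append("shortener hides the real destination")
        for brand, official in BRANDS.items():
            # Brand name used as a label of somebody else's domain
            if brand in host and reg not in official:
                reasons.append(f"'{brand}' appears in host but domain is {reg}")
        findings.append((host, reg, reasons))
    return findings


# Constructed sample message, modelled on the one described in the post
SAMPLE = "WOOLGIFTS: Your gift card is ready, claim at woolworths.msggft.com/claim"

if __name__ == "__main__":
    for host, reg, reasons in check_sms(SAMPLE):
        print(host, reg, reasons)
```

The registered domain is what a WHOIS-style lookup should be run against; the brand label in front of it is chosen freely by whoever controls that domain.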
As the link came via text message, it is likely that the content of the malware behind it is targeted at mobile phones, likely iOS or Android phones. As these are different operating systems to some of my other devices, and because I do trust my anti-malware software, a day or two after receiving the text messages, I used a different device to attempt to navigate to “woolworths.msggft.com”.
Good news. It appears that someone has already reported this site. Both “woolworths.msggft.com” and “msggft.com” show an account suspended page. Either that, or the scammers are so crafty that they have created an account suspended page to send non-mobile devices to, to try and fool researchers. Either way, it confirms my suspicions that it was all a scam.