Earlier today our OP Innovate research team received yet another Smishing attempt asking them to provide credit card details.
The SMS looks like a legitimate message from the Israeli post office and even contains a correctly formatted tracking number (translated here from Hebrew):
Your package: RU0041902037Z is ready for pickup, please click the link and complete the payment: https://2u.pw/MT5To
The message requests credit card details in order to pay customs fees associated with a package and enable its delivery – this plays on the victim’s sense of urgency.
The Tiny URL service is legitimate and has been seen in previous phishing campaigns targeting Israelis.
When a victim clicks on the Tiny URL link they are redirected to the following website: https://cobbjones.ca/postal/log/app/
By navigating to the top level of the website, we arrive at the commercial and seemingly legitimate website of a Canadian law firm. The site must have been hacked for the attackers to gain access to its subfolders. We approached the owner and informed them about the unfortunate hijacking of their web resources.
In terms of security, the site suffers from additional misconfigurations. These expose the server logs, and from those we could see how much traffic the site received and, of course, the cleartext credit card details that victims entered.
Here are some further insights:
This is what it looks like from an attacker's perspective:
Here are some of our insights into the attack:
We took the following action with this information:
Have a safe weekend!