Scamming explanation



  • I've just received a scam SMS that invites me to click on a link to check a delivery. Since I was curious about where it could lead, I opened a VM and set up a VPN, then clicked on the link. After different redirects I ended up on Google. So I'm wondering about the aim of this scam SMS.

    Here are the HTTP responses (I obscured the cookies):

    HTTP/1.1 302 Found
    Server: nginx/1.16.1
    Date: Fri, 23 Apr 2021 15:49:07 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 208
    Connection: close
    Access-Control-Allow-Origin: *
    Location: https://track.drerries.com/8d912287-1150-46dc-8dc5-999464f50468?af=39&no=30-35
    Vary: Accept
    
    <p>Found. Redirecting to <a href="https://track.drerries.com/8d912287-1150-46dc-8dc5-999464f50468?af=39&amp;no=30-35">https://track.drerries.com/8d912287-1150-46dc-8dc5-999464f50468?af=39&amp;no=30-35</a></p>
    
    
    HTTP/1.1 200 
    Server: nginx
    Date: Fri, 23 Apr 2021 15:49:27 GMT
    Content-Type: text/html;charset=UTF-8
    Connection: close
    Cache-Control: no-store, no-cache, pre-check=0, post-check=0
    Expires: Thu, 01 Jan 1970 00:00:00 GMT
    Pragma: no-cache
    Set-Cookie: XXXXXX Expires=Sat, 24-Apr-2021 15:49:27 GMT; Domain=track.drerries.com; Path=/; Secure; HttpOnly;SameSite=None
    Set-Cookie: XXXXXX; Max-Age=31536000; Expires=Sat, 23-Apr-2022 15:49:27 GMT; Domain=track.drerries.com; Path=/; Secure; HttpOnly;SameSite=None
    Content-Length: 359
    
    <html><head><link rel="icon" type="image/gif" href="data:image/gif;base64,R0lGODlhAQABAPAAAAAAAAAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw=="/><meta http-equiv="refresh" content="0;URL='https://track.drerries.com:443/redirect?target=BASE64aHR0cDovL2dvb2dsZS5jb20&ts=1619192967438&hash=ogrCi1dIa7dWRxmVYfvbI_C2LDRrEOdTgzbxKxsLjaA&rm=D'" /></head><body></body></html>
    
    HTTP/1.1 200 
    Server: nginx
    Date: Fri, 23 Apr 2021 15:49:36 GMT
    Content-Type: text/html;charset=UTF-8
    Content-Length: 229
    Connection: close
    Cache-Control: no-store, no-cache, pre-check=0, post-check=0
    Expires: Thu, 01 Jan 1970 00:00:00 GMT
    Pragma: no-cache
    
    <html><head><link rel="icon" type="image/gif" href="data:image/gif;base64,R0lGODlhAQABAPAAAAAAAAAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw=="/><meta http-equiv="refresh" content="0;URL='http://google.com'" /></head><body></body></html>
    

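The redirect chain in the post above can be reconstructed offline from the captured responses, without contacting any of the hosts involved. The following is an added example and is not code from the original poster: it parses the three responses (embedded below as a constructed, trimmed copy, with cookie values obscured exactly as in the post and the favicon tag dropped), follows each hop whether it is signalled by a `Location` header or by a `<meta http-equiv="refresh">` tag, and decodes the `target` parameter of the tracker's `/redirect` URL, which carries the final destination behind a literal `BASE64` prefix. The SMS link itself is not on the page, so a placeholder start URL is used.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the three responses from the post, cut down to the
# parts the parser needs. Cookie values are obscured ("XXXXXX") as in the post.
RAW_RESPONSES = [
    """HTTP/1.1 302 Found
Server: nginx/1.16.1
Content-Type: text/html; charset=utf-8
Location: https://track.drerries.com/8d912287-1150-46dc-8dc5-999464f50468?af=39&no=30-35

<p>Found. Redirecting to <a href="https://track.drerries.com/8d912287-1150-46dc-8dc5-999464f50468?af=39&amp;no=30-35">...</a></p>
""",
    """HTTP/1.1 200
Server: nginx
Content-Type: text/html;charset=UTF-8
Set-Cookie: XXXXXX; Domain=track.drerries.com; Path=/; Secure; HttpOnly;SameSite=None

<html><head><meta http-equiv="refresh" content="0;URL='https://track.drerries.com:443/redirect?target=BASE64aHR0cDovL2dvb2dsZS5jb20&ts=1619192967438&hash=ogrCi1dIa7dWRxmVYfvbI_C2LDRrEOdTgzbxKxsLjaA&rm=D'" /></head><body></body></html>
""",
    """HTTP/1.1 200
Server: nginx
Content-Type: text/html;charset=UTF-8

<html><head><meta http-equiv="refresh" content="0;URL='http://google.com'" /></head><body></body></html>
""",
]

# Matches <meta http-equiv="refresh" content="0;URL='...'"> (quotes optional,
# case-insensitive), capturing the destination URL.
META_REFRESH = re.compile(
    r"""<meta\s+http-equiv=["']refresh["']\s+content=["']\s*\d+\s*;\s*url=['"]?([^'"]+)['"]?""",
    re.IGNORECASE,
)


def split_response(raw):
    """Split a raw HTTP/1.1 response into (status code, headers dict, body).
    Header names are lower-cased; repeated headers (Set-Cookie) are kept as lists."""
    head, _, body = raw.partition("\n\n")
    lines = head.splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body


def next_hop(raw):
    """Return (mechanism, url) for the redirect a response triggers, or (None, None).
    A 3xx Location header wins; otherwise look for a meta refresh in the body."""
    status, headers, body = split_response(raw)
    if 300 <= status < 400 and "location" in headers:
        return "location", headers["location"][0]
    match = META_REFRESH.search(body)
    if match:
        return "meta-refresh", match.group(1)
    return None, None


def decode_target(url):
    """The tracker's /redirect URL carries its destination as a 'target' query
    parameter prefixed with the literal string BASE64. Return the decoded URL,
    or None when the parameter is absent or not in that form."""
    target = parse_qs(urlsplit(url).query).get("target", [None])[0]
    if not target or not target.startswith("BASE64"):
        return None
    payload = target[len("BASE64"):]
    payload += "=" * (-len(payload) % 4)  # the tracker strips the '=' padding
    return base64.urlsafe_b64decode(payload).decode("utf-8", "replace")


def trace_chain(responses, start_url):
    """Walk the captured responses in order and return the list of hops,
    each with the URL, how it was reached, and any decoded 'target' parameter."""
    hops = [{"url": start_url, "via": "sms", "decoded_target": None}]
    for raw in responses:
        how, url = next_hop(raw)
        if url is None:
            break
        hops.append({"url": url, "via": how, "decoded_target": decode_target(url)})
    return hops


def hosts_touched(hops):
    """Sorted set of hostnames the browser would contact along the chain."""
    return sorted({urlsplit(h["url"]).hostname for h in hops if urlsplit(h["url"]).hostname})


if __name__ == "__main__":
    # Placeholder: the SMS link itself is not given in the post.
    chain = trace_chain(RAW_RESPONSES, "https://example.invalid/sms-link")
    for i, hop in enumerate(chain):
        extra = f"  (target decodes to {hop['decoded_target']})" if hop["decoded_target"] else ""
        print(f"{i}: [{hop['via']}] {hop['url']}{extra}")
    print("hosts touched:", ", ".join(hosts_touched(chain)))
```

Run as-is it prints four hops ending at `http://google.com`, shows that the tracker's `target` parameter already named google.com before the last hop was fetched, and lists the three hostnames the browser contacted; those hostnames are what to look up in threat-intelligence sources or add to a blocklist. The `ts`, `hash` and `rm` parameters are left untouched because nothing in the post explains them.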

  • Without being able to see everything that is happening, what other links like this do is to show you Google (or some other benign site), but in passing through other sites, they attempt to compromise your browser and system to install cryptominers or ransomware.

    I'd suggest putting it through a malware analysis sandbox, like cuckoo.ee and see what it really does.

    I put one of these links through VirusTotal and Cuckoo a couple of years ago to show the difference between a URL scan and sandbox analysis.

