You know not to click…so we did it for you!

esteria.white

Once I modify my Chrome VM to pretend to be “Safari on iPhone”, we revisit the URL that was sent to my phone:

We have written many times in the past about these never-ending investigations. Their goal is to collect as much personal data about you as possible and show you as many ads as possible. They then generate revenue by showing you ads during the survey, but also by selling the personal information they collect from you to organizations that need “qualified leads.” They will tell these organizations that you are looking for things like savings on college tuition, health insurance, car insurance, electronics, a new vehicle, etc., and you will start receiving more spam from the from those organizations who believed that you had asked. their spam!

We asked our friends at Zetalytics, via their Zone Cruncher tool, “So where in the world is the n9cxr(.)info IP address?” They told us it was located in Hong Kong on a server hosted by Alibaba Inc.

It’s very interesting! Thank you Zetalytics! Could you also tell us any OTHER DOMAIN NAMES that have recently been seen on this same IP address? After all, we received three of these domains in the three messages I received on my home phone!

All of these domains are of course registered with the crummy domain registrar NameCheap. They claim that if we notify them of bad domains, they will deregister them. Once I publish this I will send them a copy and report back what happens.

Moreover, the content is not exactly the same on each visit. My next visit to the n9cxr URL gave me this pop-up:

So how can we access the fake AT&T page? This is where a tool that CAUCE Director Neil Schwartman showed me comes in. While I don’t necessarily recommend the company, this little Chrome plugin is gold for tracing redirect paths! (Search for the Chrome extension “Ayima Redirect Path” and remember that you should only examine potentially hostile URLs in a virtual machine!)

What does all this mean? It tells us that the web server at the first URL claimed that the page we were looking for “dhmxmcmBTQ” had been temporarily redirected to “themechallenge(.)club” and that we should ask that server for a particular “key”.

This key caused the server to send us a Javascript that redirected us to another URL on their website, which in turn did a “META redirect” to the web server “go.metreysi(.)info” where we should tell them that we were sent by a certain “cnv_id”. This server then pretended that we had clicked on it and sent us through another “temporary 302 redirect” to a web server called “redirect.usersupport(.)net”. UserSupport then performed another redirect which took us to the “att.usersupport(.)net” website.

More domains to search in ZoneCruncher!

https://themechallenge(.)club/click.php?key=abrrkduwznt79g18cx66

go.metreysi(.)info => hosted on LeaseWeb at 23.108.57(.)187
redirect.usersupport(.)net => hosted on 2606:4700:3032::6815:2b25

att.usersupport(.)net => hosted on 2606:4700:3031::ac43:da02

My guess is that all these other “go” sites that share the same IP address will also be involved in illegal “redirect” scams that start with SMS Blast.

By the way, do you remember the “key” we had to pass? Similar to our user agent, if you visit one of these sites and fail to pass it a “key”, it will simply redirect you to 127.0.0.1, which means “visit your own machine” .

Not just AT&T!

One of Zetalytics’ other tricks is that it can show me other hostnames on the same domain. (The term for this is called “PassiveDNS”)

It appears that “UserSupport(.)net” is also used to impersonate TikTok, CostCo, Walmart and Google, shipping company UPS, FedEx and US Postal Service, as well as cell phone providers AT&T, Comcast, Spectrum, T- Mobile. , and Verizon!

Since I haven’t received these particular SMS messages, I can’t access them. (I have the wrong “key” to start the channel.) But I’d love to see more if you’re willing to share a screenshot!

List of .info (and .xyz) domains abusing SMS spam that would be associated with these campaigns. It makes sense that there are exactly 100 of them.

1find(.)info

1fwnx(.)info

1nvc(.)info

2edcc(.)infos

2gtex(.)info

2ofgm(.)info

3mgie(.)infos

3ohmd(.)info

4gogm(.)info

4onnr(.)info

4onnr(.)info

6ghme(.)infos

6nbfu(.)infos

6omrf(.)infos

6wqbv(.)info

7botm(.)info

7gboe(.)info

7gboe(.)info

7uwhn(.)info

7wxcd(.)info

8bmxw(.)infos

9bmdx(.)info

a2sct(.)infos

a7tev(.)infos

applicationsc(.)info

applicationsf(.)info

bjdz2(.)xyz

bmeq9(.)info

bookc(.)info

bookx(.)info

cartm(.)info

cartm(.)info

map(.)info

faceg(.)info

faceg(.)info

faceh(.)info

facem(.)info

faceu(.)info

facey(.)info

fuwd2(.)info

gg0l(.)info

gi3t(.)info

gi3t(.)info

gitn4(.)info

go4(.)info

gotr6(.)info

gr8f(.)info

havec(.)infos

havec(.)infos

havec(.)infos

havec(.)infos

havec(.)infos

havec(.)infos

havej(.)info

have(.)info

hidej(.)info

hidej(.)info

hide(.)info

hide(.)info

hide(.)info

j1bcs(.)info

j1bcs(.)info

j2bmf(.)info

k2ave(.)infos

k4acr(.)info

k4acr(.)info

k8bvz(.)infos

kpl5(.)info

kpp8(.)info

kpp8(.)info

kse0(.)info

ktf4(.)info

l1bmz(.)info

l5brv(.)info

lgte3(.)info

m2cxn(.)info

m6cda(.)info

mbdz2(.)xyz

mqbvn(.)info

n4csv(.)information

n9cxr(.)info

name(.)info

pexw0(.)xyz

qkkk2(.)xyz

raini(.)info

rain(.)info

Rainz(.)info

s1vrk(.)info

s2avr(.)info

s2avr(.)info

s4asc(.)information

s6axe(.)info

s7axm(.)info

s8avx(.)info

toer9(.)info

toer9(.)info

vbjh9(.)xyz

wodm7(.)info

word(.)info

wosn9(.)info

Leave a comment