Once I modify my Chrome VM to pretend to be “Safari on iPhone”, we revisit the URL that was sent to my phone:
We have written many times in the past about these never-ending investigations. Their goal is to collect as much personal data about you as possible and show you as many ads as possible. They then generate revenue by showing you ads during the survey, but also by selling the personal information they collect from you to organizations that need “qualified leads.” They will tell these organizations that you are looking for things like savings on college tuition, health insurance, car insurance, electronics, a new vehicle, etc., and you will start receiving more spam from the from those organizations who believed that you had asked. their spam!
We asked our friends at Zetalytics, via their Zone Cruncher tool, “So where in the world is the n9cxr(.)info IP address?” They told us it was located in Hong Kong on a server hosted by Alibaba Inc.
It’s very interesting! Thank you Zetalytics! Could you also tell us any OTHER DOMAIN NAMES that have recently been seen on this same IP address? After all, we received three of these domains in the three messages I received on my home phone!
All of these domains are of course registered with the crummy domain registrar NameCheap. They claim that if we notify them of bad domains, they will deregister them. Once I publish this I will send them a copy and report back what happens.
Moreover, the content is not exactly the same on each visit. My next visit to the n9cxr URL gave me this pop-up:
So how can we access the fake AT&T page? This is where a tool that CAUCE Director Neil Schwartman showed me comes in. While I don’t necessarily recommend the company, this little Chrome plugin is gold for tracing redirect paths! (Search for the Chrome extension “Ayima Redirect Path” and remember that you should only examine potentially hostile URLs in a virtual machine!)
What does all this mean? It tells us that the web server at the first URL claimed that the page we were looking for “dhmxmcmBTQ” had been temporarily redirected to “themechallenge(.)club” and that we should ask that server for a particular “key”.
This key caused the server to send us a Javascript that redirected us to another URL on their website, which in turn did a “META redirect” to the web server “go.metreysi(.)info” where we should tell them that we were sent by a certain “cnv_id”. This server then pretended that we had clicked on it and sent us through another “temporary 302 redirect” to a web server called “redirect.usersupport(.)net”. UserSupport then performed another redirect which took us to the “att.usersupport(.)net” website.
https://themechallenge(.)club/click.php?key=abrrkduwznt79g18cx66
go.metreysi(.)info => hosted on LeaseWeb at 23.108.57(.)187
redirect.usersupport(.)net => hosted on 2606:4700:3032::6815:2b25
att.usersupport(.)net => hosted on 2606:4700:3031::ac43:da02
My guess is that all these other “go” sites that share the same IP address will also be involved in illegal “redirect” scams that start with SMS Blast.
By the way, do you remember the “key” we had to pass? Similar to our user agent, if you visit one of these sites and fail to pass it a “key”, it will simply redirect you to 127.0.0.1, which means “visit your own machine” .
Not just AT&T!
One of Zetalytics’ other tricks is that it can show me other hostnames on the same domain. (The term for this is called “PassiveDNS”)
It appears that “UserSupport(.)net” is also used to impersonate TikTok, CostCo, Walmart and Google, shipping company UPS, FedEx and US Postal Service, as well as cell phone providers AT&T, Comcast, Spectrum, T- Mobile. , and Verizon!
Since I haven’t received these particular SMS messages, I can’t access them. (I have the wrong “key” to start the channel.) But I’d love to see more if you’re willing to share a screenshot!
List of .info (and .xyz) domains abusing SMS spam that would be associated with these campaigns. It makes sense that there are exactly 100 of them.
1find(.)info
1fwnx(.)info
1nvc(.)info
2edcc(.)infos
2gtex(.)info
2ofgm(.)info
3mgie(.)infos
3ohmd(.)info
4gogm(.)info
4onnr(.)info
4onnr(.)info
6ghme(.)infos
6nbfu(.)infos
6omrf(.)infos
6wqbv(.)info
7botm(.)info
7gboe(.)info
7gboe(.)info
7uwhn(.)info
7wxcd(.)info
8bmxw(.)infos
9bmdx(.)info
a2sct(.)infos
a7tev(.)infos
applicationsc(.)info
applicationsf(.)info
bjdz2(.)xyz
bmeq9(.)info
bookc(.)info
bookx(.)info
cartm(.)info
cartm(.)info
map(.)info
faceg(.)info
faceg(.)info
faceh(.)info
facem(.)info
faceu(.)info
facey(.)info
fuwd2(.)info
gg0l(.)info
gi3t(.)info
gi3t(.)info
gitn4(.)info
go4(.)info
gotr6(.)info
gr8f(.)info
havec(.)infos
havec(.)infos
havec(.)infos
havec(.)infos
havec(.)infos
havec(.)infos
havej(.)info
have(.)info
hidej(.)info
hidej(.)info
hide(.)info
hide(.)info
hide(.)info
j1bcs(.)info
j1bcs(.)info
j2bmf(.)info
k2ave(.)infos
k4acr(.)info
k4acr(.)info
k8bvz(.)infos
kpl5(.)info
kpp8(.)info
kpp8(.)info
kse0(.)info
ktf4(.)info
l1bmz(.)info
l5brv(.)info
lgte3(.)info
m2cxn(.)info
m6cda(.)info
mbdz2(.)xyz
mqbvn(.)info
n4csv(.)information
n9cxr(.)info
name(.)info
pexw0(.)xyz
qkkk2(.)xyz
raini(.)info
rain(.)info
Rainz(.)info
s1vrk(.)info
s2avr(.)info
s2avr(.)info
s4asc(.)information
s6axe(.)info
s7axm(.)info
s8avx(.)info
toer9(.)info
toer9(.)info
vbjh9(.)xyz
wodm7(.)info
word(.)info
wosn9(.)info