advertisement
Smishing Attack That Says “Mobile Payment Problem” – Don’t Fall For It!
Sure, old-fashioned text messages have fallen out of favour for personal communications, superseded round the world by instant messaging apps…
Sure, old-fashioned text messages have fallen out of favour for personal communications, superseded round the world by instant messaging apps such as WhatsApp, WeChat, Instagram, Telegram, and Signal.
But for brief, one-off business communications such as “Your home delivery will arrive at 11:30 today” or “Your one-time login code is 217828”, SMS is still a popular and useful messaging system.
That’s because pretty much every mobile phone in the world can receive text messages, regardless of its age, feature set, or ability to access the internet.
advertisement
Even if you’ve got no credit to send messages or make calls, no third-party apps installed, and no Wi-Fi connectivity, SMSes sent to you will still show up.
But O2 is one of the UK’s “big four” providers, with a market share of around 25%, giving the crooks, in this case, a 1-in-4 hit rate on purely random grounds.
Additionally, the first few digits of a UK mobile number are determined by the network that first issued it.
advertisement
So, for any user who hasn’t switched networks, or who dumped their old number when switching to a new SIM card, their current network provider can be deduced correctly anyway.
What’s the right link?
Assuming that the crooks have guessed your mobile provider correctly, it’s understandable to take a message like this one seriously.
Even if you know your account is paid up, it’s reasonable to assume that the error lies at the other end and needs checking out. (How often have you received a bill from a utility company that insists you owe money, tells you to pay up at once, yet also advises you to ignore the demand if you recently made a payment, because the legacy accounting system sometimes takes a while to catch up with internet reality?)
advertisement
So it’s tempting to check anyway, just in case.
Of course, you should spot that this message is fraudulent because even though the left-hand end of the website name in the clickable link looks realistic (o2.uk), it’s the right-hand end of any domain name that determines the owner.
In this case, the domain is [REDACTED].com – we’ve suppressed the actual name used here, but it was a string of unlikely characters that as good as told you that “this has nothing to do with O2 and is merely a random dot-com domain name that happened to be available”.
Once you have the right to use, say, example.com, you also have the right to use all the subdomains that end in example.com, all the way from aa.example.com to zz.zz.zz.[up to 254 characters in total].example.com.
Find your own way there
We strongly recommend that you pay close attention to links not only before you click them, especially if they arrived in an email, but also after you get to the final destination, which could be several hops – known as web redirects – from where you thought you would end up.
But in this case, there’s a better way to handle the situation than looking at the domain name – because if the crooks had tried harder they could have acquired a more believable, less phishy-looking name to use in their scam.
What better way is to avoid login links altogether.
After all, even though o2.uk.pnkduiwv.com looks obviously bogus, where do you draw the line between clearly fraudulent and possibly correct?
Many large companies have numerous variations of their mainstream domain name as landing pages for different parts of the business, in the way that Microsoft has the obvious microsoft.com, but also uses domains such as live.com, outlook.com and even microsoftedgeinsider.com, which is the official starting point for experimental builds of the Edge browser.
So, although o2.uk.pnkduiwv.com just doesn’t look legitimate, what about a domain such as o2-accounts-global.com, or a URL such as mobile-billing-and-payment.co.uk/o2?
Those would both be fake, but much less obviously so.
Both those domains were available when we checked. For under £4 we could have acquired them for a year, in both their dot-com and dot-co-dot-uk forms. Furthermore, the domain name company we used to get pricing has a default registration option that “send[s] our details to the domain registry, rather than yours, giving you anonymity and privacy.”
The obvious solution in cases like this, where you want to check if there really is a problem with your mobile phone account balance – or your credit card statement, or, your latest home delivery, or your streaming video subscription, or whatever it might be is to go directly to the account provider’s login page yourself, following a trusted link that you figured out for yourself earlier.
For O2, the genuine link right now seems to be https://accounts.o2.uk/signin, but don’t take our word for it, or anyone else’s word, for that matter.
If you know you are going to be paying O2 regularly, or any other online provider, get hold of the right web address directly from the company, or via the paperwork you received when you opened the account, and store it somewhere safe.
A password manager works well here: if you tell it exactly which login pages to use for which accounts and passwords, you’ll avoid being phished by fake URLs because your password manager simply won’t be able to help you on fake sites.
Browser bookmarks are another option; so is a simple text file saved on your laptop; or even a written list that you keep at home in your desk drawer for emergencies.
What if you click?
In this case, the scam site that asks you to sign in will look and feel familiar to any O2 customer:
It’s surprisingly close to the real deal – not pixel-perfect, but nearly so:
Amusingly, the crooks made one ironic mistake in cloning the text of the real sign-in page, mis-spelling the word “out” as “oot” (see the second-last line in each image), which we suspect will make our Canadian readers smile, eh?
You might expect that hovering over the [Sign in] button in the login forms above would pop up the URL to which your data is about to be sent, in the same way that hovering over a regular web link generally shows you where you will end up next.
But as we’ve lamented before, no mainstream browser does this, and the only way we know that helps you find out where your data is about to go is to use your browser’s developer tools and manually search the raw HTML for the relevant <form> tag.
In Chrome/Chromium and Edge, you can use 3 dots menu > More tools > Developer tools > Sources; in Firefox, we used Hamburger icon > Web Developer > Page Source to reveal the following HTML source code in the bogus page shown above:
If the <form> tag has an attribute (i.e. the text of the form key=value) stating action=, that’s where the data will ultimately end up.
By the way, many browsers let you type Ctrl-U in a web page to pop up the HTML in source form, but many rogue sites (and some legitimate ones) use JavaScript in their web pages to detect when you hit that combination in order to deceive you or to make it harder to view the raw content.
One scam site we examined recently, for instance, used this simple JavaScript to inhibit numerous keyboard shortcuts:
Trying to view the source of a scam web form directly from the page with Ctrl-U, therefore, produced a popup like this:
Use the Developer menus instead, as noted above, and – as far as we are aware – you will reliably get to the source code of the web page because the browser’s user interfaces themselves can’t be reprogrammed from JavaScript inside a web page you just visited.
What to do?
- Find your own way there. As we explained above, if you need to check the details of account X, ignore links in emails, IMs, or text messages, even if you think they are genuine. Find your way to X’s login page yourself. If you never click email login links, you always sidestep crooks who send them to you!
- Look for every hint of bogosity you can. This smishing attempt was surprisingly believable, with a legitimate-looking text message and a sign-in page that had an HTTPS URL, a valid encryption certificate, and near-perfect visuals. But the telltale signs were there nevertheless – a giveaway spelling blunder by the crooks on the login page, and obviously incorrect URL in the address bar, and a web form that uploaded your personal data to the very same bogus site. Take the time to look for signs of fakery – if the crooks make a visible mistake, take advantage of their error, and make sure they don’t get away with it!
- Consider an anti-virus with web filtering. Phishing prevention isn’t really about keeping the bad stuff, such as malware, out. It’s about keeping the good stuff, such as passwords, in. An anti-virus such as Sophos Home (available free for Windows and Mac) or Sophos Intercept X for Mobile (free for Android) doesn’t just block malware that tries to get onto your device but can help to stop you from getting to rogue web pages in the first place, thus keeping you one step further away from harm.