Fake Chase SMS Text

If you receive a text like this:

It is a credential stealer.

I’ve modified the phone number in the screenshot and following post and also “defanged” the URL by placing brackets around it.

Automated Analysis

When analyzing a suspicious link you may think going to a site like urlscan.io would be the best approach. This works in some cases, however, be aware that some bad guys will actively evade calls from these types of sites (URL analysis sites). They will do this based on user-agent or the source IP address making the call.

Urlscan.io

In our case if you try to look up the malicious URL at urlscan.io you will see the site doesn’t even load:

VirusTotal

Virustotal shows nothing malicious

Joe Sandbox

Joe Sandbox was able to find the malicious redirect. Report here.

Manual Analysis

A standard curl to the site will 302 redirect you to a chase login stealer:

A curl with a user agent for an Iphone with IOS 11 will return a javascript that will also direct you to the password stealer:

curl -A "Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A356 Safari/604.1" https://zrruqhmedbbghufdta.page.link/Go1D?17735551234

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.