Today a reader contacted me with a suspicious text message they received from a purported Irish Revenue Online Service (ROS) number.
Sometimes even a cursory examination can reveal the true nature of these scams and no technical skills at all are required to determine that a text message containing a URL can be dangerous.
Let’s have a look.
Straight away, there are a number of giveaways here:
- The phone number – this is a US phone number, as indicated by the +1 country code.
- The URL link – here we have a URL shortened using this free service. The legitimate reason for shortening URLs is to make really long links appear neater. It is very unlikely that ROS would use a URL shortener. In this case, the intention of the scammer was to hide the true URL of his website…
- …which in this case has been partially revealed by the phone’s text messaging software.
If you are using the Revenue Online Service, you will know that the real ROS login link is:
https://www.ros.ie/myaccount-web
So this is clearly a scam.
But let us dig deeper.
1. Prepare your virtual environment
Before conducting any field research on malicious URLs, which at some point will inevitably require you to visit the rogue website, you must ensure that you protect your own system from potential compromise.
Even when investigating potential phishing links you cannot be sure that this is the only threat vector.
You don’t know if the website is free from malware that you might inadvertently install on your machine via a drive-by download.
Any standard virtual machine will do for this purpose. More information on what steps to take when preparing your virtual environment can be found here.
2. Phone number OSINT
The first point of focus should be the phone number – after all, this was the delivery method of the malicious link to the user.
Good place to start is Google, plain search first, then including search operators:
“+12568417086” OR “256-8417086″ OR ” 1 2568417086″
intext:”+12568417086″
allintext:”+12568417086″
site:”<whatever site you search>” intext:”+12568417086″
These methods might or might not yield the desired results, which will also vary in accuracy and details.
Phone lookup websites come and go. Searching for EU-based phone numbers has been hampered since the introduction of the GDPR. However, searching for non-EU numbers on specific websites might still be effective.
I searched for the phone number on the following sites (with no results, sadly):
https://www.truecaller.com/search
https://www.anywho.com/reverse-phone-lookup
This list is by no means exhaustive, there are dozens more reverse phone lookup sites.
The ones that did yield some results included:
https://www.whitepages.com/phone/1-256-841-7086
https://www.411.com/phone/1-256-841-7086
https://www.revealname.com/256-841-7086
The revealname and numlookup websites both offered an additional snippet of information that allowed me to pivot into a more specific direction.
Twilio is a Voice over IP (VoIP) provider and its business model is to create a bridge between the traditional and cellular telephony and the Internet.
More details on how it works here.
As a Twilio customer you can buy a virtual phone number and use it as if you’re using your own real mobile, with the exception that Twilio provides a degree of separation and an extra layer of privacy.
This is what the scammer availed of in this case.
To conduct look-ups with Twilio, you need to have an account with them. You can avail of a free trial, which will also give you some free credits towards look-ups.
Twilio look-ups cost:
- $0.01 per Caller Name you look up
- $0.005 per Carrier details you look up
In this case we have hit a dead end. No further information is available on Twilio.
Law enforcement officers investigating a scam like this could explore this further and request additional subscriber information from Twilio under a court warrant / subpoena, such as the IP address used to create this account, email address, personal information (if any), payment details on record, and so on.
3. Dealing with the shortened URLs
I would always advise extreme caution before clicking on any shortened URL – the link can lead absolutely anywhere and it’s not immediately clear what the destination might be.
Luckily there are several methods for unshortening these URLs.
Many shortened links can be explored by simply adding a ‘+’ symbol at the end of the shortened URL in the your browser’s URL tab. This will work majority of the time, but it depends on the compatibility of the URL shortening service.
Note that instead of the ‘+’ symbol, in order to unshorten your link some of these services require different symbols, like:
- a hyphen ‘-‘;
- a question mark ‘?’
- a tilde ‘~’
So in the case of our shortened malicious URL the unshortened result is:
In this case the service used to shorten our link was Rebrandly – the URL shortening platform that offers plenty of additional statistics pertinent to that link, such as the number of total clicks, browsers, devices, social media referrals and more.
You can browse the detailed stats on user interactions with this particular link here.
Other ways to investigate shortened URLs include installing a dedicated browser extension or going directly to online resources that will do the job for you, with varying degrees of details.
Examples of these include:
4. The malicious website
Time to visit the malicious site itself – using the safe virtual machine.
The cursory look at the true URL tells us that this website is hosted on the Azure East US 2 server – a Microsoft cloud computing platform.
The whole website is just one single fake login page, designed to impersonate the real Revenue Online Services website.
This is what the fake page looks like and there we have both login pages compared side by side:
The only functionality the fake web page has is to harvest and store any login credentials a victim would populate into the text fields.
The stolen credentials could then be used to log in to the legitimate web page and steal any information within, leading to potential identity theft and almost certainly a wave of cyber attacks against the victim.
Additional information can be obtained by conducting website OSINT.
One of my favourite tools for this is urlscan.io, which I mentioned many times previously.
It revealed the website’s IP address as well as some further information which I highlighted below:
Urlscan.io detected 5 structurally similar pages hosted on different IP addresses – something that was not obvious to us initially.
It seems that the scammers cloned the malicious website at least 4 more times and loaded it up using separate Microsoft Azure instances, while maintaining the same mode of operation.
Searching for the IP address with Central Ops confirms that it indeed belongs to Microsoft.
More importantly, it gives us an avenue to take action against the scammer – by reporting all the sites to Microsoft and asking for their removal.
To report suspected security issues specific to traffic emanating from Microsoft online services, including the distribution of malicious content or other illicit or illegal material through a Microsoft online service, please submit reports to:
* https://cert.microsoft.com. For SPAM and other abuse issues, such as Microsoft Accounts, please contact:
* abuse@microsoft.com.
This is exactly what I did in this case.
All these websites have been taken down since I reported them, and more so, Google Safe Browsing has also classified both the shortened links and the true URLs as malicious.
So right now all the links have a very obvious safety warning displaying before one can continue on to the website – meaning that a Google Chrome user will receive ample warnings before they even have a chance of inadvertently handing over their credentials to the scammer.
So, a small victory in a whack-a-mole never-ending war against online scams!
Great review very detailed and easy to understand
Nice piece of work… found it amusing however that you advise folk not to click on shortened url’s then include them in your article… of course some of the US based engines that you used for searching also decline to assist EU based personnel because of concerns about GDPR, but you can often get around this by either using a van or even on occasion changing your language settings to English (US).
Nice write-up!
May I suggest https://app.any.run for using the malicious URL? It collects a ton of information, without the need to setup or start a complete VM, just for visiting a single website.
OSINT Research
Also the good aul Virus Total will do the job: https://www.virustotal.com/gui/home/url
Hi Matt, thanks for this guide. I would suggest adding to your phone lookup websites list:
1) https://www.reportedcalls.com/ – phone numbers reported to the U.S. Federal Trade Commission and/or Federal Communications Commission.
2) https://www.thisnumber.com/ – phone numbers found in the United States federal, state, local, and other government datasets.
What’s up it’s me, I am also visiting this web page on a
regular basis, this web site is in fact good and the
viewers are genuinely sharing nice thoughts.