A new phishing campaign was launched against the Irish users, providing an opportunity to review some tools for investigating this kind of activity.
This time the bad actors have crafted a HSE (Health Service Executive) themed phishing page. Victims will receive the malicious link via SMS, from a spoofed mobile number.
Malicious domains are being hosted on IP address 84.32.248.121, which belongs to a Lithuanian hosting service UAB Cherry Servers.
At the time of writing, the following domains registered between the 22nd – 23rd January were observed:
- https://omicron-covid19-pcr-test[.]com
- https://omicron-covid19-pcr-test1[.]com
- https://covid19-pcr-test2[.]com
It appears that the scammers will likely iterate domain names using digits, at least until they are successfully shut down by the hosting provider.
Interestingly, in December 2022 the same IP address was used to host another phishing site – previously scanned by URLscan:
- my.secure-income-verify[.]info
*
The fake HSE website is a crude phishing attempt not only due to the modus operandi, but also the execution level and the lack of attention to details.
Blatant capitalisation and spelling errors like “varient”, “apparant”, “recieved” or “havingg” should be an early red flag, even if the visual theme of the website might appear deceivingly legitimate.
Also, some of the links that were meant to be hyperlinked don’t open at all.
No phishing would be complete with the usual illicitation attempt of your credit card details!
The page actually performs a validation check on whatever card number is entered, making it impossible to proceed if an invalid card number is given.
A handy tool comes to the rescue – Credit Card Generator and validator from neaPay – used legitimally for testing purposes. It allows for generating invalid, non-existing card numbers in a valid format.
Snippet of source code performing the credit card number validation check:
The credit card details page is followed by a generic, fake 2FA verification prompt. The logic behind this part is to validate the phone number a user provides – so the scammers actually do send a code to the phone number provided by the prospective victim:
The final step looks like it will be “processing” in perpetuity, but in the event of providing an incorrect “one-time code” you will see an error message and a request to re-enter the code.
Although I would imagine that at least some people might at this stage get suspicious about this site.
Malicious site details
- Hosting provider – UAB Cherry Servers
- IP address and related domains:
- IP address reputation check:
- Subdomain scan (currently no subdomains detected):
- Virus Total scan:
- DNS iteration search:
- SSL certificate serial number: 04:86:6E:2D:66:12:C0:2F:3C:55:91:D7:BE:82:E5:95:23:76
- Shodan query for checking it – ssl.cert.serial:
- Certificate fingerprints:
- SHA256 – A5 86 64 83 95 2F 58 2A FB 6D 76 31 64 6F 09 E5 0E 05 54 CE B3 FE BE AE 63 DB B6 5E 6B 91 35 86
- SHA1 – 89 78 18 EC 55 3C B5 E8 FF 01 E8 11 7F AD 05 43 0D C9 EC 8F