
myhermes-sendungs.com

Open technikamateur opened this issue 3 months ago • 10 comments

Phishing Domain/URL/IP(s):

https://Myhermes-Sendungs.com

Impersonated domain

https://www.myhermes.de/

Describe the issue

This page tries to get your personal data and says that you need to pay money in order to get "your parcel".

Related external source

Screenshot


technikamateur avatar Apr 28 '24 21:04 technikamateur

I'm currently getting a 404 from the link you reported, do you have any other URIs from that domain? https://urlscan.io/result/aea62ea0-3bdb-4eb5-ade7-dfca444678f4/

g0d33p3rsec avatar May 01 '24 14:05 g0d33p3rsec

Get 404 as well, closing as solved

spirillen avatar May 01 '24 16:05 spirillen

Hi @spirillen @g0d33p3rsec , I got another phishing SMS today, with the same URL. I am using a recursive DNS and it is still resolvable. Urlscan can resolve it too. https://urlscan.io/result/42f4b4d1-e710-44f9-81c4-0f8c22539083/


technikamateur avatar May 05 '24 09:05 technikamateur

Urlscan can resolve it too.

URLScan returns a 404. These screenshots are from the scan you linked. VirusTotal shows the site as malicious but the last scan was 15 days ago. There is a scan on urlscan from the same date, but it includes no results. Does the URL include an endpoint other than that which you scanned? I attempted to find other URIs via a search engine but I'm not seeing anything. I don't doubt that you've received a lure, I'm just unable to confirm the malicious content. This does look like a ruse similar to the USPS/FedEx/UPS delivery scams that we see here in the US. If you're still receiving smishing messages, you can forward them to 7726 (Spam).

g0d33p3rsec avatar May 05 '24 12:05 g0d33p3rsec

Thanks for your reply @g0d33p3rsec. I can still visit the site. Screenshot attached. I tried to access it with a VPN to the USA and I get 404. Seems to be based on your location or browser language... If you can't confirm it, then it is what it is.

technikamateur avatar May 05 '24 13:05 technikamateur

I tried to access it with a VPN to USA and I get 404. Seems to be based on your location or browser language

Thank you for the additional information. URLScan allows you to specify the source of the scan as well as the user-agent and referrer headers. I'll try adjusting some of the parameters to see if I can confirm the behavior that you are seeing.

g0d33p3rsec avatar May 05 '24 14:05 g0d33p3rsec

I'm still unable to reproduce your results but don't doubt that you are seeing the reported behavior. On urlscan, if you click the options button before initiating the scan you can adjust the related parameters. @technikamateur if you can try setting the scan so that it matches the headers you are sending to obtain your reported results you may have better luck than I. I suspect the site may be using a traffic distribution system and geofencing to avoid inspection by researchers.

g0d33p3rsec avatar May 05 '24 14:05 g0d33p3rsec

Hi guys

@technikamateur, is it possible for you to share a screen dump of the mail(s) you have received + the full source of it? That can help us verify that the destination is remaining active and should be blocked.

And thanks for the screenshot you posted, would have wished you had added it to the original post.

spirillen avatar May 05 '24 14:05 spirillen

Hi, thanks for your investigation. I tried to include a Screenshot when I created the pull request on my phone, but seems like it did not work. I'll attach two screenshots of SMS. Both from different numbers. The dates are included in the SMS. The first one is from yesterday.

Is there also a way to report the abuse of phone numbers somewhere?

technikamateur avatar May 06 '24 06:05 technikamateur

I will also try to play around with urlscan. Thanks for your explanation! I hope, I will find some time this evening.

technikamateur avatar May 06 '24 06:05 technikamateur

I will also try to play around with urlscan. Thanks for your explanation! I hope, I will find some time this evening.

My pleasure. I think it is an invaluable tool for this sort of thing. Their dataset is also useful for pivoting through to find related content. Recorded Future also offers an automated sandbox environment that allows free users many more options than their competitors.

Related to the SMS screenshots, I do see related negative intelligence. https://twitter.com/tellows_de/status/1786655299593482533 https://www.tellows.de/num/017640154775

g0d33p3rsec avatar May 06 '24 14:05 g0d33p3rsec

Is there also a way to report the abuse of phones numbers somewhere?

You can forward the message to 7726 (SPAM) which should trigger an investigation from your provider.

https://www.ofcom.org.uk/phones-telecoms-and-internet/advice-for-consumers/scams/7726-reporting-scam-texts-and-calls
https://consumer.ftc.gov/articles/how-recognize-and-report-spam-text-messages
https://www.getcybersafe.gc.ca/en/blogs/reporting-spam-text-messages-7726

Another option that I sometimes use is to report the site to the company who they are impersonating. At least in the US, that can offer them grounds to issue a DMCA take down request (a law I'm no fan of but if it's there we might as well make it do something good).

g0d33p3rsec avatar May 06 '24 14:05 g0d33p3rsec

I'm not able to fake everything with urlscan so that it works. I also tried to access the web page with my vserver in Frankfurt: also 404. I think the webpage allows only IPs from Telekom and Vodafone (our local internet companies for private users), so it will be impossible for you to reproduce.

If you try to access a directory, e.g. https://myhermes-sendungs.com/css/, you'll get a 403 (Forbidden). Interesting.

I created a full dump of the webpage in case you want to have a look...Hermes Paketversand.tar.gz

Aren't my SMS + webpage screenshots + the comments on https://www.tellows.de/num/017640154775 enough for an entry in your list?

Btw: 7726 does not exist in my country :(

technikamateur avatar May 06 '24 18:05 technikamateur
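The header-variant re-check g0d33p3rsec describes above, as an added Python example that is not part of this thread or of any project's code: it requests the same URL under several constructed User-Agent / Accept-Language combinations and flags the result as cloaked when some variants are served content while others are refused. The placeholder URL and the simulated fetcher (which mimics the 404 and /css/ 403 behaviour reported here) are assumptions; as technikamateur's vserver test shows, a gate keyed on the visitor's network cannot be reproduced by changing headers, so a run with no variance is inconclusive rather than a clean result.

```python
import urllib.error
import urllib.request

# Constructed header variants for re-checking a reported lure that 404s for the
# reviewer but loads for the victim (a German mobile user in this thread).
VARIANTS = {
    "desktop-en": {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0",
                   "Accept-Language": "en-US,en;q=0.9"},
    "android-de": {"User-Agent": "Mozilla/5.0 (Linux; Android 13; Mobile) Firefox/125.0",
                   "Accept-Language": "de-DE,de;q=0.9"},
    "iphone-de": {"User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Mobile/15E148",
                  "Accept-Language": "de-DE,de;q=0.9"},
}


def fetch_status(url, headers, timeout=10):
    """Live fetcher: HTTP status for url under the given headers (None on network error)."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 4xx/5xx are results to record, not failures
    except urllib.error.URLError:
        return None


def simulated_fetch(url, headers):
    """Constructed stand-in for the reported site so the probe runs offline:
    content only for German-language mobile visitors, 404 for everyone else,
    and 403 on a directory path (the /css/ observation from this thread)."""
    if url.rstrip("/").endswith("/css"):
        return 403
    german = headers.get("Accept-Language", "").startswith("de")
    mobile = "Mobile" in headers.get("User-Agent", "")
    return 200 if german and mobile else 404


def probe(url, fetch=fetch_status, variants=VARIANTS):
    """Map each variant name to the status the site returned for it."""
    return {name: fetch(url, hdrs) for name, hdrs in variants.items()}


def looks_cloaked(results):
    """True when at least one variant got content while another was refused."""
    codes = {c for c in results.values() if c is not None}
    return any(c < 400 for c in codes) and any(c >= 400 for c in codes)


if __name__ == "__main__":
    # Placeholder host; substitute the reported URL and fetch_status to run live.
    results = probe("https://reported-domain.invalid/", fetch=simulated_fetch)
    print(results, "cloaked" if looks_cloaked(results) else "no header-based variance")
```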

Aren't my SMS + webpage screenshots + the comments on https://www.tellows.de/num/017640154775 enough for an entry in your list?

Yes, they are, now that I can see them. I'm using tor for privacy, so it ain't all the time I get the images right, sometimes they are just all white.

Can I ask you to rebase the commit?

PS: interesting, there are 2 and 1/4 Germans in this thread...

spirillen avatar May 06 '24 23:05 spirillen

Thanks for your patience and commit. It's been a pleasure to work together with you both

spirillen avatar May 07 '24 20:05 spirillen

Thanks for your patience and commit. It's been a pleasure to work together with you both

Thanks to you two. I've learned a lot :)

technikamateur avatar May 08 '24 20:05 technikamateur