
Gotta Catch 'Em All: Phishing, Smishing, and the birth of ScanMySMS

BSides TLV 2024 · 21:33 · 310 views · Published 2024-08 · Watch on YouTube
Style: Talk
About this talk
Speaker: Sharon Brizinov

Living in Israel and being bombarded with pesky smishing messages demanding a payment of 6.39 NIS to release a nonexistent package from post office customs is a common Israeli experience. Like many others, we initially brushed off these messages as spam and paid little attention. It wasn't until a relative tearfully revealed she had fallen victim to the scam that we decided to take action. In this session, we will delve into the origins of the ScanMySMS project, a platform we created to empower individuals to verify the legitimacy of the SMS they receive, all at no cost. The platform incorporates a sophisticated automation process that simulates a potential victim interacting with a phishing link. It collects key indicators to understand the malicious nature of a given URL. Additionally, we introduced a human element by developing a system for volunteers who can actively assist in classifying messages and links if the automation is unable to provide a verdict in real time. Throughout the session, we will showcase numerous examples of phishing campaigns, particularly during the October 7th war, and reveal how we identified and thwarted their operations. Throughout the war, the ScanMySMS project, along with its dedicated volunteers, successfully detected, reported, and neutralized thousands of phishing and smishing campaigns targeting popular Israeli services such as banks, payment platforms, post offices, government websites, and more. Our message is clear: Together we stand, together we hack.
Transcript [en]

Thank you very much. Can you hear me? Yes? Can you hear me? Yeah, sounds good. So hi everyone, my name is Sharon, and today I'm here to talk to you about ScanMySMS. This is a hobby side project, or a volunteer project, that I created together with my friend Amit, who could not come here today. I'm a security researcher, and I really like to do some side projects, and I really like to help people, so we tried to combine these two hobbies into something that could be helpful.

So how did this project start, and what is this project? I'm sure that all of you have received at some point in your life a kind of message from your grandma or your mother or father: "Hey, I received this text message, do you know if it's a scam?" Now obviously, 99% of the time that you receive such messages, these are actually scams and phishing. So I used to receive these messages from my grandma, from my mom; she just screenshotted a text message and sent it to me, and obviously it's a scam. I received it from my father, from my friend (yeah, this is a great presentation), from my friend again, a screenshot of a text message asking me if it's a scam or not. Obviously it's a scam. Scam, come on.

And the last straw in the sequence was my wife. She told me, "Hey, I got this message. Don't worry, I took care of all the bureaucracy. All is good, you don't need to worry." And I was like... I'm sure it happened to most of you, at least from your close circles, close friends, families. But when this story happened, I had some difficulties sleeping at night, and I thought about how it is possible that in 2024, 2023, we're in Israel, the cyber nation, and we don't have a simple solution to understand if a stupid text message is a scam or not. So the same night, it was 2 a.m., I called my friend Amit and told him, "Hey, I have this solution. I know how to program everything. I have the architecture, I have the layout, I have everything we need." And he was like, "Dude, it's 2 a.m. What do you want from me? I have no idea what you are talking about." So obviously I explained everything, and he told me he had some similar stories from his friends and families, so we were really onto it, and we said, "Yeah, let's go, let's do this," and we invented ScanMySMS.

So basically ScanMySMS is a simple solution, a platform, free for everyone to use, where you can just copy-paste a text message, or an email actually, and just click "check", and you'll receive a very, very simple answer: is it safe or not? Suspicious, malicious, or trusted. The most important thing for us was to make it very, very simple to use, because we wanted the general public to be able to use it. For example, we wanted to make your grandma happy and able to easily use this product. But we also wanted to make it more reliable for folks like you that are more technical, so we wanted you to trust the platform. So we added a lot of different indicators into the platform that will tell you why you should trust the answer. For example, we're saying how many times this specific text message was searched. We also take a screenshot from the automation that I will talk about in a minute. We're adding some... not sure why the slides don't work properly... but we're adding some information about the SSL certificates, stuff that we're scraping from the endpoint, IP addresses, and a lot more indicators that can help the nerds, the technical guys, to trust the platform. Now, this platform is completely free. It's a side project; we're using this to help people, and it's completely on a volunteering basis.

But as we started this project, we saw more and more and more cases of how phishing and scams are being utilized in Israel. So let me tell you about the anatomy of modern phishing or smishing in Israel, and afterwards I will talk about how the platform actually works from a technical perspective.

So obviously, scams in Israel and all over the world have this goal: to get more money. So it's a financial gain, in most cases a financial gain scam, where eventually the attackers want to get credit cards. So they start with a single credit card that they're taking from a kind of dark web platform, Telegram channels. They're buying this first credit card, and this credit card is being used alongside a CSV, which is a phone list of all the phones in Israel, and these two elements are entered into a digital marketing platform that basically helps digital companies, or companies in general, to send batches of SMS, just like you're receiving from your bank, just like you're receiving from different restaurants. So they're just getting the CSV and the credit card to buy some tokens, and they just send a lot of SMS. The SMS obviously are being sent through the mobile operator to the end users, and this is when you receive stuff like this. So the attackers are using the stolen credit card alongside a huge list of sequential running numbers of all the numbers in Israel, so for example 052 00 1, 00002, etc., and then you receive these messages.

So for us, obviously it's a scam, but for non-technical folks it's really difficult for them to understand, because they see "post", they see a package, they're waiting for a package. It really makes sense for them that they received this message. And we're receiving a lot of different messages from financial services in Israel, like Bit, banks. We're receiving a lot of different messages, and again it's really difficult for folks to understand if it's a scam or not. So once people received the SMS, they probably entered the link, because they need to do some kind of action if they want to receive their parcel; they needed to pay some kind of fee, which makes sense overall, right? Because they are mimicking real SMS, real scenarios in Israel, and generally, when you receive a package you need to pay something, or sometimes you need to update your personal information. So for example, what you see here is classical phishing on Bit: you need to update your Bit credentials, or you need to update your Bit information, for example the owner of the card, etc. And the scammers are using all of these phishings in order to get PII data and in order to get credit card data.

So we're seeing a lot of different examples, from banks to toll roads like Kvish Shesh, to Bit as we've seen; even the Israeli government is being mimicked in scams, and more and more and more examples. These few examples are just from the last month, from the post office to credit card companies to Bit to everything that you're seeing; I'm sure that you're seeing it in the messages that you receive on your phone. So the most attacked, or the most mimicked, or the most popular scams in Israel are the post office, the banks, specifically Bit, DHL for some reason, not sure why, and also the Israeli government. So these are the most targeted campaigns in Israel for scams. There are hundreds of different phishings and campaigns and scams against a lot of different organizations, but these are the most popular. I think it's the most popular because many people are falling for this, because, for example, with the Israeli Post, they're waiting for a package, so it makes sense for them to receive a text message to pay something for their package, because they're actually waiting for this.

So what I described up until now is like the simple, the most intuitive phishing scam: you get a text message, you enter the website, you enter the details of your credit card or your information, and that's it, the attacker has this information. But the more sophisticated, or the harder, phishing campaign is to steal OTP tokens, one-time passwords. So OTP is really the kind of modern way to combat password stealing and information stealing, but there are still today modern phishings and scams that actually steal the OTP. So let's see how it goes. First of all, the victim receives a text message like this. This is actually a campaign that was on Israeli communication infrastructure, and they received it like two weeks ago. Obviously the website here is not Cellcom, right? But some people do not understand, and they still click on the link. Now once they click on the link, they're greeted with a Cellcom-like website. Obviously this is a scam, right? But still people are falling for this, and they need to enter their phone number. So they enter the phone number because they want to log in to their Cellcom account, and once they're entering their phone number, the automation of the attackers actually takes this phone number and puts it into the real Cellcom website. Now the real Cellcom website receives the phone number and says, "Oh yeah, I know, this is one of my customers, let's send them an OTP message," and then the victim receives this kind of message with the OTP code, which they enter into the phishing website, into the attacker's hands. And the attacker's automation (again, everything is automated) takes the OTP, enters it into the real website, and then redirects the user to Cellcom, and now the user needs to log in again. They don't understand what's going on, but still it's not very suspicious. And here the attacker actually stole the OTP token and they have an active session into the victim's account. Now what can they do with, for example, Cellcom? They can SIM-swap the SIM into an eSIM and then enter the eSIM credentials and receive all of the victim's text messages. So the further scams here could be to steal the Gmail, could steal crypto tokens, because from now on they have the eSIM of the victim and they can receive all the text messages of the victim. So this is a very dangerous scam to fall into.

Now obviously the result of all of what we said is a financial gain. So the end result for everything is always the same: the attacker receives a lot of different credit cards, and then they repeat this scam again and again and again and again. Maybe they sell, they mass-sell all the credit cards, and they get more money, your money. So this is how modern scams and phishings work, and we wanted to combat this somehow. So we wanted to get all the phishings, we wanted to give a really simple solution for people to understand if something is phishing or not, and we developed ScanMySMS.

Now I have a question for you. Do you see this message? Please raise your hand if you think this is a phishing. Okay, almost everyone thinks it's a phishing. If you don't think it's a phishing, raise your hand. Even if it's a binary question, okay, I just want to see if you participate. So this is actually a legitimate SMS from a legitimate credit card company, and this test just proves that it's possible... to say and to understand if a text message is phishing or not, it's impossible, because of multiple elements. First of all, the link is being shortened, so they're using a third-party platform to shorten the link, so it's impossible for us to just look at the link and say if it's phishing or not, right? You need to actually enter the link. Second of all, the message is very short and it has a sense of urgency, so it really feels a bit scammy. And third, the sender ID can be easily mimicked and can be easily changed and can be easily modified, because there is no authentication in the SMS protocol. So it's really, really difficult, up to impossible, without entering the link, to understand if a text message you receive is phishing or not.

So in order to combat this, we developed a fully autonomous automation that actually takes all the messages and mimics user activity, victim activity. So it will take the text message, it will enter the link, and it will actually unfold and follow all the redirects of the link in order to actually say to the attacker, "Please give me the phishing." Now once we receive the phishing, we are actually scanning all the redirects, we're scanning all the indicators, and we're scanning a lot of different elements in the end-result website. So what are we looking at? So for example, we're looking at all the domains in the redirect, we're looking at all IP addresses, we're looking at the certificates, we're looking for resources in the HTML, we're looking for keywords. For example, if you see a Bit logo like you see here (it's a financial service in Israel), so if you see a Bit image in a website that is not Bit, obviously it's very suspicious, right? Obviously it's very suspicious. So we're looking at different images, we're looking at the text, we're looking at the URLs that we're extracting from the HTML, and we have all this information, which we are kind of converting into indicators that we can work with. We're combining this with different blacklists and whitelists, third-party DB reputations, and we're kind of combining everything into one algorithm that outputs eventually if a website is phishing or not phishing. So we want to give a very simple answer, yes or no, because again, most people are not technical and they just want to know: is this a phishing, is this a scam or not?

Now sometimes the automation fails, because everything looks good: there are no indicators on the domains, there are no indicators on the IP addresses, so everything looks normal; we didn't find anything suspicious, but still we're not 100%, the automation is not 100% sure that this is a legitimate website. So what do we do? We developed a system for volunteers that can actually see all the unclassified links or unclassified messages, and they receive from the automation all the technical background, for example all the domains, all the reputation of the domains, all the resources, all the images. So it kind of generates a report that is sent to the volunteering system, and then the volunteers, anyone who is available, can actually classify the websites whenever they have time. So if you look at this message, for example, this component from the volunteering system, we see that the website is actually a legitimate one. So if you search this in VirusTotal, for example, or in other reputation engines, you'll see that this is a really benign website; it's a good and trusted website. The problem I have in this scam: the attackers actually hacked this website and implanted malicious code, a malicious phishing kit, that enabled them to actually scam people and perform the phishing activities. So this, for example, for autonomous automations, is really difficult to understand easily if it's a phishing or not, and using our volunteering system, whenever our volunteers have time, they just go on the platform and they just classify. As you can see here, the verdict is "unknown" by the automation, but someone actually clicked, one of the volunteers clicked, on the "malicious" button, which classified this as malicious, and it transfers the information in time to the user who checked it, so they actually get an immediate response if a volunteer is available and if the automation was not able to automatically detect it. And we did all of this because we really wanted people to have a platform they could trust; we really wanted people to have something that they could rely on, because it's so difficult to understand if text messages are actually scams or not.

So let's go over some statistics. Obviously, from October '23 we've seen a peak, we've seen huge amounts of phishings; we're seeing from October a lot, thousands of different phishing campaigns, hundreds of domains every week, and we're trying to combat everything. And how do we combat this? We combat this by taking all the phishing domains that we're finding and we're sending this to the Israel... it's called INCD, Ma'arach HaCyber, Israeli National Cyber Direct... something, and they take the domains and they try to take them down. So it's really a good collaboration between us finding the phishing and the INCD that are trying to close all the domains.

Now as we mentioned, one of the problems with text messages is that they contain shortener links, and some of them are actually legitimate. For example, tinyurl.com is a legitimate service, but it's being utilized as a malicious service and it is being mis-utilized by scammers in a lot of different phishing attempts.

Now to finalize this session, we also created... so we have a huge database, right, of all the phishings in Israel. So we created a kind of small game that you can actually enter the website, scanmysms.com, and play. It's called "Phish or Chips", where you can actually play by yourself; you get different text messages and you need to classify whether it's a phishing or not. And again, we did this to make some more awareness; we wanted people to understand better how to identify phishing by themselves. So you're welcome to play it, and that's it. Thank you very much. [Applause]
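The redirect-unfolding and indicator-scoring flow the speaker describes (follow the shortened link the way a victim would, record every domain in the chain, flag a brand logo on a domain that does not belong to that brand and a credit-card form on the landing page, and fall back to an "unknown" verdict for the volunteer queue), as an added, simplified illustration; this is not ScanMySMS's code. The web pages, domains, shortener set and brand allow-list below are constructed and hypothetical, and a real deployment would fetch over HTTP from an isolated sandbox and add the certificate, IP and reputation lookups mentioned in the talk.

```python
import re
from urllib.parse import urlparse
# Constructed stand-in for the web (hypothetical domains): url -> (status, Location, body).
FAKE_WEB = {
    "https://tinyurl.com/abc123": (302, "http://post-delivery.example/track", ""),
    "http://post-delivery.example/track": (302, "http://post-delivery.example/pay", ""),
    "http://post-delivery.example/pay": (200, None, '<html><img src="/static/bit-logo.png">'
        '<form><input name="card_number"><input name="cvv"></form></html>'),
    "https://bit.example/login": (200, None, '<img src="bit-logo.png"><input name="phone">'),
}
SHORTENERS = {"tinyurl.com", "bit.ly"}
BRANDS = {"bit": {"bit.example"}, "cellcom": {"cellcom.example"}}  # brand -> its real domains (constructed)
ALLOWLIST = set().union(*BRANDS.values())
CARD_FIELDS = re.compile(r'name="(card|cvv|pan|expir)', re.I)

def fake_fetch(url):
    return FAKE_WEB.get(url, (404, None, ""))  # unknown URL: dead link, empty body

def expand_chain(url, fetch, max_hops=10):
    """Follow redirects the way a victim's browser would; return (chain, landing body)."""
    chain = [url]
    for _ in range(max_hops):
        status, location, body = fetch(url)
        if status not in (301, 302, 303, 307, 308) or not location:
            return chain, body
        url = location
        chain.append(url)
    return chain, ""  # too many hops: nothing to inspect, verdict falls to "unknown"

def extract_indicators(chain, body):
    domains = [urlparse(u).hostname for u in chain]
    final = domains[-1]
    return {
        "domains": domains,
        "shortener": any(d in SHORTENERS for d in domains),
        # brand logo/keyword served from a domain that does not belong to the brand
        "brand_mismatch": [b for b, legit in BRANDS.items()
                           if re.search(rf"\b{b}\b", body, re.I) and final not in legit],
        "card_form": bool(CARD_FIELDS.search(body)),
        "final_domain": final,
    }

def verdict(ind):
    if ind["brand_mismatch"] and ind["card_form"]:
        return "malicious"
    if ind["brand_mismatch"] or (ind["shortener"] and ind["card_form"]):
        return "suspicious"
    if ind["final_domain"] in ALLOWLIST:
        return "trusted"
    return "unknown"  # nothing conclusive: hand the report to the volunteer queue

def scan(url, fetch=fake_fetch):
    chain, body = expand_chain(url, fetch)
    ind = extract_indicators(chain, body)
    return verdict(ind), ind
```

The indicator dictionary is what a volunteer would receive alongside the verdict when it comes back as "unknown".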