{"id":809,"date":"2020-05-10T19:30:53","date_gmt":"2020-05-10T19:30:53","guid":{"rendered":"https:\/\/osintme.com\/?p=809"},"modified":"2020-05-11T15:47:52","modified_gmt":"2020-05-11T15:47:52","slug":"a-guide-to-investigating-scam-text-messages-and-websites-fake-revenue-online-page","status":"publish","type":"post","link":"https:\/\/osintme.com\/index.php\/2020\/05\/10\/a-guide-to-investigating-scam-text-messages-and-websites-fake-revenue-online-page\/","title":{"rendered":"A guide to investigating scam text messages and websites – fake Revenue Online page"},"content":{"rendered":"\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

Today a reader contacted me with a suspicious text message they received from a purported Irish Revenue Online Service (ROS) number.<\/p>

Sometimes even a cursory examination can reveal the true nature of these scams and no technical skills at all are required to determine that a text message containing a URL can be dangerous.<\/p>

Let’s have a look.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t

\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"\"\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

Straight away, there are a number of giveaways here:<\/p>

  1. The phone number<\/strong> – this is a US phone number, as indicated by the +1 country code.<\/li>
  2. The URL link<\/strong> – here we have a URL shortened using this free service<\/a>. The legitimate reason for shortening URLs is to make really long links appear neater. It is very unlikely that ROS would use a URL shortener. In this case, the intention of the scammer was to hide the true URL of his website…<\/li>
  3. …which in this case has been partially revealed<\/strong> by the phone’s text messaging software.<\/li><\/ol>

    \u00a0<\/p>

    If you are using the Revenue Online Service, you will know that the real ROS login link is:<\/p>

    https:\/\/www.ros.ie\/myaccount-web<\/a><\/p>

    So this is clearly a scam.<\/p>

    But let us dig deeper.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t

    \n\t\t\t\t\t\t
    \n\t\t\t\t\t
    \n\t\t\t
    \n\t\t\t\t\t\t
    \n\t\t\t\t
    \n\t\t\t\t\t

    1. Prepare your virtual environment<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
    \n\t\t\t\t\t\t
    \n\t\t\t\t\t
    \n\t\t\t
    \n\t\t\t\t\t\t
    \n\t\t\t\t
    \n\t\t\t\t\t\t\t\t\t

    Before conducting any field research on malicious URLs, which at some point will inevitably require you to visit the rogue website, you must ensure that you protect your own system from potential compromise.<\/p>

    Even when investigating potential phishing links you cannot be sure that this is the only threat vector.<\/p>

    You don’t know if the website is free from malware that you might inadvertently install on your machine via a drive-by download.<\/p>

    Any standard virtual machine will do for this purpose. More information on what steps to take when preparing your virtual environment can be found here<\/a>.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t

    \n\t\t\t\t\t\t
    \n\t\t\t\t\t
    \n\t\t\t
    \n\t\t\t\t\t\t
    \n\t\t\t\t
    \n\t\t\t\t\t\t\t\t\t\t\t\t
    \n\t\t\t\t\t\t\t\t\t\t\"\"\t\t\t\t\t\t\t\t\t\t\t
    Virtual environment from Virtual Box<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
    \n\t\t\t\t\t\t
    \n\t\t\t\t\t
    \n\t\t\t
    \n\t\t\t\t\t\t
    \n\t\t\t\t
    \n\t\t\t\t\t

    2. Phone number OSINT<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
    \n\t\t\t\t\t\t
    \n\t\t\t\t\t
    \n\t\t\t
    \n\t\t\t\t\t\t
    \n\t\t\t\t
    \n\t\t\t\t\t\t\t\t\t

    The first point of focus should be the phone number – after all, this was the delivery method of the malicious link to the user.<\/p>

    Good place to start is Google, plain search first, then including search operators:<\/p>

    “+12568417086” OR “256-8417086″ OR ” 1 2568417086″<\/strong><\/p>

    intext:”+12568417086″<\/strong><\/p>

    allintext:”+12568417086″<\/strong><\/p>

    site:”<whatever site you search<\/em>>” intext:”+12568417086″<\/strong><\/p>

    These methods might or might not yield the desired results, which will also vary in accuracy and details.<\/p>

    Phone lookup websites come and go. Searching for EU-based phone numbers has been hampered since the introduction of the GDPR. However, searching for non-EU numbers on specific websites might still be effective.<\/p>

    I searched for the phone number on the following sites (with no results, sadly):<\/p>

    https:\/\/sync.me\/<\/a><\/p>

    https:\/\/www.truecaller.com\/search<\/a><\/p>

    https:\/\/spamcalls.net\/en\/<\/a><\/p>

    https:\/\/800notes.com\/<\/a><\/p>

    https:\/\/www.unknownphone.com\/<\/a><\/p>

    https:\/\/whocallsme.com\/<\/a><\/p>

    https:\/\/www.anywho.com\/reverse-phone-lookup<\/a><\/p>

    https:\/\/www.zabasearch.com\/<\/a><\/p>

    https:\/\/www.spydialer.com\/<\/a><\/p>

    http:\/\/www.phonelookuper.com<\/a><\/p>

    This list is by no means exhaustive, there are dozens more reverse phone lookup sites.<\/p>

    The ones that did yield some results included:<\/p>

    https:\/\/www.whitepages.com\/phone\/1-256-841-7086<\/a><\/p>

    https:\/\/www.411.com\/phone\/1-256-841-7086<\/a><\/p>

    https:\/\/www.revealname.com\/256-841-7086<\/a><\/p>

    https:\/\/www.numlookup.com\/<\/a><\/p>

    The revealname and numlookup websites both offered an additional snippet of information that allowed me to pivot into a more specific direction.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t

    \n\t\t\t\t\t\t
    \n\t\t\t\t\t
    \n\t\t\t
    \n\t\t\t\t\t\t
    \n\t\t\t\t
    \n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"\"\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
    \n\t\t\t\t\t\t
    \n\t\t\t\t\t
    \n\t\t\t
    \n\t\t\t\t\t\t
    \n\t\t\t\t
    \n\t\t\t\t\t\t\t\t\t

    Twilio is a Voice over IP (VoIP) provider and its business model is to create a bridge between the traditional and cellular telephony and the Internet.<\/p>

    More details on how it works here<\/a>.<\/p>

    As a Twilio customer you can buy a virtual phone number and use it as if you’re using your own real mobile, with the exception that Twilio provides a degree of separation and an extra layer of privacy.<\/p>

    This is what the scammer availed of in this case.<\/p>

    To conduct look-ups with Twilio, you need to have an account with them. You can avail of a free trial, which will also give you some free credits towards look-ups.<\/p>

    Twilio look-ups cost:<\/p>