Odd SMS phishing attempt, for NZTA

Forums › IT Pro and developers › Odd SMS phishing attempt, for NZTA

1 | 2 | 3 | 4 | 5

BDFL - Memuneh
76381 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#3067486 24-Apr-2023 09:07

Oblivian: I wonder if the reply 1 to activate is utilising the Samsung hack

Have number, can do naughty

https://mashable.com/article/android-phones-exynos-modem-bug

The "Samsung hack" does not need user interaction. They could have pwned the phone on the first message, no need to ask to "press 1".

Please support Geekzone by subscribing, or using one of our referral links: Dosh referral: 00001283 | Sharesies | Goodsync | Mighty Ape | Backblaze

freitasm on Keybase | My technology disclosure

MyHeritage

Shop MyHeritage and uncover your origins and find new relatives with a simple DNA test. (affiliate link).

evnafets

458 posts

Ultimate Geek

Lifetime subscriber

#3067505 24-Apr-2023 10:31

I don't know about SMS, but I did get a bunch of email spam about car registration expiring.

initially fell for it too, as my registration was due to expire. But because I prefer doing these things on desktop/tablet I switched to one of those to actually do the transaction.
And went to the NZTA site directly rather than clicking any links.

It was only when I received another 'reminder' a week later after having paid it that I started suspecting something was up, and checked the sender details.

kingdragonfly

8796 posts

Uber Geek

Subscriber

#3069281 29-Apr-2023 18:08

More phishing attempts to NZTA

from +61 466 129 668

Notice: You have a bill that will be overdue and incur a penalty. Please check and complete the payment: https://is.gd/DGCEN9

Forwards to
https://nzta.nz.gavlts.com/

I've informed the URL shortener
https://is.gd

I've informed the domain provider
https://gavlts.com/

Also sent to DIA text phone number (this works for many countries)
"SPAM" = 7726

And lastly reported to NZTA

freitasm

BDFL - Memuneh
76381 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#3069282 29-Apr-2023 18:11

Search on how to report to Google and Microsoft smartscreen filters so their browsers block the final domain.

Please support Geekzone by subscribing, or using one of our referral links: Dosh referral: 00001283 | Sharesies | Goodsync | Mighty Ape | Backblaze

freitasm on Keybase | My technology disclosure

Oblivian

6946 posts

Uber Geek

ID Verified

#3070136 1-May-2023 19:23

CERT have issued an official advisory

https://www.cert.govt.nz/individuals/alerts/phishing-scams-targeting-new-zealanders-to-install-remote-access-software/

Linux

10300 posts

Uber Geek

Trusted

Lifetime subscriber

#3070138 1-May-2023 19:26

Had this SMS like 4 times in the last week

boosacnoodle

653 posts

Ultimate Geek

#3070201 1-May-2023 23:15

This is getting beyond a joke. How hard is it to just block all text messages with an .xyz domain? When did another ever see any legitimate use case for an .xyz domain?

K8Toledo

846 posts

Ultimate Geek

#3070206 1-May-2023 23:57

kingdragonfly: More phishing attempts to NZTA

from +61 466 129 668

Notice: You have a bill that will be overdue and incur a penalty. Please check and complete the payment: https://is.gd/DGCEN9
Forwards to
https://nzta.nz.gavlts.com/

I've informed the URL shortener
https://is.gd

I've informed the domain provider
https://gavlts.com/

Also sent to DIA text phone number (this works for many countries)
"SPAM" = 7726

And lastly reported to NZTA

Aussie Country Code is a big red flag.

K8Toledo

846 posts

Ultimate Geek

#3070209 2-May-2023 00:01

boosacnoodle:

This is getting beyond a joke. How hard is it to just block all text messages with an .xyz domain? When did another ever see any legitimate use case for an .xyz domain?

On Android go to Messages --> Block Messages --> Block Phrases.

Add .xyz

ezbee

1688 posts

Uber Geek

#3072103 4-May-2023 09:33

I just got one of these fake NZTA as well , different number +61413866258

The t.ly etc url as per Kingdragonfly original post today

BlakJak

1094 posts

Uber Geek

Trusted

#3085250 5-Jun-2023 22:53

boosacnoodle:
This is getting beyond a joke. How hard is it to just block all text messages with an .xyz domain? When did another ever see any legitimate use case for an .xyz domain?

Have fun with the whack-a-mole. The scam domains are under just about every TLD.

No signature to see here, move along...

Linux

10300 posts

Uber Geek

Trusted

Lifetime subscriber

#3085310 6-Jun-2023 08:04

I was getting 2 to 3 of these a day over the last 2 weeks. The SMS just look so pathetic I have zero idea how people fall for this scam

kingdragonfly

8796 posts

Uber Geek

Subscriber

#3085393 6-Jun-2023 11:56

I raised one to NZTA, Google, Microsoft and the domain provider yesterday.

TinyURL blocked it, so kudos to them.

It's targeting mobile phone users.

a TinyURL hides the actual address
redirects to tollingonlinenzta.icu
which runs Javascript
if Internet browser is a PC, redirect to legimate NZTA site

+61 468 410 012

"NZ Transport Agency Toll Roads You have an outstanding fee to be processed as soon as possible within 24 hours. So as not to fine https://tinyurl.com/mrxnpbdn"

WyleECoyoteNZ

1040 posts

Uber Geek

#3085399 6-Jun-2023 12:16

Firstly, not NZTA, but phishing.

The one that nearly sucked me in was supposedly from NZ Post. What through me, was that it came in from what looked to be a NZ number. Was a +64 number

BlakJak

1094 posts

Uber Geek

Trusted

#3085525 6-Jun-2023 14:33

kingdragonfly:

"NZ Transport Agency Toll Roads You have an outstanding fee to be processed as soon as possible within 24 hours. So as not to fine https[:]//tinyurl[.]com/mrxnpbdn"

Please defang malicious URLs if you must share them. As i've done so in the quote. (Though this one has now been killed, it's a good habit to maintain)

I also highly encourage the use of the TinyURL preview feature (Google it)

No signature to see here, move along...

1 | 2 | 3 | 4 | 5