Geekzone: technology news, blogs, forums
kingdragonfly

11002 posts

Uber Geek

Subscriber

  #3085669 6-Jun-2023 17:26

BlakJak: kingdragonfly: Please defang malicious URLs if you must share them.


Will do. As mentioned, they killed the shortcut a few hours after my complaint.

TinyURL is pretty fast when responding to complaints.

The domain provider "Gname.com" didn't reply to my complaint.

It has a high number of phishing sites, in particular for the number of sites they maintain.

Cybercrime Information Center

 
 
 

Eva888
2351 posts

Uber Geek

Lifetime subscriber

  #3085690 6-Jun-2023 18:02

On Stuff...A circulating scam has seen many lose large amounts of money, and more than 100,000 complaints have been made, so far.

https://www.stuff.co.nz/national/300898351/over-100000-reports-received-life-savings-lost-over-nzta-toll-scam

kingdragonfly

11002 posts

Uber Geek

Subscriber

  #3086372 8-Jun-2023 09:11

There's an exact clone of the last one I just posted, except the TinyURL link changed.

TinyURL has hidden their complaints / abuse form, so I've emailed them asking where it is. I'll post it here.

The domain company Gname.com also makes it difficult to report, as they add many unnecessary steps before reporting, but at least the form is easy to find. Granted a CyberCrime report paints them as a crime enabler.

I've already reported to Google and Microsoft. This time I added sending an email to "info@antispam.govt.nz" per the Stuff article sent by Eva888.

With people losing their life savings to this scam, you'd think the government would at the least require antispoofing for international phone numbers.

============================================

TinyURL redirects to tollingonlinenzta.icu a week later after my complaint to the domain provider.

It uses JavaScript to detect browser type.

If it's being used on a smart-phone, it redirects to the same phishing website.

==================================

+61 432 313 090

NZTA: Your unpaid toll invoice is overdue now. Please pay immediately. More details: https[:]//tinyurl[.]com/yc3eebjs



boosacnoodle
953 posts

Ultimate Geek


  #3086374 8-Jun-2023 09:15

Eva888: On Stuff...A circulating scam has seen many lose large amounts of money, and more than 100,000 complaints have been made, so far.

https://www.stuff.co.nz/national/300898351/over-100000-reports-received-life-savings-lost-over-nzta-toll-scam

 

100,000 complaints and telcos cannot be bothered to do anything.

 

How hard would it really be to quarantine messages sent in bulk or with URL shorteners / dodgy TLDs? Surely not hard.

 

Alternatively, if the messages are coming from outside NZ, block that mobile carrier. If in NZ, prosecute.

 

I can only assume that mobile carriers in NZ are happy with this situation, as they certainly haven't come out and said otherwise.
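A sketch of the URL-based filtering suggested in the post above (flagging SMS that carry URL shorteners or unusual TLDs), added here as an illustration; it is not part of any poster's message or any carrier's system. The shortener and TLD lists come from this thread; the lure words, verdict names and sample messages are constructed assumptions, and bulk-send detection is not covered.

```python
import re
from urllib.parse import urlsplit

# Hosts and TLDs seen in this thread; a real filter would load these from abuse data.
SHORTENERS = {"tinyurl.com", "is.gd"}
RISKY_TLDS = {"icu", "buzz"}
LURE_WORDS = ("toll", "unpaid", "overdue", "outstanding fee")  # assumed wording

# Matches normal and defanged URLs (hxxp, https[:]//, host[.]tld).
URL_RE = re.compile(r"\bh(?:tt|xx)ps?(?:\[:\]|:)//[^\s\"'<>]+", re.I)

def refang(url):
    """Undo common defanging so the host can be parsed (the URL is never fetched)."""
    url = url.replace("[:]", ":").replace("[.]", ".")
    return re.sub(r"^hxxp", "http", url, flags=re.I)

def defang(url):
    """Make a URL non-clickable for sharing in reports or forum posts."""
    scheme, rest = refang(url).split("://", 1)
    return scheme + "[:]//" + rest.replace(".", "[.]")

def triage(sms):
    """Return (verdict, reasons, defanged_urls) for one SMS body."""
    reasons, safe = [], []
    for raw in URL_RE.findall(sms):
        url = refang(raw).rstrip(".,)")
        host = (urlsplit(url).hostname or "").lower()
        if host in SHORTENERS:
            reasons.append(f"shortener:{host}")
        tld = host.rsplit(".", 1)[-1]
        if tld in RISKY_TLDS:
            reasons.append(f"tld:.{tld}")
        safe.append(defang(url))
    url_hit = bool(reasons)
    lure = any(word in sms.lower() for word in LURE_WORDS)
    if lure:
        reasons.append("lure-wording")
    verdict = "quarantine" if url_hit and lure else "warn" if url_hit else "deliver"
    return verdict, reasons, safe

# Constructed sample messages (placeholder paths and hosts, not real links).
SAMPLES = [
    "NZTA: Your unpaid toll invoice is overdue now. More details: https[:]//tinyurl[.]com/example1",
    "Your parcel photos: https://photos.example.buzz/a",
    "Your verification code is 482913.",
]

if __name__ == "__main__":
    for message in SAMPLES:
        print(triage(message))
```

A "warn" verdict corresponds to tagging the message rather than dropping it, which avoids silently losing legitimate texts that happen to use a shortener.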


kingdragonfly

11002 posts

Uber Geek

Subscriber

  #3088848 12-Jun-2023 09:58

It looks like the scammers have switched URL shortener
  • from tinyurl.com
  • to is.gd
Again it's using JavaScript to redirect only mobile phone users.

You can unshorten the URL by adding a "-" to the end

https://is.gd/nz_govtc-

It forwards to domain https://tollingonlline.com

The domain provider dnspod.com is out of China.

SMS text from +61 432 308 491

"NZ Transport Agency Toll Roads You have an outstanding fee to be processed as soon as possible within 24 hours. So as not to https[:]//is[.]gd/nz_govtc"

I've reported to is.gd and abuse@dnspod.com

If our mobile providers would add some text like "Warning: possible scam" to SMS messages with tinyurl.com / is.gd, it may save some elderly from losing their life savings.

I guess it's asking too much for them to give a damn. Maybe some politicians wanting to get some votes for re-election could pressure them to act?

freitasm
BDFL - Memuneh
79015 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #3088853 12-Jun-2023 10:11

On Android the Google Messages app will do the basic work of filtering suspected spam. You can also install something like Microsoft Defender Android or Microsoft Defender iOS for additional URL filtering. It needs a Microsoft account (Hotmail, Outlook, etc).







kingdragonfly

11002 posts

Uber Geek

Subscriber

  #3088944 12-Jun-2023 11:56

Unfortunately iPhone is limited to "Filter Unknown Senders" and blocking the phone number.

"Filter Unknown Senders" can screw up two-form authentication (which I use heavily).

This means people who are not in your contact list go into another folder.

There's an almost useless "report junk" button, but only reports it to Apple, and doesn't block the contact.

Come on Apple, get your act together, with SMS messages with URLs.



kingdragonfly

11002 posts

Uber Geek

Subscriber

  #3089369 13-Jun-2023 12:03

The Chinese domain provider dnspod.com ignored my first complaint. But when I followed up, they sent me their well-hidden report web page.

Looks like it's Tencent Holdings Ltd. It is a Chinese multinational technology and entertainment conglomerate and holding company headquartered in Shenzhen. It is one of the highest grossing multimedia companies in the world.

https://intl.cloud.tencent.com/zh/report-platform

I passed it along to NZTA, since they won't accept submissions from individuals.

Tinkerer
7 posts

Wannabe Geek


#3091250 17-Jun-2023 20:48

Thanks kingdragonfly for the explanation.

 

This one got me intrigued, so I opened up the TinyURL on Chromium from a quarantined environment on a Raspberry Pi, even with a Developers Tools window open.  Everything looked legitimate right down to the 2FA response on the Paymark page; so I thought it was doing some kind of really sophisticated keystroke or screen capture stuff.  Even the certificate worked, so I was really scratching my head.  No wonder, I was running the real thing! 

 

Regards,

 

Duncan

 

kingdragonfly: I raised one to NZTA, Google, Microsoft and the domain provider yesterday.

TinyURL blocked it, so kudos to them.

It's targeting mobile phone users.

 

     

  1. a TinyURL hides the actual address
  2. redirects to tollingonlinenzta.icu
  3. which runs JavaScript
  4. if Internet browser is a PC, redirect to legitimate NZTA site

 

+61 468 410 012

"NZ Transport Agency Toll Roads You have an outstanding fee to be processed as soon as possible within 24 hours. So as not to fine https://tinyurl.com/mrxnpbdn"


kingdragonfly

11002 posts

Uber Geek

Subscriber

  #3091326 18-Jun-2023 08:46

The domain provider website running the NZTA scam is still up.
  • dnspod.com
  • Also known as Tencent Holdings
If Tencent sounds familiar, the mega-app "WeChat" was mentioned by Elon Musk, as a way to improve Twitter.

I definitely complained to the domain provider, which they didn't action because I wasn't the NZTA.

I complained to the NZTA, with instructions on how they could file a complaint. No response from NZTA, except from a robot. Makes you wonder how much the NZTA is actually doing to shut down this phishing scam.

Part of the domain provider's terms and conditions:
REPRESENTATION & WARRANTIES. You represent and warrant that:
 (a) your registration and use of any Domain Name do not and will not infringe the intellectual property rights of a third party and are for legitimate purposes and not for the purpose of:
  (i) disrupting the business of a competitor;
  (ii) confusing or misleading Internet users; or
  (iii) cybersquatting, which is defined as the registration or acquisition of a domain name primarily for the purpose of selling, renting, or otherwise transferring the domain name registration to the owner of a trademark reflected in the domain name or to a competitor


The closest they get to phishing is maybe intellectual property rights and misleading users.

You'll notice there's no reference to crime and laws, except IP. So here's a handy tip to child pornographers, scammers and other criminals: you have friends in China's TenCent.

Also, what dnspod.com/Tencent don't mention is that you must be the intellectual property rights owner to file a complaint; they won't accept complaints from crime victims.

Bung
6351 posts

Uber Geek

Subscriber

  #3091332 18-Jun-2023 10:01

kingdragonfly: I complained to the NZTA, with instructions on how they could file a complaint. No response from NZTA, except from a robot. Makes you wonder how much the NZTA is actually doing to shut down this phishing scam.


Send a complaint off to the Minister responsible. It's currently Kieran McAnulty who might get onto it faster than Michael Wood.

BlakJak
1245 posts

Uber Geek

Trusted

  #3091356 18-Jun-2023 12:54

Oh come on. When the malicious content hosts are making it that difficult why do you think the Minister will in any way get further? It's whack-a-mole, another host will appear.

I get the frustration but be reasonable. You don't know what Waka Kotahi are doing in the background, perhaps they're too busy dealing with actual threats to email you back?
Perhaps they've had so many reports they can't acknowledge each one personally?




No signature to see here, move along...

boosacnoodle
953 posts

Ultimate Geek


  #3091364 18-Jun-2023 13:22

So, DIA has finally responded. It turns out that each of the NZ telcos, as well as Telstra AU, are getting sent a daily updated list of reported scam / spam TXTs and the numbers they are being sent from. Goes to show when people are receiving these days later from the same number that telcos are doing absolutely nothing to get these shut down.


kingdragonfly

11002 posts

Uber Geek

Subscriber

  #3093535 22-Jun-2023 15:48

NZTA spam still continues

Now it's

https[:]//is.gd/nz_govtt1

which redirects to

https[:]//nzsxdell.buzz

which is domain provider namesilo.com

I'm making the usual complaints to companies.

Thanks NZ mobile phone companies. You're really doing a great job. It must be hard to spot the exact same text, and these well-known shortened URLs.
