I got phished, but it's for science!

We often hear about scams and phishing.

Today I have something special for you: I deliberately let myself be phished to show you what happens on the other side!

VERY important point!

The manipulations you will see below (and in particular the act of voluntarily visiting a phishing site) can be dangerous for your system and/or your personal data. They were carried out in a sandbox environment and should not be reproduced without proper protection.

It all starts with an e-mail...

Like the vast majority of Internet scams, it all starts with a simple email. Great, I've won a fancy mobile phone!

The images are blocked in the mail because Thunderbird detects the message as fraudulent.

Already, several things give the scam away:

  • First of all, I'm not a Free subscriber, so I don't see why Free would give me a mobile phone...
  • Free doesn't give out gifts (like many companies)
  • You will notice spelling and grammar mistakes; they come from the "Google translations" used.

The phishing mail I picked here is a clumsy one; however, you can't rely on the form alone, you also have to look at the content and the links it contains.

In my case, all the links on this mail point to the same URL:

http://***********.com/?Z289MSZzMT03NjQ1MzAmczI9NjM4MDc5NzUmczM9RlI=

I deliberately hid the domain name because I don't want to offer them free SEO.

First reflexes: a quick nslookup to get the IP address behind it, and a whois on that IP.

Well, the doubt is growing: why would Free use infrastructure based in Germany when they have their own hosting provider, Online.net?

However, at this point, nothing is really very suspicious. Had I seen an address in Russia, India or China, I would have been much more suspicious.

Avoiding browser blocking

As you know, modern browsers block sites considered dangerous. Nevertheless, more and more scammers are looking for workarounds in order to appear legitimate.

In the case of my email, if you access the site without the payload (the whole string after the "?" in the URL), you land on a site that looks harmless.

But once again, you will notice at least two pieces of information that I have framed in red:

  • The title of the page hasn't been changed from the template that was used.
  • A nice spelling mistake in... the company name!

On to the payload

As I told you, I removed the payload from the address bar. Without it, the site looks harmless. The format of the payload will surely ring a bell for many people: it is a base64-encoded string. Hop, a quick decode, and you get something much more readable for a flesh-and-blood human.

In fact, it's this payload that determines which site you are sent to and who you are! One of the identifiers corresponds to your ID in the scammer's database, the other one to the associated scam, and there are tons of different ones!
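The decode described above can be done entirely offline, without ever visiting the link. The following is an added example (not code from the original article) that takes the link from the mail, decodes the base64 token after the "?" and splits it into its key/value pairs; the real domain is redacted in the article, so a placeholder host is used.

```python
import base64
import binascii
from urllib.parse import urlsplit, parse_qsl

# Constructed copy of the link from the phishing mail. The article redacts the
# real domain, so "redacted-domain.example" is a placeholder; the token is the
# one shown in the article.
PHISHING_URL = "http://redacted-domain.example/?Z289MSZzMT03NjQ1MzAmczI9NjM4MDc5NzUmczM9RlI="


def decode_tracking_payload(url: str) -> dict[str, str]:
    """Return the key/value pairs hidden in the base64 query token of a link.

    The scam links carry their whole "payload" as one opaque base64 string
    after the '?', so the query part is taken as-is, decoded, and then parsed
    as an ordinary application/x-www-form-urlencoded string. An empty dict is
    returned when there is no token, when it is not valid base64, or when it
    does not decode to printable ASCII (i.e. it is not a tracking string).
    """
    token = urlsplit(url).query
    if not token:
        return {}
    # Some mail clients strip trailing '=' from links; restore the padding.
    token += "=" * (-len(token) % 4)
    try:
        raw = base64.b64decode(token, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return {}
    if not text.isprintable():
        return {}
    # The article says one identifier is the victim's id in the scammer's
    # database and another selects the scam; it does not say which is which.
    return dict(parse_qsl(text, keep_blank_values=True))


def strip_payload(url: str) -> str:
    """The harmless-looking landing page the article describes: same URL, no '?...' part."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}{parts.path or '/'}"


if __name__ == "__main__":
    for key, value in decode_tracking_payload(PHISHING_URL).items():
        print(f"{key} = {value}")
    print("without payload:", strip_payload(PHISHING_URL))
```

Decoding the token this way reveals the victim and scam identifiers (and a country code) without tripping the scammer's "this address is live" check that an actual click would.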

Point to remember: never click on a phishing link, even "just to see", as this lets the scammer confirm that the email address is working and actually read. Also, the sites you would land on can be dangerous for your computer.

As you can see, there are several very different sites behind it, even if some of them use the same kits, badly.

We find once again:

  • Spelling/grammar errors: "des millions de euros" (spelling error in French, top left)
  • Urgency: you have to act fast and not think about it, otherwise someone else will get the gift instead of you!
  • The FREE aspect, pushed a lot (too much)
  • The required download of a program

Funnily enough, the Lidl and Free survey sites share the same comments and the same users (always with exotic translations), posted at the same time; some people are lucky enough to win two mobile phones!

Well, I still wanted my free Samsung Galaxy S20! So I clicked on the survey: a survey to win a free state-of-the-art phone, that's a good deal, isn't it?

From the first question, I was... puzzled; I hesitated for a long time because it was so complicated!

(You are : - A man - A woman - Other)

Well, the following ones are on the same level:

  • Am I happy with Free (which, I remind you, is not my operator)...
  • Am I happy with the customer service
  • and so on...

Once the questionnaire is filled in, I finally get to the page that checks whether a phone is available. After a little JavaScript loading bar (which calls no resource whatsoever to check whether a phone is really available), victory, I have my phone.

I just have a small form to fill in and 2€ to pay, probably for the shipping costs! Great, I get a Galaxy S20 for 2€, that's going to make some people jealous!

The most observant will have noticed a small clause at the top of the page (in light grey on white...).

Here is that same clause, zoomed in:

In fact, I haven't won a phone; I'm entering a contest to win one (and I think you already know how that contest ends). The 2€ I'm being asked for only covers a trial period, and 48 hours later I'll be charged 67€ per month!

In conclusion

Let's get back to reality now.

As you can see, this phishing was crude, and I, for one, would never have fallen for it. However, keep in mind that many people get ripped off by this kind of scheme every day! All it takes is a moment of inattention, a little unfamiliarity with the Internet, or even poor eyesight.

In case of doubt, do not hesitate to:

  • Search for the offer and the site's reputation on your favorite search engine
  • Check the reputation on dedicated engines, such as https://global.sitesafety.trendmicro.com/
  • Be wary of "too good to be true" offers

Also, as I said in one of my previous articles, don't rely on the fact that a site is served over HTTPS. In my case, all the sites were hidden behind Cloudflare, and every one of them had a valid certificate!