{"id":7661,"date":"2022-04-08T13:14:26","date_gmt":"2022-04-08T20:14:26","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=7661"},"modified":"2024-04-26T13:20:05","modified_gmt":"2024-04-26T20:20:05","slug":"the-smish-is-coming-from-inside-the-house","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/the-smish-is-coming-from-inside-the-house\/","title":{"rendered":"The Smish is Coming from Inside the House"},"content":{"rendered":"<h3><strong>Author: Nick Sundvall and Vadym Tymchenko<\/strong><\/h3>\n<p>&nbsp;<\/p>\n<h3>1. Executive summary<\/h3>\n<p>A new technique for bypassing mobile spam filters and distributing malicious content was recently observed in text messages received by a number of users. Where mobile phishing often includes a fake sender phone number, these malicious messages appear to come from the victims themselves. The messages include a link that, if clicked on, enables threat actors to steal victims\u2019 information. We analyzed one campaign in depth and uncovered a large infrastructure and a complex pattern of redirection to overcome automated security filtering. Operations of this size require significant planning but allow the actors to profit even when only a small number of users fall victim to the lures.<\/p>\n<p>In this report, we will step through a case study of a malicious text message, an analysis of the domain names, and an overview of the threat actor\u2019s redirection infrastructure, including what we will refer to as the front-end domains, campaign broker domains, clickbait pages\/domains, and final landing pages\/domains.<\/p>\n<h3>2. Smishing Background<\/h3>\n<p>Smishing is the combination of the terms \u201cphishing\u201d and \u201cSMS\u201d (short message service, also known as text messages). Smishing messages are sent by bad actors to get victims to reveal private information, including passwords, identity, and financial data. 
The messages typically include some incentive for the recipient to click a link, which may be for a site that hosts malware or a page that attempts to convince the user to submit data through a form.<\/p>\n<p>Actors have regularly used spoofed sender numbers in the text messages to evade spam filters. However, those messages that are not automatically detected by the mobile provider can be stopped by blocking the sender\u2019s phone number. In response, threat actors continue to evolve their own techniques. In a well-known version of mobile phone spoofing, a recipient receives a text or phone call from someone who appears to be in the area close to the recipient. Users are hesitant to block local phone numbers for fear it would also block legitimate phone calls and messages.<\/p>\n<p>Spoofing the recipient&#8217;s phone number is another advance by actors to overcome spam filtering and blocking, and to convince users to click on the embedded links.<\/p>\n<h3>3. Case Study<\/h3>\n<p>On March 29 and 30, we observed multiple smishing texts from one campaign, and we will analyze the details on one of the messages, as a case study, below. All of the messages we saw in this campaign began with the same content; the only part that changed was the URL. The text we will discuss is shown in Figure 1 below.<br \/>\nFigure 1. Case study message; the full URL is redacted because it may uniquely identify the recipient<br \/>\n<img decoding=\"async\" src=\"\/wp-content\/uploads\/the-smish-is-coming-from-inside-the-house-figure-1.png\" alt=\"\" \/><\/p>\n<p>The link in Figure 1 above used the domain oifc21[.]xyz, but we saw a variety of domains used. We will call the domains in the text messages the \u201cfront-end domains\u201d. We saw these domains use only the top-level domain (TLD) .xyz. When we clicked on the link, it did not lead us to oifc21[.]xyz; instead, multiple redirects occurred before a final landing page was presented. 
In this instance, we were redirected to goodasgold[.]shop, then takeoneforlove[.]com, and then eshatl[.]xyz, which presented a fake Verizon survey page. After completing the survey, a message appeared that thanked us \u201cfor being a great customer\u201d and asked us to click the displayed button to claim a new Apple Watch.<\/p>\n<p>Figure 2. Example of one of the faked survey questions<br \/>\nFake Verizon survey<br \/>\n<img decoding=\"async\" src=\"\/wp-content\/uploads\/the-smish-is-coming-from-inside-the-house-figure-2.png\" alt=\"\" \/><\/p>\n<p>The threat actors tried to imbue their content with a sense of urgency; this is a common tactic used to pressure victims into complying with the scam. After we completed the survey, the webpage warned: \u201cif you leave this page without claiming your reward, we have no choice but to give another loyal customer\u201d. Clicking the button again redirected us to a new website, smartfashiondaily[.]com, where the actors asked us to pay $6.85 for \u201cShipping &amp; Handling\u201d. The actors also asked for our name, email address, phone number, mailing address, and credit card information.<\/p>\n<p>Figure 3. Fake checkout page<br \/>\n<img decoding=\"async\" src=\"\/wp-content\/uploads\/the-smish-is-coming-from-inside-the-house-figure-3.png\" alt=\"\" \/><\/p>\n<p>After providing the information, we were told that our credit card number was not valid.<br \/>\nFigure 4. The message shown after we submitted shipping and credit card details<br \/>\n<img decoding=\"async\" src=\"\/wp-content\/uploads\/the-smish-is-coming-from-inside-the-house-figure-4.png\" alt=\"\" \/><\/p>\n<h3>4. Campaign Study<\/h3>\n<p><strong>a. Campaigns<\/strong><\/p>\n<p>Our analysis shows that the same actor carried out at least two campaigns in March:<\/p>\n<ul>\n<li>The first took place between 6 and 8 March. 
We call it the CDC campaign because the requests that did not pass the actor\u2019s validations were redirected to cdc[.]gov.<\/li>\n<li>The second took place between 26 and 31 March; it appears that the campaign may have stopped after less than a week, because no activity has been observed after March 31. We call it the 1TV campaign because the requests that did not pass the actor\u2019s validations were redirected to 1tv[.]ru or 1tv[.]com.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p>Both campaigns share the same set of domain names registered on 6 March.<\/p>\n<p><strong>b. Domain Names<\/strong><\/p>\n<p>From several examples, we have noticed that the domains used in the SMS messages have a distinct pattern: four or five alphabetical characters followed by one or two digits, all in the TLD .xyz. This allowed us to create a simple regex and apply it to data for March and the start of April.<\/p>\n<p>Figure 5. Domain creation and update activity<br \/>\n<img decoding=\"async\" src=\"\/wp-content\/uploads\/the-smish-is-coming-from-inside-the-house-figure-5.png\" alt=\"\" \/><\/p>\n<p>The activity histogram shows when the domains associated with this campaign were registered (\u201ccreated\u201d) and\/or updated. All of the domains we believe to be associated with the campaign have the following characteristics:<\/p>\n<ul>\n<li>All the domains were registered between 5 and 10 March.<\/li>\n<li>Their names follow the regex pattern ^[a-z]{4,5}[0-9]{1,2}.xyz.<\/li>\n<li>The numeric components of their names use consecutive numbers.<\/li>\n<li>Their registrar is Hosting Concepts.<\/li>\n<li>They use CloudFlare for their name servers and hosting.<\/li>\n<\/ul>\n<p>There were several groups of domains registered in March. Most of the domain names followed a pattern of 4 or 5 alphabetic characters followed by a sequential number within the group.<\/p>\n<p><strong>c. 
Observed Activity<\/strong><\/p>\n<p>Figure 6 below shows activity related to the domains associated with this campaign. We can see a small amount of activity from 5 to 8 March, and then a much greater spike between 26 and 31 March. This second, larger spike is associated with the smishing campaign that our case study above came from.<\/p>\n<p>Figure 6. Observed activity from 1 March to 2 April<br \/>\n<img decoding=\"async\" src=\"\/wp-content\/uploads\/the-smish-is-coming-from-inside-the-house-figure-6.png\" alt=\"\" \/><\/p>\n<p>Figure 7. Sample of dates and smishing campaign URLs<br \/>\n<img decoding=\"async\" src=\"\/wp-content\/uploads\/the-smish-is-coming-from-inside-the-house-figure-7.png\" alt=\"\" \/><\/p>\n<h3>5. Campaign Generalization<\/h3>\n<p>The structure and activity we observed in the two campaigns described in this paper match those of several older smishing campaigns that we have analyzed. The domains used in the redirect patterns all appear to share similar naming conventions and other properties. A deep study of both the older and these more recent campaigns shows that they have similar structures of redirect requests and groups of domains used for very specific purposes. The diagram below illustrates the flow of requests and redirects between domains in the infrastructure and the assumed functionality of each layer. We think this is a valid model of infrastructure that, with variations, is likely used by multiple threat actors.<\/p>\n<p>Figure 8. Smishing campaigns\u2019 redirection layers and activity<br \/>\n<img decoding=\"async\" src=\"\/wp-content\/uploads\/the-smish-is-coming-from-inside-the-house-figure-8.png\" alt=\"\" \/><\/p>\n<p>Analyzing the redirect structure showed that it consists of at least 4 layers, all with clearly identifiable purposes. 
Note that there are some minor differences between the 1TV and CDC campaigns, which we will identify below.<\/p>\n<ul>\n<li>Front-end URL:\n<ul>\n<li>The domain in the smishing URL typically has a short lifespan because it is the most exposed component of the campaign and thus the most easily identified and blocked by security providers. In most of the previous campaigns, threat actors used the domain within a few hours after registering it. In the 1TV campaign, however, the front-end domains were \u201caged\u201d for about two weeks before the threat actor put them to use. This aging approach allows the actor to bypass the security provider\u2019s attempts to block threats based on newly registered domains.<\/li>\n<li>The URL provided in the SMS uniquely identifies the user. The front-end code seems to have very limited functionality: it checks that the request has not expired (we observed some links expiring in under 2 days). The link will not work with any other domain associated with the campaign, probably due to redirect conditions coded in the web server\u2019s configuration.<\/li>\n<li>In most cases, the front-end URL is accessed over HTTP. This is likely due to the throw-away nature of the front-end domains. Redirects from these domains to subsequent layers are always encrypted with HTTPS.<\/li>\n<li>In some cases, we observed the front-end domain perform additional validation of incoming requests, such as user-agent string comparison. If a user-agent string does not match the targeted device, it redirects to a \u201csafe\u201d domain, in our case 1tv[.]ru or 1tv[.]com.<\/li>\n<\/ul>\n<\/li>\n<li>Redirect domain (campaign broker):\n<ul>\n<li>This domain receives the HTTPS request redirected from the front-end domain. 
The request contains the victim identifier (in many cases the phone number), mobile provider, campaign name, and other information.<\/li>\n<li>The redirect domain verifies the user-agent header; if any mismatches are found, the domain redirects the victim to the \u201csafe\u201d domain.<\/li>\n<li>There may be several redirect domains in the chain.<\/li>\n<li>There is often a call to a click-tracking site, for statistics-collection purposes.<\/li>\n<li>After all the checks are successfully passed, the user is redirected to a clickbait page that matches the content of the SMS message.<\/li>\n<li>Threat actors typically keep their redirect domains active much longer than their front-end domains because users never see them. We have seen redirect domains live for over a year and serve several campaigns.<\/li>\n<\/ul>\n<\/li>\n<li>Clickbait domain or page:\n<ul>\n<li>Our understanding of the purpose of this layer is that it introduces an interaction point that prevents automated URL-tracing tools from reaching the final phishing site. We have seen several variations of this layer; typically, it is a button that when clicked, takes a user to a \u201csurvey\u201d site. In other cases, it is a simple single-click page that takes the user directly to the final phishing page.<\/li>\n<li>In many cases, the clickbait domain is short-lived due to its relatively high visibility.<\/li>\n<\/ul>\n<\/li>\n<li>Landing page (phishing site): this is the final phishing site that requests credit card information or other sensitive data.<\/li>\n<\/ul>\n<h3>6. Prevention and Mitigation<\/h3>\n<p>Smishing messages are a common method for sending phishing links. Infoblox recommends the following precautions for avoiding smishing attacks:<\/p>\n<ul>\n<li>Always be suspicious of unexpected text messages, especially those that appear to contain financial or delivery correspondences, documents, or links.<\/li>\n<li>Never click URLs in text messages from unknown sources. 
In the campaign under discussion, the source was the recipient, who did not send the message, and that is a red flag.<\/li>\n<\/ul>\n<h3>7. Conclusion<\/h3>\n<p>In this campaign, threat actors sent spam SMS messages to Verizon Wireless customers. The messages contained malicious links and appeared to have come from the recipients themselves. The links led to fake survey pages where the victims were asked to submit their personal and financial information, which ended up in the hands of the threat actors.<br \/>\nThe actors redirected victims through a series of domains to avoid analysis and detection. We have observed multiple campaigns that used this kind of technique in the past; it makes it particularly challenging for researchers to analyze the malicious URLs. Our analysis of the URL data enabled us to discover additional domains used by the actors.<\/p>\n<h3>8. Indicators of compromise<\/h3>\n<p>For a downloadable list of our IOCs on this topic, see the cta_indicators folder of our GitHub repository infobloxopen:threat-intelligence.<\/p>\n<table width=\"689\">\n<tbody>\n<tr>\n<td width=\"201\"><strong>Indicator<\/strong><\/td>\n<td width=\"108\"><strong>Registration Date<\/strong><\/td>\n<td width=\"232\"><strong>Properties<\/strong><\/td>\n<td width=\"148\"><strong>Description<\/strong><\/td>\n<\/tr>\n<tr>\n<td 
width=\"201\"><\/td>\n<td width=\"108\">5 March 2022<\/td>\n<td width=\"232\"><strong>100 domains<\/strong><\/p>\n<p><strong>\u00a0<\/strong><\/p>\n<p><strong>Registrar<\/strong>: Hosting Concepts<\/p>\n<p><strong>\u00a0<\/strong><\/p>\n<p><strong>NS<\/strong>: *.ns.cloudflare.com<\/p>\n<p><strong>\u00a0<\/strong><\/p>\n<p><strong>Pattern<\/strong>: ^[a-z]{4}[0-9]{1,2}.xyz<\/p>\n<p>&nbsp;<\/p>\n<p><strong>Numeric part<\/strong>: Sequence of numbers from 1 through 50, each number used twice<\/td>\n<td width=\"148\">Front-end domains from SMS<\/p>\n<p>&nbsp;<\/p>\n<p>It was observed in two campaigns: a small CDC-associated campaign on 2022-03-06, and one large 1TV campaign on\u00a0 2022-03-26<\/td>\n<\/tr>\n<tr>\n<td width=\"201\"><\/td>\n<td width=\"108\">6 March 2022<\/td>\n<td width=\"232\"><strong>20 domains<\/strong><\/p>\n<p><strong>\u00a0<\/strong><\/p>\n<p><strong>Registrar<\/strong>: Hosting Concepts<\/p>\n<p>&nbsp;<\/p>\n<p><strong>NS<\/strong>: *.ns.cloudflare.com<\/p>\n<p><strong>\u00a0<\/strong><\/p>\n<p><strong>Pattern<\/strong>: ^[a-z]{4}[0-9]{1,2}.xyz<\/p>\n<p>&nbsp;<\/p>\n<p><strong>Numeric part<\/strong>: Sequence of numbers from 1 through 20<\/td>\n<td width=\"148\">Front-end domains from SMS<\/p>\n<p>&nbsp;<\/p>\n<p>Observed in the 1TV campaign on\u00a0 2022-03-26<\/td>\n<\/tr>\n<tr>\n<td width=\"201\"><\/td>\n<td width=\"108\">8 March 2022<\/td>\n<td width=\"232\"><strong>89 domains<\/strong><\/p>\n<p><strong>\u00a0<\/strong><\/p>\n<p><strong>Registrar<\/strong>: Hosting Concepts<\/p>\n<p><strong>\u00a0<\/strong><\/p>\n<p><strong>NS<\/strong>: *.ns.cloudflare.com<\/p>\n<p><strong>\u00a0<\/strong><\/p>\n<p><strong>Pattern<\/strong>: ^[a-z]{4}[0-9]{1,2}.xyz<\/p>\n<p>&nbsp;<\/p>\n<p><strong>Numeric part<\/strong>: Sequence of numbers from 1 through 70, with a few gaps. Some numbers from 1 through 28 were reused twice.<\/td>\n<td width=\"148\">Front-end domains from SMS<\/p>\n<p>&nbsp;<\/p>\n<p>Observed in the 1TV campaign on 2022-03-26<\/td>\n<\/tr>\n<tr>\n<td width=\"201\"><\/td>\n<td width=\"108\">8 March 2022<\/td>\n<td width=\"232\"><strong>50 domains<\/strong><\/p>\n<p><strong>\u00a0<\/strong><\/p>\n<p><strong>Registrar<\/strong>: Hosting Concepts<\/p>\n<p>&nbsp;<\/p>\n<p><strong>NS<\/strong>: *.ns.cloudflare.com<\/p>\n<p><strong>\u00a0<\/strong><\/p>\n<p><strong>Pattern<\/strong>: ^[a-z]{5}[0-9]{1,2}.xyz<\/p>\n<p>&nbsp;<\/p>\n<p><strong>Numeric part<\/strong>: Sequence of numbers from 1 through 50<\/td>\n<td width=\"148\">Front-end domain from SMS<\/p>\n<p>&nbsp;<\/p>\n<p>Observed in the 1TV campaign on 26 March<\/td>\n<\/tr>\n<tr>\n<td width=\"201\">pycrm2[.]xyz<\/td>\n<td width=\"108\">10 March 2022<\/td>\n<td width=\"232\">Single domain matching common pattern<\/p>\n<p>Registrar: Hosting Concepts<\/p>\n<p>NS: *.ns.cloudflare.com<\/p>\n<p>Pattern: ^[a-z]{5}[0-9]{1,2}.xyz<\/p>\n<p>Numeric pattern: only number 2<\/td>\n<td width=\"148\">Front-end domain from SMS<\/td>\n<\/tr>\n<tr>\n<td width=\"201\">easyechoes[.]com<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/td>\n<td width=\"108\">18 February 2022<\/p>\n<p>&nbsp;<\/td>\n<td width=\"232\">Registrar:Hosting Concepts<\/p>\n<p>NS: ns1.openprovider.nl<\/p>\n<p>NS: ns2.openprovider.be<\/p>\n<p>NS: ns3.openprovider.eu<\/td>\n<td width=\"148\">Middle-layer domain (campaign-broker \/ redirector)<\/td>\n<\/tr>\n<tr>\n<td width=\"201\">flagshipsteak[.]com<\/td>\n<td width=\"108\">5 March 2022<\/td>\n<td width=\"232\">Registrar:Hosting Concepts<\/p>\n<p>NS: ns1.openprovider.nl<\/p>\n<p>NS: ns2.openprovider.be<\/p>\n<p>NS: ns3.openprovider.eu<\/td>\n<td width=\"148\">Middle-layer domain (campaign-broker \/ redirector)<\/td>\n<\/tr>\n<tr>\n<td width=\"201\">glittersisgold[.]com<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/td>\n<td width=\"108\">26 March 2022<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/td>\n<td width=\"232\">Registrar:Hosting Concepts<\/p>\n<p>NS: ns1.openprovider.nl<\/p>\n<p>NS: ns2.openprovider.be<\/p>\n<p>NS: ns3.openprovider.eu<\/td>\n<td width=\"148\">Middle-layer domain (campaign-broker \/ redirector)<\/td>\n<\/tr>\n<tr>\n<td width=\"201\">goodasgold[.]shop<\/td>\n<td width=\"108\">29 January 2022<\/td>\n<td width=\"232\">Registrar: NAMECHEAP INC<\/p>\n<p>NS: dns1.registrar-servers.com<\/p>\n<p>NS: dns2.registrar-servers.com<\/td>\n<td width=\"148\">Middle-layer domain (campaign-broker \/ redirector)<\/td>\n<\/tr>\n<tr>\n<td width=\"201\">takeoneforlove[.]com<\/td>\n<td width=\"108\">11 March 2022<\/td>\n<td width=\"232\">Registrar: Hosting Concepts<\/p>\n<p>NS: pam.ns.cloudflare.com<\/p>\n<p>NS: patrick.ns.cloudflare.com<\/td>\n<td width=\"148\">Middle-layer domain (campaign-broker \/ redirector)<\/td>\n<\/tr>\n<tr>\n<td width=\"201\">u30487[.]xyz<\/td>\n<td width=\"108\">28 February 2022<\/td>\n<td width=\"232\">Registrar: Hosting Concepts<\/p>\n<p>NS: linda.ns.cloudflare.com<\/p>\n<p>NS: rocky.ns.cloudflare.com<\/td>\n<td width=\"148\">Landing domain (clickbait page)<\/td>\n<\/tr>\n<tr>\n<td width=\"201\">eshatl[.]xyz<\/p>\n<p>&nbsp;<\/td>\n<td width=\"108\">28 February 2022<\/td>\n<td width=\"232\">Registrar: Hosting Concepts<\/p>\n<p>NS: linda.ns.cloudflare.com<\/p>\n<p>NS: rocky.ns.cloudflare.com<\/td>\n<td width=\"148\">Final landing domain<\/td>\n<\/tr>\n<tr>\n<td width=\"201\">smartfashiondaily[.]com<\/td>\n<td width=\"108\">17 September 2021<\/td>\n<td width=\"232\">Registrar: NAMECHEAP INC<\/p>\n<p>NS: arnold.ns.cloudflare.com<\/p>\n<p>NS: maeve.ns.cloudflare.com<\/td>\n<td width=\"148\">Final landing domain<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Author: Nick Sundvall and Vadym Tymchenko &nbsp; 1. Executive summary A new technique for bypassing mobile spam filters and distributing malicious content was recently observed in text messages received by a number of users. Where mobile phishing often includes a fake sender phone number, these malicious messages appear to come from the victims themselves. 
The [&hellip;]<\/p>\n","protected":false},"author":397,"featured_media":6722,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[554],"tags":[658,657,360],"class_list":{"0":"post-7661","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-cyber-threat-advisory","8":"tag-cyber-threat-advisory","9":"tag-cyber-threat-intelligence","10":"tag-dns-security","11":"entry"},"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.3 (Yoast SEO v27.3) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Smishing Attacks From Spoofed Senders | Infoblox<\/title>\n<meta name=\"description\" content=\"This report analyzes the new smishing technique and the multiple redirect layers involved in the attack.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/the-smish-is-coming-from-inside-the-house\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"The Smish is Coming from Inside the House\" \/>\n<meta property=\"og:description\" content=\"This report analyzes the new smishing technique and the multiple redirect layers involved in the attack.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/the-smish-is-coming-from-inside-the-house\/\" \/>\n<meta property=\"og:site_name\" 
content=\"Infoblox Blog\" \/>\n<meta property=\"article:published_time\" content=\"2022-04-08T20:14:26+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-04-26T20:20:05+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/ciu-image-33.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"612\" \/>\n\t<meta property=\"og:image:height\" content=\"408\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Infoblox Threat Intel\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Infoblox Threat Intel\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"13 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-threat-advisory\\\/the-smish-is-coming-from-inside-the-house\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-threat-advisory\\\/the-smish-is-coming-from-inside-the-house\\\/\"},\"author\":{\"name\":\"Infoblox Threat Intel\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/person\\\/b6aed8965e3298a0817c16d32c0a67ae\"},\"headline\":\"The Smish is Coming from Inside the 
House\",\"datePublished\":\"2022-04-08T20:14:26+00:00\",\"dateModified\":\"2024-04-26T20:20:05+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-threat-advisory\\\/the-smish-is-coming-from-inside-the-house\\\/\"},\"wordCount\":2782,\"publisher\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-threat-advisory\\\/the-smish-is-coming-from-inside-the-house\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/ciu-image-33.jpg\",\"keywords\":[\"Cyber Threat Advisory\",\"Cyber Threat Intelligence\",\"DNS Security\"],\"articleSection\":[\"Cyber Threat Advisory\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-threat-advisory\\\/the-smish-is-coming-from-inside-the-house\\\/\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-threat-advisory\\\/the-smish-is-coming-from-inside-the-house\\\/\",\"name\":\"Smishing Attacks From Spoofed Senders | Infoblox\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-threat-advisory\\\/the-smish-is-coming-from-inside-the-house\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-threat-advisory\\\/the-smish-is-coming-from-inside-the-house\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/ciu-image-33.jpg\",\"datePublished\":\"2022-04-08T20:14:26+00:00\",\"dateModified\":\"2024-04-26T20:20:05+00:00\",\"description\":\"This report analyzes the new smishing technique and the multiple redirect layers involved in the 
attack.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-threat-advisory\\\/the-smish-is-coming-from-inside-the-house\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-threat-advisory\\\/the-smish-is-coming-from-inside-the-house\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-threat-advisory\\\/the-smish-is-coming-from-inside-the-house\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/ciu-image-33.jpg\",\"contentUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/ciu-image-33.jpg\",\"width\":612,\"height\":408,\"caption\":\"Big data and hacking concept. Back view of hacker at desktop using creative digital numbers mesh on blurry bokeh background. Multiexposure\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-threat-advisory\\\/the-smish-is-coming-from-inside-the-house\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Infoblox Threat Intel\",\"item\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/category\\\/threat-intelligence\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Cyber Threat Advisory\",\"item\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/category\\\/threat-intelligence\\\/cyber-threat-advisory\\\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"The Smish is Coming from Inside the 
House\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/\",\"name\":\"infoblox.com\\\/blog\\\/\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#organization\",\"name\":\"Infoblox\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/infoblox-logo-2.svg\",\"contentUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/infoblox-logo-2.svg\",\"width\":137,\"height\":30,\"caption\":\"Infoblox\"},\"image\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/person\\\/b6aed8965e3298a0817c16d32c0a67ae\",\"name\":\"Infoblox Threat Intel\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/blogs.infoblox.com\\\/wp-content\\\/uploads\\\/avatar_user_397_1714162589-96x96.png\",\"url\":\"https:\\\/\\\/blogs.infoblox.com\\\/wp-content\\\/uploads\\\/avatar_user_397_1714162589-96x96.png\",\"contentUrl\":\"https:\\\/\\\/blogs.infoblox.com\\\/wp-content\\\/uploads\\\/avatar_user_397_1714162589-96x96.png\",\"caption\":\"Infoblox Threat Intel\"},\"description\":\"Infoblox Threat Intel is the leading creator of original DNS threat 
intelligence, distinguishing itself in a sea of aggregators. What sets us apart? Two things: mad DNS skills and unparalleled visibility. DNS is notoriously tricky to interpret and hunt from, but our deep understanding and unique access to the internet's inner workings allow us to track down threat actors that others can't see. We're proactive, not just defensive, using our insights to disrupt cybercrime where it begins. We also believe in sharing knowledge to support the broader security community by publishing detailed research and releasing indicators on GitHub. In addition, our intel is seamlessly integrated into our Infoblox Protective DNS solutions, so customers automatically get its benefits, along with ridiculously low false positive rates.\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/author\\\/infoblox-threat-intel\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","_links":{"self":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/7661","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/users\/397"}],"replies":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/comments?post=7661"}],"version-history":[{"count":4,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/7661\/revisions"}],"predecessor-version":[{"id":7673,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/7661\/revisions\/7673"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/media\/6722"}],"wp:attachment":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/media?parent=7661"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/categories?post=7661"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/tags?post=7661"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}