Malware Analysis Spotlight: Phishing Site Spread through SMS

Jun 17th 2020

In this Malware Analysis Spotlight, the VMRay Labs looks at the behavior of a phishing site distributed through an SMS message. Based on the content of the SMS message, this does not seem to be part of a targeted attack but rather part of a massive phishing campaign that aims at users of Apple products. This analysis will show how the threat actor used a fake Apple website to trick victims into entering login credentials, banking information and a photo of a driver’s license/passport.


SMS Message

Figure 1: SMS Message with a link to the phishing site


VMRay’s Automatic Web Analyzer detects the delivered URL as malicious and classifies it as a phishing attempt (Figure 2).


Phishing URL

Figure 2: Analysis Result of the Phishing URL.


Looking at the VMRay Threat Identifiers (VTIs) in Figure 3, there are several heuristic matches that characterize this as a phishing site:

  • Use of the Apple favicon
  • Use of HTTP versus HTTPS for entering sensitive information (e.g. login details)
  • The page presenting itself as a login page for Apple ID

The combination of these matches, we can see how the threat actor tries to masquerade the site as an official Apple website (Figure 4.).


VTI Automatic Analysis

Figure 3: VTIs that triggered during the Automatic Analysis.


Apple ID Login Screen - Phishing Site

Figure 4: Screenshot of the Initial Phishing Page (Left); Actual Apple ID Login Screen (Right)


For a closer look, we analyzed the phishing site with VMRay Analyzer’s Interactive Web Engine.

After clicking on the unlock account link, we are directed to a page that displays multiple forms asking for the user’s Apple ID credentials (Figure 5), credit card information (Figure 6) and a copy of a passport/driver license (Figure 7).


Apple ID login

Figure 5: Screenshot of the dialog asking for the Apple ID.


CC info

Figure 6: Page asking for Credit Card Information


Passport/Driver License

Figure 7: Page asking for Passport/Driver License.


The sequential interaction of sub-pages, including unlock, log in and dialog page, is visible in the Behavior Tab together with their resources which includes JavaScripts, CSS files, images, and fonts (Figure 8).


Behavior Tab

Figure 8: Behavior Tab showing the interaction between pages.


In addition to the sequential interaction, the IOC tab (Figure 9) shows a filtered view of the 119 artifacts extracted during analysis. There were 2 URLs classified as IOCs based on the VTI rules.


IOC tab

Figure 9: IOC tab showing the relationship between artifacts and VTIs


With the information presented in the IOCs and Behavior tabs Security Teams have the ability to block further phishing attempts using this domain and understand how the user’s information is being sent back to the threat actor by analyzing the extracted resources.