This morning I received a text message (SMS) that claimed to be from the Royal Mail. The message came from a mobile number and the contents within the text message was notifying me that I had an unpaid fee that had to be paid or my parcel would be returned to the sender. To pay the unpaid fee, all I had to do was click on a link and fill in my details along with my card payment information. Now, being a cyber security professional, I always analyse things like this before proceeding, furthermore, I wasn’t expecting any packages. Nevertheless, after examining this message some more, my suspicions of this being a phishing attempt were quickly realised. Although some may perceive this to be a legit message from the Royal Mail (especially when clicking the link), there are some tell-tale signs to show that its not from the Royal Mail. With that in mind, I have decided to create this article to spread awareness to those that may receive the same link and/or text message in hopes that you are not caught out and have to suffer the consequences.
This article will walk you through the text message and the contents of the website link contained within. It will also give guidance on some of the signs to look for in the future to help better protect you.
Disclaimer: I am not responsible for the actions that may occur as a result of clicking on any of the phishing links presented in this article. This article has been created to provide awareness and guidance on what to do if you receive such links.
The Text Message
Here is a picture of the text message that I received.
Breaking it Down
Now that you’ve seen the text message, you know not to click on the link if you receive similar as this is an attempt to gain your personal information as well as card details. But lets break it down so that you can see what would happen if you clicked the link and the sort of things to look out for.
Analysing the Text Message
A couple of things stood out here:
- The text message has come from a random mobile number, not registered by the Royal Mail. A few checks reveal that it has recently been reported as a scam as well as other things and is an EE network provider telephone number.
- Next, if we look at the link we can see that it is secured with a certificate (https) but this doesn’t necessarily mean that it is safe to use as anybody could get a certificate to secure a website. Lastly, if we look at the actual link, it is very random, not something you would expect from the Royal Mail. In fact you would expect to see something the Royal Mails domain assigned to it, for example: send.royalmail.com but we don’t see this here.
Clicking the Link
I hope that this article has got to you before clicking the link! If it has and you haven’t yet clicked on the link…great, DON’T click on it. I have analysed the contents of the link and I want to share what you would find.
The whole point of a Phishing attack is to try and gather/steal information and to do this, fake websites are a good way of doing this. To try and convince the victim into believing they are on a legitimate website, the bad people behind the scheme will often attempt to mirror a website. When mirroring a website, the fake website is made to look exactly like the real deal but the links and URL’s can be different.
Now when I first clicked on this link, I was presented with the following page:
No bare the following in mind…when I clicked on this link directly from the text message on my phone, the browser I was using did not detect this as a deceptive website. Therefore, for any unsuspecting victim, this could easier be missed if going off the look and feel of the website alone. However, if I visit this link on my computer (shown in Website Screenshot 1) using Firefox; before I am allowed to visit the website, Firefox lets me know that the website is deceptive and won’t let me proceed (shown in Website Screenshot 2) unless I manually accept the risk. This means that the website has likely been reported and Firefox and verified that it is indeed a deceptive website.
Spot the Difference
Looking at the face of the website in more detail, for some this would arguably seem like a legitimate Royal Mail website but let me point out a few things. If I compare the fake website above and the real Royal Mail login page, we can see the following difference:
- The fake website asks for your mobile number, whereas the real website asks for your email address
- The fake website has additional text that the real website doesn’t and there is also text that isn’t on the real website but is on the fake website
- The two URL’s (links) are totally different – as I mentioned before, you should expect to see .royalmail.com, something that the fake website doesn’t show
A few things that are not immediately noticeable unless you’ve explored are the following:
- The only links that redirect you to the real Royal Mail website are the links at the very bottom of the page. You can see this by hovering over them and/or clicking on them
- When clicking ‘Register’ on the fake website, all it will do is redirect you to the same page. Whereas if you click register on the real Royal Mail website, you are presented with different options that actually allow you to register
Another thing that is not obvious to many is the way that website forms validate the data that is entered into these forms. In a well designed website, you wouldn’t just be able to enter anything into the fields. However, on the fake website, we can do just that! As shown in the screenshots, I can enter anything I want, this is because the bad people haven’t spent enough time putting this together…they just expect people to fall for it and enter the information that is asked of them.
As long as you put numbers in the ‘Phone Number’ field, you can proceed and it doesn’t have to be 11 numbers (UK mobile numbers).
On the next page, there is an attempt to get you personal information. One this that stood out here is the fact that they are asking for a ‘Memorable name’ here. This wouldn’t typically be asked unless it was for password recovery purposes and therefore I think that the bad people want to try and use that information to try and access your real Royal Mail account or any other accounts.
Again, I entered all 0’s and it still let me proceed onto the next page.
Moving onto the next part of the form, the bad people now want you to put in your card details. Notice that they are asking for all your card details and not just the typical long card number, 3 digits on the back and expiry date. Anyone falling victim to this may as well have given their card to a stranger in the street because this is what you are effectively doing online.
Again, I entered all 0’s (including three 0’s in the CVV field) and pressed submit…the result was…a green check before you are redirected to the real Royal Mail website. Your information that was entered on the other hand is sent to the bad people and that’s their job done! For anyone falling victim, you’ve just given your personal details away and your card information and your bank account will probably be emptied in less than 10 minutes. Unfortunately the Royal Mail won’t be able to help you here and your bank may not be able to do anything other than put a stop to any transactions on your card until a new on is issued.
Another things to point out here is the text ‘Please verify the card used when purchasing your product’. What is it that you are purchasing? Where is the mention of the “package” that is being held and where is the mention of the cost which was mentioned in the text message? From a “package” why would the Royal Mail want to know all these details? They can’t verify your Date of Birth and other bits of information so why would they ask for it?
Conclusion – Guidance
The point is there’s a lot of questions that you should be asking yourself when you come across things like this. Don’t just assume that because you see a familiar logo that everything must be legit. Here are some things you can do to spot these Phishing attempts and protect yourself moving forward:
- If you are unsure, don’t click on any links
- Always verify the message/email with the company. You can call them or email them
- Visit their website directly (not clicking any received link) and look for information about scams. Often websites now have information about what could be considered a scam, what information they may ask for if it is legit and they often have an option to verify and report potential scams. The Royal Mail has the following link here which talks about Royal Mail scams and how to protect yourself. The Royal Mail specifically talk about the topic I have just covered above and note that they would not ask for payment without leaving a ‘grey’ card first.
- Don’t send any money if you are unsure what it is for and especially if the website is not what it should be
- Don’t enter your personal details on any website that you are unfamiliar with and/or have no reason to enter them
- Verify the website is not malicious using websites such as https://www.urlvoid.com. Note that depending on how new the domain is, it may not be picked up as malicious straight away so if you are still unsure of the results, always double-check with the company in question
- If you have clicked on the link, close it as soon as possible
- Report suspicious behavior to the company
- Change your DNS to use Cisco Umbrella, this will block any known malicious URL’s – see this link for more information: https://www.opendns.com/home-internet-security/
- Block the IP address 220.127.116.11 on any security devices you may have on your network. Depending on the security device, you can also block the domain and/or the URL
I hope this information has been helpful and I hope that you have read this before receiving the above message. Please share it with your friends and family so that they are aware.
If you are not bothered about the technical analysis of this Phishing attempt, you don’t have to read any further, however, if you are interested in my technical analysis please continue reading.
No redirect occurs with the URL and the IP address is currently set to: 18.104.22.168
As of 01/07/2021, the domain was registered on 29/06/21 and is showing as located in Switzerland
The URL has associated URL’s which are considered malicious
DNS activity is recent as mentioned above
Below is the following WHOIS Record which has associated malicious domains
Cisco Umbrella are not currently classifying this as malicious
The website has a digital certificate assigned with a short validity period
The following is the certificate chain
I have submitted this information to Cisco Talos for review and I have also notified the Royal Mail of this issue. If there is any further developments I will update this article.
02/07/21 – Update
- After reporting the issue to Cisco Talos, the threat category has now been changed to Phishing
- Google is now flagging this URL as Phishing
- More threat intelligence engines are reporting the URL as not trusted
08/07/21 – Update
For those using Cisco products, the URL should now be blocked and the threat score is set to 100 (see screenshot below).