AT&T Free Msg: You know you shouldn't click ... so we did it for you!

CyberCrime & Doing Time 2021-09-18

 If you live in the United States and have an AT&T phone, you are almost certainly receiving SMS messages that look something like this: AT&T Free Msg: August bill is paid. Thanks, MARY! Here's a little gift for you: n9cxr[.]info/dhmxmcmBTQ (from +1 (718) 710-0863) 

or 

AT&T Free Msg: August bill processed. Thanks, Mary! Here's a little something for you: l4bsn[.]info/C2Lx3oggFi (from +1 (332) 220-7291) 

or 

AT&T Free Msg: Latest bill is paid. Thanks, Fedencia!  Here's a little freebie for you: k5amw[.]info/VloTBdytEl  (from +1 (870) 663-5472) 

AT&T has, in effect, trained its customers to expect text messages from it that contain links. Every time your bill is available, or paid, or has a new charge, you get a text message that starts with "AT&T Free Msg:" and ends with a link such as "att.com/myattapp" or "att.com/myViewBill." That is exactly the habit these lures exploit: the only thing that distinguishes them from the real thing is the domain at the end of the message.

This is where some independent amateur researchers make a mistake. If you visit the URL in the first message from your Windows computer, you are simply forwarded to Google, and it is easy to conclude that the link is harmless or already dead.

Here is what happens in the background (the screenshot shows the exchange, with my browser's request in red). My browser tells the server, "I want this page, dhmxmcmBTQ, and by the way, here is my User-Agent." n9cxr[.]info replies, in effect, "Never heard of it, why don't you go to Google instead," by sending a "302 redirect."
If you had clicked on that same message from your phone, you would NOT be sent to Google. That is because the web server checks the User-Agent to see whether the request is coming from a phone or from a computer. Because the criminals only sent their spam by "SMS blasting," they assume every legitimate potential victim will arrive from a phone; anything else is presumed to be a researcher, a crawler or a security scanner and is shunted off to Google. Since I don't have a great set of monitoring tools on my phone, I'll tell the Chrome instance in my virtual machine to lie when it visits web servers and pretend to be an iPhone. I'm being a bit lazy here and using another Chrome plug-in, this one called "User Agent Changer," which gives me a menu like this:
Once I change my Chrome virtual machine to pretend to be "Safari on iPhone," we revisit the URL that was sent to my phone:
Notice on line 5 that where it previously said I was "Windows NT 10" it now says I am "(iPhone; CPU iPhone OS 9_2 like Mac OS X)." (That is a very out-of-date iPhone, but apparently good enough for this criminal's scheme, because now I get this!)
We have written several times in the past about these never-ending surveys. Their objective is to gather as much personal data from you as they can and to show you as many advertisements as they can. They earn revenue both by showing you ads during the survey and by selling the personal information they gather about you to organizations that want "qualified sales leads." They tell those organizations that you are looking for savings on college tuition, health insurance, car insurance, electronics, a new vehicle, and so on, and you start getting more spam from those organizations, which believe you asked for it!

We asked our friends at Zetalytics, via their Zone Cruncher tool, "So where in the world is the IP address that n9cxr[.]info resolves to?" They told us it is located in Hong Kong on a server hosted by Alibaba Inc.

That's very interesting!  Thanks, Zetalytics!  Could you also tell us OTHER DOMAIN NAMES that have recently been seen on that same IP address?  After all, we've received three such domains in the three messages that I received on my personal phone!

All of those domains are of course registered at the scummy domain registrar NameCheap.  They claim that if we inform them of bad domains, they will de-register them.  Once I post this, I'll send them a copy and report back what happens.

By the way, the content is not exactly the same with each visit.  My next visit to the n9cxr URL gave me this pop-up instead:

So how are we getting to the fake AT&T page?  That's where a tool that CAUCE Director Neil Schwartman showed me comes in.  While I don't recommend the company necessarily, this little Chrome plug-in is gold for mapping out redirect paths!  (Search for the Chrome Extension "Ayima Redirect Path" and please remember you should only be reviewing potentially hostile URLs in a Virtual Machine!)

What does all that mean? It tells us that the first URL's web server claimed that the page we asked for, "dhmxmcmBTQ," had been temporarily redirected to "themechallenge[.]club," and that we should ask that server for a particular "key."
That key caused the server to send us JavaScript that redirected us to another URL on the same website, which in turn did a "META redirect" to the web server "go.metreysi[.]info," where we were to identify ourselves with a certain "cnv_id." That server then recorded us as having clicked and sent us via another "302 temporary redirect" to a web server called "redirect.usersupport[.]net." UserSupport then did yet another redirect, which took us to the website "att.usersupport[.]net." That is five hops between the text message and the fake AT&T page, none of them visible to a user who just tapped the link.
More domains to look up in ZoneCruncher!
https://themechallenge[.]club/click.php?key=abrrkduwznt79g18cx66
go.metreysi[.]info => hosted on LeaseWeb at 23.108.57[.]187
redirect.usersupport[.]net => hosted on 2606:4700:3032::6815:2b25
att.usersupport[.]net => hosted on 2606:4700:3031::ac43:da02
I'm guessing that all of these other "go" sites that are sharing the same IP address will also be involved in illegal "redirection" scams that start off with SMS Blasting.
By the way, do you remember the "key" we had to pass?  In a similar way to our User-Agent, if you visit one of these sites and fail to pass it a "key" it will just redirect you to 127.0.0.1, which means, "visit your own machine." 
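The User-Agent cloaking described earlier and the redirect chain just walked through can both be mapped without browser plug-ins. The following is an added example, not code from the original post or from any tool it names: a small Python tracer that requests a URL first with a desktop and then with an iPhone User-Agent, refuses to auto-follow redirects so that every 302, META refresh and JavaScript location hop is recorded, and stops rather than follow a 127.0.0.1 redirect back to the analyst's own machine. The User-Agent strings, the example.test hosts and the function names are assumptions; like the plug-ins, it belongs in a disposable virtual machine.

```python
import html
import re
import sys
from urllib.error import HTTPError
from urllib.parse import urljoin, urlparse
from urllib.request import HTTPRedirectHandler, Request, build_opener

# Assumed User-Agent strings; the iPhone one mirrors the "iPhone OS 9_2" UA the post used.
IPHONE_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 9_2 like Mac OS X) "
             "AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13C75 Safari/601.1")
WINDOWS_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36")

# The two client-side redirect styles seen in the chain: a META refresh and a JS location assignment.
META_REFRESH = re.compile(
    r"""<meta[^>]*http-equiv\s*=\s*["']?refresh["']?[^>]*content\s*=\s*["']?\s*\d+\s*;\s*url\s*=\s*([^"'>\s]+)""",
    re.I)
JS_LOCATION = re.compile(
    r"""(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*["']([^"']+)["']""", re.I)


class NoRedirect(HTTPRedirectHandler):
    """Make urllib surface every 3xx as an HTTPError instead of silently following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def find_client_redirect(body, base_url):
    """Absolute target of a META refresh or JS location redirect found in an HTML body, else None."""
    for pattern in (META_REFRESH, JS_LOCATION):
        m = pattern.search(body)
        if m:
            return urljoin(base_url, html.unescape(m.group(1)))
    return None


def next_hop(status, headers, body, current_url):
    """Where a response sends the client next: (target_url, kind), or (None, None) if the chain ends."""
    location = headers.get("Location")
    if 300 <= status < 400 and location:
        return urljoin(current_url, location), f"HTTP {status}"
    target = find_client_redirect(body, current_url)
    if target:
        return target, "client-side"
    return None, None


def is_loopback(url):
    """The 'wrong key' behaviour from the post: a redirect to 127.0.0.1 must not be followed."""
    host = urlparse(url).hostname or ""
    return host in ("localhost", "::1") or host.startswith("127.")


def fetch(url, user_agent, timeout=10):
    """One request with a chosen User-Agent and no automatic redirect following."""
    opener = build_opener(NoRedirect())
    req = Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers, resp.read(65536).decode("utf-8", "replace")
    except HTTPError as err:  # every 3xx lands here because of NoRedirect, as do 4xx/5xx
        raw = err.read(65536) if err.fp is not None else b""
        return err.code, err.headers, raw.decode("utf-8", "replace")


def trace_redirects(url, user_agent, max_hops=10):
    """Follow server- and client-side redirects by hand; returns [(url, kind), ...] for each hop."""
    hops = [(url, "start")]
    for _ in range(max_hops):
        status, headers, body = fetch(url, user_agent)
        target, kind = next_hop(status, headers, body, url)
        if target is None:
            break
        hops.append((target, kind))
        if is_loopback(target):  # record the 127.0.0.1 bounce, but do not request our own machine
            break
        url = target
    return hops


def cloaking_verdict(desktop_hops, mobile_hops):
    """The tell from the post: the same URL ends somewhere different depending on the User-Agent."""
    desktop_end, mobile_end = desktop_hops[-1][0], mobile_hops[-1][0]
    return desktop_end != mobile_end, desktop_end, mobile_end


if __name__ == "__main__":
    # Usage: python trace.py 'https://<host>/<path>'   (inside a throwaway VM only)
    target = sys.argv[1]
    desktop, mobile = trace_redirects(target, WINDOWS_UA), trace_redirects(target, IPHONE_UA)
    for label, hops in (("desktop", desktop), ("iPhone", mobile)):
        print(label)
        for hop_url, kind in hops:
            print(f"  {kind:<12} {hop_url}")
    cloaked, _, _ = cloaking_verdict(desktop, mobile)
    print("User-Agent cloaking:", "yes" if cloaked else "no")
```

Two design choices matter here. Redirects are never auto-followed, because the analyst wants the 302 that sends desktops to Google as a data point rather than an invisible detour; and a hop to 127.0.0.1 is logged and the trace stops, since otherwise a lazy tracer would dutifully send the request to whatever happens to be listening on the analyst's own box.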

Not just AT&T!

One of Zetalytics' other tricks is showing me other hostnames on the same domain. (The technique is called passive DNS: a historical record, built from observed resolutions, of which names have pointed at which addresses.)
It looks like "UserSupport[.]net" is also being used to imitate TikTok, CostCo, Walmart, and Google, shipping company UPS, FedEx, and US Postal Service, and Cell phone providers, AT&T, Comcast, Spectrum, T-Mobile, and Verizon!
Because I haven't received those particular SMS messages, I can't navigate to them. (I have the wrong "key" to get the chain started.) But I'd love to see some more of these if you would be willing to share a screenshot!

List of SMS-spam-abusing .info (and .xyz) domains believed to be associated with these campaigns. It is probably no coincidence that there are exactly 100 entries; note that several names appear more than once.
1find[.]info
1fwnx[.]info
1nvc[.]info
2edcc[.]info
2gtex[.]info
2ofgm[.]info
3mgie[.]info
3ohmd[.]info
4gogm[.]info
4onnr[.]info
4onnr[.]info
6ghme[.]info
6nbfu[.]info
6omrf[.]info
6wqbv[.]info
7botm[.]info
7gboe[.]info
7gboe[.]info
7uwhn[.]info
7wxcd[.]info
8bmxw[.]info
9bmdx[.]info
a2sct[.]info
a7tev[.]info
appsc[.]info
appsf[.]info
bjdz2[.]xyz
bmeq9[.]info
bookc[.]info
bookx[.]info
cartm[.]info
cartm[.]info
cartz[.]info
faceg[.]info
faceg[.]info
faceh[.]info
facem[.]info
faceu[.]info
facey[.]info
fuwd2[.]info
gg0l[.]info
gi3t[.]info
gi3t[.]info
gitn4[.]info
goen4[.]info
gotr6[.]info
gr8f[.]info
havec[.]info
havec[.]info
havec[.]info
havec[.]info
havec[.]info
havec[.]info
havej[.]info
havew[.]info
hidej[.]info
hidej[.]info
hidem[.]info
hidep[.]info
hidep[.]info
j1bcs[.]info
j1bcs[.]info
j2bmf[.]info
k2ave[.]info
k4acr[.]info
k4acr[.]info
k8bvz[.]info
kpl5[.]info
kpp8[.]info
kpp8[.]info
kse0[.]info
ktf4[.]info
l1bmz[.]info
l5brv[.]info
lgte3[.]info
m2cxn[.]info
m6cda[.]info
mbdz2[.]xyz
mqbvn[.]info
n4csv[.]info
n9cxr[.]info
nameb[.]info
pexw0[.]xyz
qkkk2[.]xyz
raini[.]info
rainl[.]info
rainz[.]info
s1vrk[.]info
s2avr[.]info
s2avr[.]info
s4asc[.]info
s6axe[.]info
s7axm[.]info
s8avx[.]info
toer9[.]info
toer9[.]info
vbjh9[.]xyz
wodm7[.]info
wordc[.]info
wosn9[.]info
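Two points made above can be turned into a small triage script: the lure borrows AT&T's own "AT&T Free Msg:" prefix and differs from a real notice only in the link domain, and the list just given carries repeated entries. This is an added example, not code from the original post or from AT&T: the allowlist of att.com, the benign fourth sample message and the function names are assumptions, while the three lure texts are the ones quoted at the top of the post.

```python
import re
from collections import Counter

# Assumption: genuine AT&T notices link only to att.com paths such as att.com/myattapp (quoted in the post).
ATT_ALLOWLIST = {"att.com"}
BRAND_PREFIX = "AT&T Free Msg:"

# A bare or scheme-prefixed hostname, optionally followed by a path; only the hostname is captured.
URL_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?", re.I)

# Constructed sample set: the three lures quoted in the post plus one benign notice made up for contrast.
SAMPLE_SMS = [
    "AT&T Free Msg: August bill is paid. Thanks, MARY! Here's a little gift for you: n9cxr[.]info/dhmxmcmBTQ",
    "AT&T Free Msg: August bill processed. Thanks, Mary! Here's a little something for you: l4bsn[.]info/C2Lx3oggFi",
    "AT&T Free Msg: Latest bill is paid. Thanks, Fedencia!  Here's a little freebie for you: k5amw[.]info/VloTBdytEl",
    "AT&T Free Msg: Your bill is ready to view at att.com/myViewBill",
]


def refang(text):
    """Undo the [.] defanging used in the post so hostnames parse normally."""
    return text.replace("[.]", ".")


def extract_domains(message):
    """All hostnames linked from a message, lower-cased."""
    return {m.group(1).lower() for m in URL_RE.finditer(refang(message))}


def in_allowlist(domain, allowlist=ATT_ALLOWLIST):
    """Exact match or a true subdomain of an allowed domain; att.com.evil.info does not pass."""
    return any(domain == a or domain.endswith("." + a) for a in allowlist)


def is_brand_spoof(message, brand_prefix=BRAND_PREFIX, allowlist=ATT_ALLOWLIST):
    """True when a message wears the carrier's prefix but links to a domain outside the carrier's own."""
    if not message.startswith(brand_prefix):
        return False
    return any(not in_allowlist(d) for d in extract_domains(message))


def dedupe_iocs(lines):
    """Refang and normalise a pasted domain list; returns (sorted unique domains, names seen more than once)."""
    counts = Counter(refang(line).strip().lower() for line in lines if line.strip())
    return sorted(counts), {d: n for d, n in counts.items() if n > 1}


if __name__ == "__main__":
    for sms in SAMPLE_SMS:
        print("SPOOF" if is_brand_spoof(sms) else "ok   ", sorted(extract_domains(sms)))
    unique, repeats = dedupe_iocs(["n9cxr[.]info", "havec[.]info", "havec[.]info", "l4bsn[.]info"])
    print(len(unique), "unique domains; repeated:", repeats)
```

The allowlist check is deliberately suffix-based with a leading dot, so a lure hosted at something like att.com.<random>.info is still flagged; the brand prefix alone proves nothing, which is the whole point of the post.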