On 12 January 2025 at approximately 9:14 UTC, the affected user received a suspicious SMS text message advertising a remote work position at a local e-commerce company and inviting them to join. The message included a hyperlink that used a URL-shortening service to obfuscate the real web address. Although the specific link appeared to be broken, the assigned SOC analyst confirmed that the text message was part of a smishing (SMS phishing) campaign.
On 12 January 2025 at 9:14 UTC (Figure Blue001-1), an unknown mobile number added the target's mobile number to a messaging group, sent a text message to all group members, and thereafter removed the target’s mobile number from the messaging group. The target user did not attempt to access the malicious link and instead forwarded a screenshot of the message to the SOC team.
The investigation began on 13 January 2025 by reviewing the text message for suspicious wording and web links. The text message stated that the target had been selected as a remote worker for a well-known local e-commerce platform, Jumia, with the potential to earn between KES 2,000 and 20,000 (approximately USD 15 to 155) daily. The SOC analyst confirmed with the target that they had not applied to Jumia or to any online job board related to e-commerce platforms.
The assigned SOC analyst searched for the potential attacker’s mobile number on platforms such as Truecaller, but the search yielded no notable results. (Due to local data protection regulations, this incident report obfuscates the attacker’s mobile number.)
The web link (Figure Blue001-2) in the message uses a URL-shortening service to hide the full URL. The final (unshortened) URL no longer functions, as neither the link nor the attacker account still exists.
Further analysis of the text message URL showed that several threat intelligence platforms have flagged the IP address (Figure Blue001-3) and the domain (Figure Blue001-4) associated with the unshortened URL as malicious and linked to phishing attacks.
Based on the sequence of adding the target’s mobile number to a messaging group, sending a message highlighting the potential to earn money, and hiding a malicious web link behind a shortener, this text message is likely part of an ongoing smishing campaign.
Original Text Message URL: https[:]//is[.]gd/gfYXsb?Pdw=xg5dSYOW6Q
Redirected Final URL: https[:]//app[.]imx[.]chat/new-ws-api/counter/work/shunt/account/1878307228070887425
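The two indicators above are recorded in defanged form (`[.]` and `[:]`). The following Python example, added here and not part of the original report, shows how an analyst can refang such indicators for parsing, decompose the original and final URLs into the fields the report discusses (host, path, whether the host is a known shortener), defang the host again for write-up, and derive the host and registered-domain entries to push to block lists. The shortener list and the two-label registered-domain rule are simplifying assumptions for this example, not a complete public-suffix implementation.

```python
import re
from urllib.parse import urlparse

# Constructed copies of the two defanged URLs quoted in this report.
ORIGINAL_URL = "https[:]//is[.]gd/gfYXsb?Pdw=xg5dSYOW6Q"
FINAL_URL = "https[:]//app[.]imx[.]chat/new-ws-api/counter/work/shunt/account/1878307228070887425"

# Short, illustrative list of URL-shortening hosts (an assumption for this example, not exhaustive).
KNOWN_SHORTENERS = {"is.gd", "bit.ly", "tinyurl.com", "t.co", "cutt.ly"}


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('https[:]//', '[.]', 'hxxp') back into its real form for parsing."""
    s = ioc.replace("[.]", ".").replace("[:]", ":").replace("(.)", ".")
    return re.sub(r"^hxxp(s?)", r"http\1", s, flags=re.IGNORECASE)


def defang(ioc: str) -> str:
    """Defang a URL, host or IP in the report's own style so it cannot be clicked when pasted."""
    s = re.sub(r"^(https?)://", r"\1[:]//", ioc, flags=re.IGNORECASE)
    return s.replace(".", "[.]")


def describe_url(defanged_url: str) -> dict:
    """Parse a defanged URL into the fields an analyst records about it."""
    parsed = urlparse(refang(defanged_url))
    host = (parsed.hostname or "").lower()
    return {
        "host": host,
        "path": parsed.path,
        "query": parsed.query,
        "is_shortener": host in KNOWN_SHORTENERS,
        "defanged_host": defang(host),
    }


def registered_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels): fine for hosts like app.imx.chat, not for co.uk-style suffixes."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def blocklist_entries(final_defanged_url: str) -> list[str]:
    """Host and registered-domain entries to push to proxy, firewall and EDR block lists."""
    host = describe_url(final_defanged_url)["host"]
    return sorted({host, registered_domain(host)})


if __name__ == "__main__":
    for label, url in (("original", ORIGINAL_URL), ("final", FINAL_URL)):
        print(label, describe_url(url))
    print("block:", blocklist_entries(FINAL_URL))
```

Running the script shows the original link resolving to the shortener host `is.gd` and the final link to `app.imx.chat`, with `app.imx.chat` and `imx.chat` as the block-list candidates. Never open the refanged URL in a browser; refanging is only so that `urlparse` can read it.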
Figure Blue001-1: Smishing attack text message with malicious link.
Figure Blue001-2: Detonated shortened URL provides the full malicious URL and IP address.
Figure Blue001-3: IP address flagged on threat intelligence platforms.
Figure Blue001-4: Domain flagged as malicious on threat intelligence platforms.
12 January 2025, 9:14 UTC: An attacker adds the target mobile number to a messaging group, sends a message, and immediately removes the target’s number to prevent replying.
Phone Number Verification: Searching the attacker’s mobile number (011xxxxx49) yielded no notable results associated with phishing attackers or suspicious online accounts.
Phishing Text Message: The message introduction is generic. The target was "selected" to join a remote workforce and earn money.
Malicious URL: The attacker includes a malicious URL (https[:]//app[.]imx[.]chat/new-ws-api/counter/work/shunt/account/1878307228070887425) in the message, hiding it behind the https[:]//is[.]gd URL-shortening service (Figure Blue001-2).
IP Address Verification: The IP address (104[.]18[.]34[.]12) is associated with Cloudflare and with malicious activity. However, this indicator alone is insufficient, as Cloudflare maintains a large shared IP address pool (Figure Blue001-3).
Domain Verification: The domain of the full URL (https[:]//app[.]imx[.]chat/) is associated with known malicious phishing attacks (Figure Blue001-4).
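The indicators listed above (group add-then-remove, generic job offer the user never applied for, promised daily earnings, shortened link, domain flagged by threat intelligence) can be turned into a simple triage score that a SOC can run over forwarded SMS screenshots or transcribed messages. The Python example below is added here and is not part of the original report. The sample messages, the shortener list, the scoring weights and the verdict thresholds are constructed for illustration; the confirmed-malicious host list contains only the domain from this report.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Both lists are constructed for this example; the second holds the domain from this report.
SHORTENER_HOSTS = {"is.gd", "bit.ly", "tinyurl.com", "t.co"}
TI_MALICIOUS_HOSTS = {"app.imx.chat"}

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
JOB_RE = re.compile(r"\b(remote (job|work|position|worker)|work from home|from home|part[- ]time job)\b")
MONEY_RE = re.compile(r"(\b(kes|ksh|usd)\s?\d|\$\s?\d|\d[\d,]*\s*(daily|per day|a day)\b)")


@dataclass
class SmsEvent:
    text: str                           # message body as forwarded by the user
    added_to_group_then_removed: bool   # sender added the target to a group, posted, then removed them
    user_applied_for_job: bool          # whether the user actually applied anywhere (SOC follow-up)


def hostname(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def triage(event: SmsEvent) -> dict:
    """Score one SMS against the indicators in this report; return score, reasons and a verdict."""
    text = event.text.lower()
    score, reasons = 0, []
    if event.added_to_group_then_removed:
        score += 2
        reasons.append("added to group, messaged, then removed (prevents replies)")
    if JOB_RE.search(text) and not event.user_applied_for_job:
        score += 2
        reasons.append("unsolicited remote-job offer")
    if MONEY_RE.search(text):
        score += 2
        reasons.append("promise of daily earnings")
    for url in URL_RE.findall(event.text):
        host = hostname(url)
        if host in SHORTENER_HOSTS:
            score += 2
            reasons.append(f"shortened link hides destination ({host})")
        if host in TI_MALICIOUS_HOSTS:
            score += 5
            reasons.append(f"host flagged malicious by threat intel ({host})")
    verdict = "likely smishing" if score >= 5 else "suspicious" if score >= 3 else "benign"
    return {"score": score, "verdict": verdict, "reasons": reasons}


# Constructed sample events; the first mirrors the indicators observed in this incident.
SAMPLES = [
    SmsEvent("Congratulations! You were selected as a Jumia remote worker. "
             "Earn KES 2,000 to 20,000 daily. Start here: https://is.gd/example1", True, False),
    SmsEvent("Your Jumia order 12345 has been dispatched and will arrive tomorrow.", False, False),
    SmsEvent("Thanks for applying. Your interview for the remote position is Monday at 10am.", False, True),
    SmsEvent("Earn $500 a day from home! Reply YES to start.", False, False),
    SmsEvent("Your work account is ready: https://app.imx.chat/constructed-path", False, False),
]

if __name__ == "__main__":
    for event in SAMPLES:
        result = triage(event)
        print(f"{result['verdict']:16} score={result['score']} reasons={result['reasons']}")
```

The first sample scores on all four behavioural indicators and is classed as likely smishing; a legitimate delivery notice and an interview confirmation for a job the user did apply for score zero; a money-from-home pitch without a link is only suspicious; and any link to the domain already confirmed malicious is enough on its own. Weights and thresholds should be tuned to the local false-positive rate before this is used to auto-triage reports.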
Report the attacker’s mobile number to the service provider or local authorities.
Review known data breach platforms for the target’s mobile phone number.
Delete the message if not already done.
Perform a full device scan and review to identify suspicious downloaded files, mobile apps, running processes, or battery drainage, and safely remove those files or applications.
Block the domain app[.]imx[.]chat at the EDR, email gateway, web proxy, and firewall level.
Ensure all users set up Multi-Factor Authentication (MFA) across all accounts: email, social media, and any other online account holding sensitive data.
Ensure cybersecurity awareness training is conducted regularly.