Uncovering a Message Thread Between Hackers Targeting Israeli Citizens

Mor David, CYESEC
Jun 6, 2023

It is a known fact that civilians often fall prey to SMS phishing scams. Hackers try to take advantage of unsuspecting people, especially during the busy holiday season when message volumes grow significantly.

My investigation got underway when someone posted a fake text message from an anonymous sender on a Facebook cybersecurity group. I knew I had the proper training to uncover malicious actors, so I decided to follow this lead and see where it took me.

The Facebook post showed a screenshot of the phishing message, which directed the recipient to a payment request for a supposed DHL shipment from Israel. I decided to investigate further, in the hope of shutting the campaign down before less security-savvy recipients fell for it.

The Investigation

After taking a moment to check the link to the attacker's website, I found an exposed directory listing that led me to a web shell file. A web shell is a malicious script that lets its operator execute code remotely on the server, read files, and so on. Attackers often use web shells as a foothold on compromised web servers from which to launch additional attacks.

Through the web shell, I was able to read the source code of the campaign and work out where the stolen data was about to be sent. I found that the attacker was forwarding victims' ID numbers, full names, and credit card information to a Telegram bot.

Using the bot token embedded in that source code, I could read everything that had been sent to the Telegram bot.

But this was not all I found. After digging a little deeper, I discovered that the JSON data also contained a message thread between the actors responsible for this phishing attack (pictured above). Each message carried the sender's first name, last name, username, language, and a Unix epoch timestamp. The word "kanka," which appears throughout the conversation, means "best friend" in Turkish.

After looking at the final messages in the thread, I was able to discern that the attackers were not done and that they may be planning more phishing attacks in both Dubai and Israel.

Offensive security specialists can learn a lot from internal communication between malicious actors. Examples include phone numbers that appear to be owned by the actors themselves, and credit card details, such as the ones pictured below, which were found in this specific thread.

The Findings

Attackers usually run multiple phishing campaigns simultaneously. Unaware that security teams can read their communication, they message each other and reveal information that is useful to offensive security specialists.

To keep tracking the attackers' communication automatically, I wrote a small Python script that polls the Telegram bot for updates. It sends a GET request to the getUpdates API endpoint, parses the JSON response, and appends every update it has not seen before to a text file. Here it is:

import time
import json
import os
import requests

telegram_domain = "https://api.telegram.org/"
telegram_bot = "botXXXXXXXXXXXXXXXXXX"  # bot token taken from the phishing kit
outfilename = "XXXXX.txt"

# Make sure the log file exists before the first read, otherwise open(..., "r") fails.
if not os.path.exists(outfilename):
    open(outfilename, "a").close()

while True:
    # getUpdates returns the bot's recent messages as a JSON document.
    r = requests.get(telegram_domain + telegram_bot + "/getUpdates")
    logs = json.loads(r.text)

    # Everything already stored, used to skip updates we have seen before.
    with open(outfilename, "r") as f:
        seen = f.read()

    with open(outfilename, "a") as z:
        for line in logs["result"]:
            line = str(line)
            if line not in seen:
                print(line)
                try:
                    z.write(line + "\n")
                except OSError:
                    print(line)

    time.sleep(60 * 60)  # poll again in an hour
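As an added example that is not part of the original post or the author's script, the block below shows how to turn the getUpdates JSON into the per-message fields described earlier (first name, last name, username, language, epoch time) and how to deduplicate on the Bot API's own update_id counter instead of comparing raw strings against a text file. The sample response is constructed for this example and contains no real data; the function names parse_updates and select_new are my own.

```python
import json
from datetime import datetime, timezone

# Constructed sample of a Telegram Bot API getUpdates response. The names,
# usernames, timestamps and text are invented for this example.
SAMPLE_RESPONSE = json.dumps({
    "ok": True,
    "result": [
        {"update_id": 100,
         "message": {"message_id": 1, "date": 1622505600,
                     "from": {"id": 1, "is_bot": False, "first_name": "Alice",
                              "last_name": "Example", "username": "alice_x",
                              "language_code": "tr"},
                     "chat": {"id": 1, "type": "private"},
                     "text": "kanka, did you see the message?"}},
        {"update_id": 101,
         "message": {"message_id": 2, "date": 1622509200,
                     "from": {"id": 2, "is_bot": False, "first_name": "Bob",
                              "language_code": "en"},
                     "chat": {"id": 2, "type": "private"},
                     "text": "yes"}},
    ],
})


def parse_updates(raw):
    """Flatten a getUpdates JSON body into records with the fields the
    article lists: first/last name, username, language and epoch time."""
    body = json.loads(raw)
    if not body.get("ok"):
        raise ValueError("Bot API returned ok=false: %r" % body.get("description"))
    records = []
    for upd in body["result"]:
        # Only message-type updates carry a sender; other kinds are skipped.
        msg = upd.get("message") or upd.get("edited_message")
        if msg is None:
            continue
        sender = msg.get("from", {})
        records.append({
            "update_id": upd["update_id"],
            "first_name": sender.get("first_name"),
            "last_name": sender.get("last_name"),      # optional in the API
            "username": sender.get("username"),        # optional in the API
            "language": sender.get("language_code"),
            "epoch": msg["date"],
            "time_utc": datetime.fromtimestamp(msg["date"], tz=timezone.utc).isoformat(),
            "text": msg.get("text", ""),
        })
    return records


def select_new(records, last_update_id):
    """Keep only updates with an update_id above the highest one already
    stored. Returns (new_records, new_last_update_id); update_id is
    monotonic, so this is a safer dedup key than the message text."""
    new = [r for r in records if r["update_id"] > last_update_id]
    if new:
        last_update_id = max(r["update_id"] for r in new)
    return new, last_update_id


if __name__ == "__main__":
    recs, last = select_new(parse_updates(SAMPLE_RESPONSE), -1)
    for rec in recs:
        print(rec["time_utc"], rec["username"], rec["language"], rec["text"])
    # The Bot API accepts an offset parameter on getUpdates; passing last + 1
    # asks the server for only the updates not yet processed.
    print("next offset:", last + 1)
```

Persisting last_update_id between polls (a one-line file is enough) lets the collector restart without re-reading the whole history, and the parsed records can be written as JSON lines rather than Python str() output, which keeps them machine-readable when they are later handed to law enforcement.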

A couple of days after the message was posted to Facebook, I noticed that the attackers had shared a list of Australian phone numbers and a phishing kit impersonating DHL Australia. I was surprised to see that this kit included a new Telegram bot and a new email address.

It wasn't long before the attackers shared a new HTML file that looked like a phishing campaign targeting Norwegian citizens and their email addresses.

Conclusion

To combat SMS and email phishing, I collected as much information as possible about the attack. I then forwarded this information to relevant organizations, including law enforcement agencies to help them combat future attacks of this kind.

By collecting and sharing information about phishing attempts, offensive security specialists and organizations can work together to reduce attacks and minimize their impact.

Preventative Measures

As a general rule, be vigilant and always double-check the authenticity of text messages before taking any action.

Start by exercising caution if the source of the SMS is suspicious. Keep in mind that messages are not always from the entities they claim to be from. If you are unsure of the source, do not click on any links in the message. Instead, open the organization's official application or website and look up the information you were given at purchase, such as the shipping number or access code. If there is an outstanding payment, it will show up there. This way, you can be sure that you are interacting with the real entity and not being scammed.

Also keep in mind that if the message you received is valid and not a phishing attempt, it will likely appear as a notification or pop-up on your screen when you enter the official website or application. This is another way to assess the credibility of the SMS you received.

Disclaimer

All the events and investigations described in this piece date back to 2021. The suggestions, methodology, and tactics presented here, however, are up-to-date.

Mor David joined CYE as a Cyber Security Expert and Red Teamer. With more than 4 years of experience, Mor specializes in internal and external assessments, writing code and is an experienced Bug Bounty Hunter.
