ethical.blue Magazine

// Cybersecurity clarified.

Phishing: Reaper Collecting PESEL Numbers

2022-05-08   Dawid Farbaniec
...
Today (2022-05-08) my laboratory received an SMS with the following text:
PGE: Na dzien 09.05 zaplanowano odlaczenie energii elektrycznej! Prosimy o uregulowanie naleznosci: https://pge-online[.]news/{id_here}
(In English: "PGE: A power cut is scheduled for 09.05! Please settle your outstanding balance: https://pge-online[.]news/{id_here}")



You can tell at first glance that the message is suspicious. However, if you are unsure, ask yourself the following questions.

💥 Were we expecting this message?
Sample answer: No, because the message was received by the wife, while the invoices are always issued to the husband.

💥 Do we know the sender of the message?
Sample answer: The sender is some random mobile number, not an official company number.

💥 Is the sender trying to create pressure?
Sample answer: The message clearly tells you to click as quickly as possible, or the electricity will be cut off.

💥 Is the link provided in the message the real website of the company / institution?
Sample answer: This is some exotic URL. I always use the electronic customer service office, which has a different address.

These basic questions are always worth asking and can protect us from phishing and similar attacks. In simple terms, phishing is an unexpected message from an unknown sender whose content creates pressure and prompts you to click a dangerous URL (a so-called link).
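The four questions above, turned into a small SMS triage function in Python. This is an added example, not code from the original post: the trusted-domain list and the pressure-word list are assumptions, and the input is the message quoted above, defanged as in the article.

```python
import re
from urllib.parse import urlsplit

# Assumed allow-list of the provider's legitimate domains (placeholder; replace with
# addresses verified from the company's own customer-service office).
TRUSTED_DOMAINS = {"pge.pl"}
# Constructed list of pressure words (ASCII-folded Polish) typical of such lures.
PRESSURE_WORDS = ("odlaczenie", "natychmiast", "zaplanowano", "uregulowanie naleznosci")
URL_RE = re.compile(r"(?:hxxps?|https?)://\S+", re.IGNORECASE)

def refang(url: str) -> str:
    """Turn a defanged URL (hxxp://, [.]) back into a parseable one."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE).replace("[.]", ".")

def link_host(url: str) -> str:
    """Host of a (possibly defanged) URL, lower-cased; '' if unparseable."""
    return (urlsplit(refang(url)).hostname or "").lower()

def is_trusted(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def looks_like_brand(host: str) -> bool:
    """True when an untrusted host reuses a trusted brand label such as 'pge'."""
    brands = {d.split(".")[0] for d in TRUSTED_DOMAINS}
    return not is_trusted(host) and any(b in host.split(".")[0] for b in brands)

def triage(sender: str, text: str, expected: bool = False) -> list:
    """Apply the four questions to one SMS; return the reasons it looks suspicious."""
    reasons = []
    if not expected:
        reasons.append("unexpected message")
    # A bare subscriber number instead of a registered alphanumeric sender ID.
    if re.fullmatch(r"\+?\d{9,15}", sender.replace(" ", "")):
        reasons.append("sender is an ordinary mobile number")
    if any(w in text.lower() for w in PRESSURE_WORDS):
        reasons.append("wording creates time pressure")
    for url in URL_RE.findall(text):
        host = link_host(url)
        if not is_trusted(host):
            kind = "brand look-alike" if looks_like_brand(host) else "unknown"
            reasons.append(f"link points to {kind} domain {host}")
    return reasons

# Constructed input: the SMS quoted in the article, defanged as in the post.
SMS_SENDER = "+48572724424"
SMS_TEXT = ("PGE: Na dzien 09.05 zaplanowano odlaczenie energii elektrycznej! "
            "Prosimy o uregulowanie naleznosci: https://pge-online[.]news/{id_here}")

if __name__ == "__main__":
    print("\n".join(triage(SMS_SENDER, SMS_TEXT)))
```

Note that the second URL from the IoC list carries the brand only in its path, so it is reported as an unknown domain rather than a look-alike.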

Reaper of Personal Identity Numbers

Under no circumstances should we click on links from unknown sources. A phishing website that we can simply close is one of the mildest scenarios; you never know whether the link leads to an exploit kit that can infect your device (e.g. a phone or computer). However, in order to show how the PESEL-number harvesting machine operates, I decided to open the link in an isolated environment for educational purposes.

The first screen is a page that imitates the company website, with information about a small overdue amount.



An HTML template created hastily and carelessly.



A fake request for a mobile number.



A fake payment method selection screen.



I chose a random bank and got a fake login panel.



The next step is an attempt to extract my PESEL number.



The last step sends the entered information to the threat actor.



As far as I can tell, the mechanism collects PESEL numbers along with telephone numbers. That is a lot already. Such data can be correlated with address data that leaked, for example, from some online store. After that, the threat actor has a complete set of personal data.

Do the same?



Quick money with programming skills 💵
💰 write a hacking tool, but sell it to a legitimate Red Team at some company,
💰 write to an agency that creates websites and offer to build them a template in correct HTML/CSS,
💰 contact a magazine and ask whether they want a good article or tutorial about cybersecurity,
💰 write a program or a computer game and sell the copyright (source code is always more expensive than a user licence),
💰 etc.

Stay ethical.

Indicators of Compromise (IoCs)

(Polish: Wskaźniki kompromitacji)
+48572724424 (572724424, 572 724 424)
https://pge-online[.]news/{id_here}
https://xednsk[.]online/pge/{id_here}/{id_here}/

Summary

Stay safe.

Bibliography

Analysis based on the SMS message received. 📱
