Scam SMS from legitimate Qantas SMS number

Just received a scam message from what appeared to be Qantas (the same number had sent legitimate boarding messages for previous flights). The message read:

, you’ve won our mystery box this week – please use the link to schedule the delivery. http://www.b7.ai/s/2xl0lc/4uf BBL.

Following the link with a tool that fetches such URLs without a browser, to see where they lead before actually clicking on them, reveals a chain of redirects that ends at a page asking you to complete a survey first, which requires entering your personal details.

WARNING: If it’s really Qantas, they already know who you are. Why do they need any of your details again for the survey? DON'T PARTICIPATE!

Anyway, here is the log of where it goes, along with the contents of the file it finally downloads.

Log showing what it does:

--2018-11-07 11:56:53--  http://www.b7.ai/s/2xl0lc/4uf
Resolving www.b7.ai (www.b7.ai)... 109.207.77.88
Connecting to www.b7.ai (www.b7.ai)|109.207.77.88|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://go.batophor.com/ts3089-sms-qantas-au-5 [following]
--2018-11-07 11:56:54--  http://go.batophor.com/ts3089-sms-qantas-au-5
Resolving go.batophor.com (go.batophor.com)... 198.13.62.193
Connecting to go.batophor.com (go.batophor.com)|198.13.62.193|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://go.batophor.com/ts3089-sms-qantas-revs-au [following]
--2018-11-07 11:56:54--  http://go.batophor.com/ts3089-sms-qantas-revs-au
Connecting to go.batophor.com (go.batophor.com)|198.13.62.193|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://x.newsmouse.club/go/f65a8fd5-383d-47dc-8ed0-59450453dbb5?cpv=&clickid=1541554015.53-153741405-24909&camp=XX684&keyword=ts3089-sms-qantas-revs-au&category=&systarget=ts3089-sms-qantas-revs-au&sid=153741405&cid=&geo=AU&source=HT-EC [following]
--2018-11-07 11:56:55--  https://x.newsmouse.club/go/f65a8fd5-383d-47dc-8ed0-59450453dbb5?cpv=&clickid=1541554015.53-153741405-24909&camp=XX684&keyword=ts3089-sms-qantas-revs-au&category=&systarget=ts3089-sms-qantas-revs-au&sid=153741405&cid=&geo=AU&source=HT-EC
Resolving x.newsmouse.club (x.newsmouse.club)... 104.27.166.1, 104.27.167.1, 2606:4700:30::681b:a601, ...
Connecting to x.newsmouse.club (x.newsmouse.club)|104.27.166.1|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://talongo.com/go/run-gojs.php?url=https://talongo.com/in-v8-au-bem-go.php&tracker=x.newsmouse.club&keyword=ts3089-sms-qantas-revs-au&region=&carrier=%7Bcarrier%7D&model=%7Bmodel%7D&brand=%7Bbrand%7D&camp=XX684&cc=au&wid=genx01-au&sound=silent&xid=eyJ0aW1lc3RhbXAiOiIxNTQxNTU0MDE3IiwiaGFzaCI6IjdlMzVmY2IzM2NkNDVkMDY1OTMyZGViMTBhOTEzN2NjMjE5ZmU1NmQifQ%3D%3D&bemobdata=c%3Df65a8fd5-383d-47dc-8ed0-59450453dbb5..f%3D14fde457-a775-4548-b5e1-bd449e0afc95..a%3D0..b%3D0..e%3D1541554015.53-153741405-24909..c1%3DXX684..c2%3Dts3089-sms-qantas-revs-au..c4%3Dts3089-sms-qantas-revs-au..c5%3D153741405..c7%3DAU..c8%3DHT-EC..c10%3Dx.newsmouse.club [following]
--2018-11-07 11:56:57--  https://talongo.com/go/run-gojs.php?url=https://talongo.com/in-v8-au-bem-go.php&tracker=x.newsmouse.club&keyword=ts3089-sms-qantas-revs-au&region=&carrier=%7Bcarrier%7D&model=%7Bmodel%7D&brand=%7Bbrand%7D&camp=XX684&cc=au&wid=genx01-au&sound=silent&xid=eyJ0aW1lc3RhbXAiOiIxNTQxNTU0MDE3IiwiaGFzaCI6IjdlMzVmY2IzM2NkNDVkMDY1OTMyZGViMTBhOTEzN2NjMjE5ZmU1NmQifQ%3D%3D&bemobdata=c%3Df65a8fd5-383d-47dc-8ed0-59450453dbb5..f%3D14fde457-a775-4548-b5e1-bd449e0afc95..a%3D0..b%3D0..e%3D1541554015.53-153741405-24909..c1%3DXX684..c2%3Dts3089-sms-qantas-revs-au..c4%3Dts3089-sms-qantas-revs-au..c5%3D153741405..c7%3DAU..c8%3DHT-EC..c10%3Dx.newsmouse.club
Resolving talongo.com (talongo.com)... 104.24.119.246, 104.24.118.246, 2606:4700:30::6818:76f6, ...
Connecting to talongo.com (talongo.com)|104.24.119.246|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘4uf’

4uf                     [ <=>                ]   1.13K  --.-KB/s    in 0s     

2018-11-07 11:56:58 (3.94 MB/s) - ‘4uf’ saved [1154]

Contents of the file ‘4uf’:

<head>
<script type='text/javascript'>
function forward(){
window.location.replace('https://talongo.com/in-v8-au-bem-go.php?eps=8mgsTi6ekAuQ70TL7yZEd7dc6BxvuGCISTUX9vp0%2BqX2PSdhDuk4koSXd%2FHX4h9luAH%2BvvaKHmwAE1Je2%2BxWrB4ors1vKP%2F95MZhdgsQDvbSFG66C8%2BQgi27V76YW9qZbrcRJHgb1ywOhR1A2xU%2F5%2FxzYIni7EqFJ7eW0Pbe22TEpCPCIysOhDz8d3u4dUpDIQpCJ%2FSJX%2FmKCQJJ0lbyhgzix%2FpHXzYcRlwx9AaWOmAX1hv1XRYRoce5288Kh9kfjY5THMCexvncqYNGiABXNcrPEPvJtivFrhm956MBGwMQro%2B905SGjRkNfmR42QfnoTVp9SrqHQUm2%2BLnMR9llKivTAVbyVMdi9QLBw18fHrK5IRSRKDsyftDZWCVuCypqxbtTL0lmB3XEquKarGGU28qW%2F36boQu7T2EJg0XEJ9EsG%2FwCqJ2t0GPPljsuv4RFDIqVsiNvrHSZ08m9DWUg4oH4n2%2FTTVcteEXd0BgZkyB3S06Y%2FoIzrEj6CG4%2FhwZkWX7nNoTtZjTSjyqHQx2uSoW6fyzD8g2%2BGWqLJRxRhBVC2qRtPfy8NoCd2LhxwG6%2B2W6PTaPsqJxmWGMsCGfv5%2BowXbez9f%2Bca4f4q6tbNhb2nNvJltUmC%2FFGeaf1JcLPJGT0T12c1dkMYoyAISIxBo%2FFj0NRcqA6o9r0mZEFsPUPTurWW7bYyCtvuuvGzJZN2YEq2fO7IhmMmgITNdz%2FARKd16N3puAGmUXLCWSnb%2BWdESTpcdd6h0eBz6ARPBcH3m9QYYfOZVoyBiXwVQQtOzxCtxVmD1igyChXOR2SU%2B3IybUx0sU6UYdcl7ONYBKgRGUeBJTEPKwuJYSKqrOQM3S%2FVBFgs%2F6CEyRNCDBojM9olfSjn6dYqlNfMYGHSBd');
}
</script>
</head>
<body onload='setTimeout(forward, 0);'>
</body>
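The transcript above ends at a 200 OK because the last hop is not an HTTP redirect but the `window.location.replace` call in the saved file, which wget never executes. The following script is an added example (not part of the original post) that rebuilds the whole chain from a wget transcript plus the saved body, and pulls out the campaign parameters the hops carry along. The transcript and HTML embedded in it are constructed, trimmed stand-ins for the ones above, with the long `eps` value replaced by a placeholder.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample shaped like the post's wget transcript (query strings trimmed).
WGET_LOG = """\
--2018-11-07 11:56:53--  http://www.b7.ai/s/2xl0lc/4uf
HTTP request sent, awaiting response... 302 Found
Location: http://go.batophor.com/ts3089-sms-qantas-au-5 [following]
--2018-11-07 11:56:54--  http://go.batophor.com/ts3089-sms-qantas-au-5
HTTP request sent, awaiting response... 302 Found
Location: https://x.newsmouse.club/go/f65a8fd5?camp=XX684&geo=AU [following]
--2018-11-07 11:56:55--  https://x.newsmouse.club/go/f65a8fd5?camp=XX684&geo=AU
HTTP request sent, awaiting response... 200 OK
"""

# Constructed stand-in for the saved file '4uf' (the long 'eps' value replaced).
LANDING_HTML = """<head><script type='text/javascript'>
function forward(){
window.location.replace('https://talongo.com/in-v8-au-bem-go.php?eps=PLACEHOLDER&cc=au');
}
</script></head>
<body onload='setTimeout(forward, 0);'></body>"""

# Matches location = '...', location.href = '...', .replace('...') and .assign('...')
JS_REDIRECT_RE = re.compile(
    r"""(?:window|document|self|top)\.location(?:\.href)?\s*(?:=|\.(?:replace|assign)\s*\()\s*['"]([^'"]+)['"]""")

def parse_wget_log(log):
    """One dict per HTTP hop: the URL wget requested and the status it got back."""
    hops = []
    for line in log.splitlines():
        if line.startswith("--"):  # '--date time--  URL'
            hops.append({"url": line.split()[-1], "status": None, "via": "http"})
        elif line.startswith("HTTP request sent"):
            hops[-1]["status"] = int(line.split("...")[1].split()[0])
    return hops
def js_redirect_targets(html):
    """Redirects a browser would follow but an HTTP-only fetcher stops in front of."""
    return JS_REDIRECT_RE.findall(html)
def full_chain(log, html):
    """HTTP hops from the log, then the JS redirect hidden in the final 200 OK body."""
    hops = parse_wget_log(log)
    for target in js_redirect_targets(html):
        hops.append({"url": target, "status": None, "via": "javascript"})
    return hops
def tracking_params(url, keys=("camp", "keyword", "geo", "cc", "clickid")):
    """Campaign/tracking fields the affiliate hops carry along (none on the first hop)."""
    q = parse_qs(urlsplit(url).query)
    return {k: q[k][0] for k in keys if k in q}
```

Running `full_chain` over a real transcript and saved body lists every host involved, including the one wget stopped short of, which is what you want in a ticket to the carrier or the impersonated brand.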
