Open Nav
Sign Up

Under the hood of a Smishing campaign

Under the hood of a smishing campaign

Dan Shallom

May 7, 2022

Earlier today our OP Innovate research team received yet another Smishing attempt asking them to provide credit card details. 

The SMS looks like a legitimate message from the Israeli post offices and even contains a correctly formatted tracking number:

החבילה שלך: RU0041902037Z‌ מוכן לאיסוף, אנא לחץ על הקישור והשלם את התשלום: https://2u.pw/MT5To

The message requests credit card details in order to pay customs fees associated with a package and enable its delivery – this plays on the victim’s sense of urgency.

The Tiny URL service is legitimate and has been seen in previous phishing campaigns targeting Israelis.

When a victim clicks on the Tiny URL link they are redirected to the following website: https://cobbjones.ca/postal/log/app/

By navigating to the top level of the website, we arrive at the commercial and seemingly legitimate website of a Canadian law firm. The site must have been hacked in order to gain access to the sub folders – we approached the owner and informed them about the unfortunate hijacking of their web resources.

Hacked website

In terms of security, the site suffers from additional misconfigurations. These provide access to server logs and from there we could see the amount of traffic this site received, and of course the clear text credit card details that the victims inserted.

Here are some further insights:

This is how it looks like from an attacker perspective:

  1. The user form:
  2. The visitors logs
  3. The detailed visitors logs – post processing

Here are some of our insights into the attack:

  1. 06-May-2022 10:43:15 first hit – this is most probably the attacker testing their tools
  2. 07-May-2022 10:40:22 last hit; – this is most probably the tiny URL provider responded
  3. The number of SMS sent / received is unknown
  4. 4103 victims who received the SMS opened it, clicked the link and got to the phishing website
  5. 257 victims of them moved forward and provided credit card data:
    1. 164 were legitimate details
      1. 119 Visa card
      2. 45 Mastercard 
  6. As can seen from the chart below, the campaign was most successful during its first 5 hours:

We took the following action with this information:

  1. Reported the attack to the Israeli CERT 
  2. Reported the attack to the Israeli credit cards companies so that they can approach the victims 
  3. Approached the Tiny URL provider who killed the campaign 
  4. Approached the hacked website owner with some recommendations for patching and recovery
  5. Posted this blog and spread the word – if you happen to clicked and provided your card details contact your credit card provider immediately

Have a safe weekend! 

OP Innovate

Resources highlights

Actively Exploited SonicWall SMA1000 Vulnerabilities (CVE-2026-15409 and CVE-2026-15410)

SonicWall has released emergency hotfixes for two vulnerabilities affecting SMA1000 Series secure access appliances. Both vulnerabilities have been exploited in active attacks, and one carries…

Read more >

sonicwall_cve-2026-15409_cve-2026-15410_op

Critical Gitea Docker Authentication Bypass Under Active Probing: CVE-2026-20896

A critical authentication bypass vulnerability, tracked as CVE-2026-20896, has been disclosed in the official Gitea Docker image. Gitea is a self-hosted software development platform used…

Read more >

gitea_docker_cve-2026-20896

Adobe Patches Multiple Critical ColdFusion and Campaign Classic Vulnerabilities: CVE-2026-48282 Exploitation Observed

Adobe has released security updates for multiple critical vulnerabilities affecting Adobe ColdFusion and Adobe Campaign Classic, including several flaws rated CVSS 10.0.CVE-2026-48282, a critical ColdFusion…

Read more >

adobe_coldfusion_campaign classic_cve-2026-48282

CVE-2026-46817: Critical Oracle E-Business Suite Vulnerability

A critical vulnerability in Oracle E-Business Suite is now being actively exploited in the wild. Tracked as CVE-2026-46817, the flaw affects the File Transmission component…

Read more >

cve-2026-46817-oracle-e-business

Cisco Unified CM Vulnerability CVE-2026-20230 Targeted After Public PoC Disclosure 

Cisco has disclosed and patched CVE-2026-20230, a critical SSRF vulnerability affecting Cisco Unified Communications Manager and Unified CM SME when the WebDialer service is enabled.…

Read more >

CVE-2026-20230

Microsoft Confirms Unpatched RoguePlanet Defender Zero-Day (CVE-2026-50656)

Microsoft has confirmed a new Microsoft Defender zero-day vulnerability tracked as CVE-2026-50656 and publicly referred to as RoguePlanet. The flaw affects the Microsoft Malware Protection…

Read more >

RoguePlanet_cve-2026-50656
Under Cyber Attack?

Fill out the form and we will contact you immediately.