In Part 1, we reviewed the various tools, tricks and techniques used in phishing scams to trick you into giving away personal data that you later regret not keeping to yourself.
Although most phishes arrive by email and conclude by luring you to a realistic-looking clone of a website you would usually trust, such as your bank or a courier delivery service, we also covered numerous other ways that phishing scams can start and finish.
Instead of tempting you with web links, some scammers may urge you to call a phone number instead, or to reply to an email or instant message for information on what to do next.
As an example, we referred you to a recent article entitled IC3 scam-reporting service abused by scammers in which we wrote about cybercriminals who ripped off the brand of the IC3 itself – the FBI’s own Internet Complaint Center website.
These scammers played a much longer, human-on-human game than the commonplace “send email/await click” approach of many phishing attacks.
They used fake accounts to join online forums for scam victims, spending time to build up a measure of trust within those groups.
They would pretend to be fraud victims themselves, all the while talking up the great work of the legitimate IC3 website, before providing details of “helpful IC3 contacts” who could be reached by free messaging services such as Telegram.
Of course, those “helpful contacts” were just other members of the scamming team.
This led the victims to feel that they were not being targeted by scammers, because they unwittingly reached out to the scammers of their own accord, rather than directly receiving unsolicited contact from someone they didn’t know.
In this article, we’re going to look at a variant form of phishing known by the jocular (yet also serious) name of smishing.
We’ll be diving right into the technical details of a smishing scam we received ourselves, on our personal mobile phone.
The letters SMiSh at the start of the name are there to remind us that the initial contact in these scams is made not by email, or by online forum, or by voice call, but with a simple, humble mobile phone text message, commonly known as an SMS, the abbreviation for the jargon term short message service.
As we pointed out in Part 1, the simplicity of smishing attacks can make them surprisingly effective, even among mobile users who consider SMS so old-fashioned and limited that they never use it to send messages themselves:
Firstly, all mobile phone numbers can receive SMSes, whether the user has the latest messaging or social media apps installed or not.
Secondly, the routine use of SMSes for legitimate notifications [by businesses such as courier companies, tradespeople and doctors’ surgeries] has led us to accept them as expected, and even as useful, in our everyday lives.
Additionally, and we’ll see this in the scam we’re diving into, phone-based scams that ask you to reply by text, to call back to a phone number, or to click a web link, are terribly easy to fall for, precisely because you’re already holding and using your phone.
This scam is also a great reminder of how little time today’s cybercriminals need, because just a few hours are more than enough for a phishing campaign to pay off.
Even if the various online resources set up by the scammers get blocklisted or taken down within their first day of operation, the scam may still have drawn in hundreds or thousands of victims whose online accounts, identities, or payment card details may have been stolen.
As you can see below, the malicious domain name used in this smishing campaign was registered through a domain registrar in Hong Kong at 2025-04-25T11:11:16Z, which is 12.11pm in the UK:
But just two-and-a-half hours later, at 2.46pm UK time, we received a fraudulent message claiming to be from Evri, a major British courier company, and linking to the newly-registered fake domain.
This message wasn’t actually an SMS, but came through Apple’s iMessage service, though iPhones use the same Messaging app to show you both sorts of message:
E.V.R.I Delivery Notification:
Due to incomplete address information, we are having problems delivering your parcel. Please click the following link to update your address within 6-12 hours of receiving the message so that the courier can deliver to you as soon as possible:
[․․․]evri.com-jtrse.top[․․․]
(Please reply with a Y, then exit the text message and open it again to activate the link, or copy the link into your Safari browser and open it)
We will expedite the shipment upon confirmation. Thank you for choosing E.V.R.I!
Intriguingly, the message is grammatically correct with no spelling mistakes, as though it may have been generated by a machine learning algorithm.
But it does read rather strangely, with some punctuation oddities, at least to a speaker of British or Commonwealth English, and it lacks the crisp brevity of a typical text message notification.
Nevertheless, it contains two nasty tricks.
The first trick is to ask recipients to reply to the message with an innocent-sounding Y for “Yes,” which seems harmless enough if you have already decided to respond to the message by clicking through.
We’re guessing that this request was put there because the malicious JavaScript code embedded in the website includes options that ask for MFA codes and bank card PINs, not merely for payment card details.
(This code path was not taken when we triggered the scam, presumably because we entered a made-up credit card number, so we were asked for an expiry date and a security code instead.)
If the scammers receive an early warning in the form of a direct message from a prospective victim, any crooks on duty at cybercrime HQ are alerted that an MFA code with a limited lifetime might be showing up soon.
The second trick is that the domain name com-jtrse.top, when prefixed with the server name evri, produces a URL in your address bar that starts with the reassuring text string https://evri.com․․․, which is a visual match for Evri’s own site, assuming that you visit the site with your mobile browser, which has less room to display full URLs than your laptop.
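The lookalike trick above is easy to reason about once you let a URL parser do the splitting for you. The following is an added example (not code from the original article, and nothing taken from the scam site) that extracts the registrable domain of each link in a message and flags hostnames that merely begin with a trusted brand domain. The trusted-domain allowlist, the sample message text and the `/track` path in the sample link are constructed for illustration; the domain name itself is the one quoted in the article. The registrable-domain logic is deliberately naive (last two DNS labels), which is enough for `.top` and `.com` but would need the Public Suffix List to handle suffixes such as `.co.uk`.

```javascript
// Added example, not from the original article: show how a parser sees
// "evri.com-jtrse.top" and flag hostnames that only *start* with a trusted domain.

// Assumed allowlist for illustration (not something the article specifies).
const TRUSTED_DOMAINS = ["evri.com"];

// Constructed sample message; the domain is the one from the article, the
// path "/track" is invented because the article elides the full link.
const SAMPLE_MESSAGE =
  "E.V.R.I Delivery Notification: Due to incomplete address information, " +
  "please update your address: https://evri.com-jtrse.top/track";

// Naive registrable domain: the last two DNS labels of the hostname.
// A production check would consult the Public Suffix List instead.
function registrableDomain(urlString) {
  const host = new URL(urlString).hostname.toLowerCase();
  return host.split(".").slice(-2).join(".");
}

// True when the hostname begins with a trusted domain but is registered under
// something else. "evri.com-jtrse.top" -> registrable "com-jtrse.top", not "evri.com".
// The character after the trusted prefix must be a separator ("-", ".") rather than
// a letter or digit, so that e.g. "evri.company.example" is not mistaken for a clone.
function isLookalike(urlString, trusted = TRUSTED_DOMAINS) {
  const host = new URL(urlString).hostname.toLowerCase();
  const reg = registrableDomain(urlString);
  return trusted.some((t) => {
    if (reg === t) return false; // the real site, or a genuine subdomain of it
    if (!host.startsWith(t)) return false;
    const rest = host.slice(t.length);
    return rest.length > 0 && !/^[a-z0-9]/.test(rest);
  });
}

// Pull http(s) links out of free text such as an SMS or iMessage body.
function extractUrls(text) {
  return text.match(/https?:\/\/[^\s<>"')]+/g) || [];
}

// One row per link: what the address bar "suggests" versus what is actually registered.
function triageMessage(text) {
  return extractUrls(text).map((url) => ({
    url,
    hostname: new URL(url).hostname,
    registrableDomain: registrableDomain(url),
    lookalike: isLookalike(url),
  }));
}

// Stand-alone run: print the triage table for the constructed sample.
console.table(triageMessage(SAMPLE_MESSAGE));
```

The useful output column is `registrableDomain`: a mobile address bar may only show you `https://evri.com`, but the parser reports that the site is really under `com-jtrse.top`, which is the name the registrar record above belongs to.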
Indeed, if you decide to be cautious and retype the link on your laptop so you can use a large-screen browser instead, the site detects that you aren’t using a mobile device, and quietly if mysteriously redirects you to Google, leaving you with nothing suspicious to see or to report.
Here, we used the Tor browser, which was routing our traffic via Sweden at the time, which accounts for the Swedish version of Google’s search page appearing:
The browser’s debugger log above shows that the bogus web page used an HTTP POST request to send browser-specific identification data to a special URL on the criminals’ server called /open/visitors/info/createOrGetUserInfo. This returns the special HTTP response code 302 to tell your browser to redirect elsewhere, and the JSON response data {"redirectURL": "https://www.google.com"} tells the browser where to go instead.
In case you’re wondering, the messages prefixed 请求错误 (request error) and 应用初始化失败 (application initialization failed) appear to be debugging messages left in the website’s JavaScript code and faithfully printed into Firefox’s usually-hidden console log.
But if the web page detects that you are using a mobile browser, the scam proper appears:
Note above how the criminals have remembered to spell the word centre correctly for British users, but have forgotten to use the British date format of DD/MM/YYYY, putting the month first instead.
Although scammers don’t always make give-away blunders of this sort, take care to look out for them yourself.
It’s bad enough to be scammed at all, but it’s even more distressing to be scammed and then realize that the warning signs were there all along, and that just a few seconds of extra attention could have kept you safe.
Next, you’re asked to fill in your personal data, notably including your delivery address, given that an incomplete address was the reason presented by the criminals to lure you into the scam at the start:
Then comes a pay page asking for a modest payment of just 41 pence (£0.41, about 55 US cents), which may sound like an unimportant amount to risk in a possibly fraudulent transaction.
Of course, the criminals aren’t after 41p.
They’re after your card or bank account details to abuse or to sell on for more serious fraud later on:
To create a believable end-game for the fake payment process, and presumably in the hope of luring you into handing over a second lot of card data as well, the criminals use a common ruse of simply stating that the payment failed:
After a second failed “transaction,” or after a short while on the page shown above, the site quietly redirects you to Evri’s real web page after erasing your browser history, thus neutralizing the [Back] button.
As a result, even if you later become suspicious, you can’t retrace your steps to see where you were, or to take screenshots to report the site as fraudulent:
These scammers use interactive browser programming tricks to upload the data you enter into each field as you go along, rather than merely when you click the explicit [Continue] or [Submit] buttons on each of their fake pages.
This means that even if you realize you’re being scammed half-way through and bail out, they’ll still have a partial capture of your data, for example by getting hold of your card number and expiry date but not your secret CVV code.
Clearly, it’s better to bail out from a scam site even if you have already given away some secrets than to plough on and reveal everything, but this is a good reminder of why not getting lured in at all is the best defense.
The crooks in this case are using the open-source website development tool Vue.js, which means their scam is essentially implemented as a JavaScript “software machine” that generates the content and manages the interactions in the background.
If you are interested in a plain-English explainer that shows just how easy it is to implement a website that keeps track of your browsing in real time, down to every individual keystroke (even [Backspace], in case you edit some of the characters in the password you’re entering), you should definitely read our article Phishing protection: Is it ever safe just to take a look?
Additionally, once you’ve completed one cycle through those fraudulent pages, and handed over at least one batch of payment card data, the server records your internet address so that it can detect if you visit the site again, even if you clear any identifying cookies from your browser.
If you return later on, for example to take a second look at the site with a view to reporting it, the abovementioned URL /open/visitors/info/createOrGetUserInfo will detect that you’ve already been hit up once, and will return a 404 Not Found error to throw you off the scent:
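Both server behaviours described so far, the POST to /open/visitors/info/createOrGetUserInfo that answers 302 with a JSON redirectURL when you arrive from a desktop browser, and the same endpoint answering 404 once you have been seen before, leave a recognisable trace in a saved browser session. Here is an added example (not the article’s code and not anything from the scam site) that triages a HAR-style capture for exactly those two patterns. The entries below are constructed to mirror the article’s description: the endpoint path, the 302 status and the `redirectURL` key are from the article, while the user-agent strings, header layout and ordering of requests are assumptions.

```javascript
// Added example, not from the original article: triage a captured browser session
// for (1) a JSON-driven redirect off-site and (2) a tracking endpoint that later
// starts answering 404 to a browser it has already seen.

const TRACKING_ENDPOINT = "/open/visitors/info/createOrGetUserInfo"; // path quoted in the article

// Constructed HAR-style entries. User-agent strings and headers are invented;
// a real HAR export has the same request/response shape with more fields.
const SAMPLE_ENTRIES = [
  { request:  { method: "POST", url: "https://evri.com-jtrse.top" + TRACKING_ENDPOINT,
                headers: { "user-agent": "Mozilla/5.0 (X11; Linux x86_64) Gecko Firefox" } },
    response: { status: 302, headers: { "content-type": "application/json" },
                body: '{"redirectURL": "https://www.google.com"}' } },
  { request:  { method: "GET", url: "https://www.google.com/",
                headers: { "user-agent": "Mozilla/5.0 (X11; Linux x86_64) Gecko Firefox" } },
    response: { status: 200, headers: { "content-type": "text/html" }, body: "<html></html>" } },
  // A later visit from the same address: the endpoint now pretends not to exist.
  { request:  { method: "POST", url: "https://evri.com-jtrse.top" + TRACKING_ENDPOINT,
                headers: { "user-agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Safari" } },
    response: { status: 404, headers: { "content-type": "text/html" }, body: "Not Found" } },
];

function hostOf(url) {
  return new URL(url).hostname.toLowerCase();
}

// Return the parsed JSON body of a response, or null if it is not JSON.
function parseJsonBody(entry) {
  const ct = (entry.response.headers["content-type"] || "").toLowerCase();
  if (!ct.includes("json")) return null;
  try { return JSON.parse(entry.response.body); } catch (err) { return null; }
}

// Pattern 1: a 3xx answer whose JSON body names a redirect target on a different
// host than the one the request went to. The server, not the page, is choosing
// where to send this particular browser.
function findCloakingRedirects(entries) {
  const findings = [];
  for (const e of entries) {
    const body = parseJsonBody(e);
    if (!body || typeof body.redirectURL !== "string") continue;
    const s = e.response.status;
    if (s < 300 || s >= 400) continue;
    if (hostOf(body.redirectURL) === hostOf(e.request.url)) continue;
    findings.push({ from: e.request.url, to: body.redirectURL,
                    userAgent: e.request.headers["user-agent"] });
  }
  return findings;
}

// Pattern 2: the tracking endpoint answered normally at least once, and every
// later call to it got 404. A genuinely removed site does not first say "302".
function findRevisitDenials(entries, endpoint = TRACKING_ENDPOINT) {
  const hits = entries.filter((e) => new URL(e.request.url).pathname === endpoint);
  const firstOk = hits.findIndex((e) => e.response.status !== 404);
  if (firstOk < 0) return [];
  return hits.slice(firstOk + 1)
             .filter((e) => e.response.status === 404)
             .map((e) => e.request.url);
}

function triageSession(entries = SAMPLE_ENTRIES) {
  return {
    cloakingRedirects: findCloakingRedirects(entries),
    revisitDenials: findRevisitDenials(entries),
  };
}

// Stand-alone run over the constructed capture.
console.log(JSON.stringify(triageSession(), null, 2));
```

The point of keeping the capture is the one the article makes: once the site has redirected you to Google or started answering 404, the screenshots are gone, but a HAR file saved from the browser’s network panel still records the endpoint, the 302-with-JSON hand-off and the later 404, which is concrete evidence you can attach to an abuse report.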
Presumably, this is the criminals’ attempt to invite you to believe that the site has already been taken down, or has stopped operating, thus leaving you feeling that there’s no need to report it as fraudulent.
Of course, even if you do now report it via one of the numerous online fraud reporting services, there’s no longer much in the way of immediate evidence that you can copy and paste into a report, such as screenshots or smoking-gun text from the offending pages.
By the way, we reported this smishing site via the Firefox browser’s abuse reporting service directly from the Help > Report deceptive site item in the browser menu.
Firefox, and presumably other browsers, started blocking it with a warning page within about 24 hours:
You can also use Google’s Report Phishing Page (the data goes into the same feed as the Firefox reports) at https://safebrowsing.google.com/safebrowsing/report_phish/.
In Microsoft Edge, use Help and feedback > Report unsafe site from the Edge menu.
For more information about the numerous other forms that phishing scams take, head back to Part 1 for some excellent advice on how to spot them and avoid them!
Paul Ducklin is a respected expert with more than 30 years of experience as a programmer, reverser, researcher and educator in the cybersecurity industry. Duck, as he is known, is also a globally respected writer, presenter and podcaster with an unmatched knack for explaining even the most complex technical issues in plain English. Read, learn, enjoy!
Featured image of crocodile by Shelly Collins via Unsplash.