One of the coolest parts about working at White Ops is that we routinely monitor the internet for threats as part of our company mission. The White Ops Satori Threat Intelligence & Research team often investigates “weird things” that come up and issues threat advisories directly to individuals and companies to help make the internet safer. It’s even written into our company values: Be Good. The activity described below was observed during the course of such monitoring efforts, and we hope that by sharing our findings we can make the internet just a little bit safer.
Observed Scheme Targeting Individuals via SMS
In October 2020, the Satori team received several text messages (all to the same phone number) claiming that the recipient had won a MacBook Pro. Each message came from a different number and linked to a different .info domain; according to domain registration records, all of the domains were recently registered.
As of November 2020, the links were no longer reachable. These domains appeared to be auto-generated. We have continued to monitor the IP address (8[.]210[.]239[.]157) for new, relevant activity. Since November, they have added and removed domains on a regular basis.
MacBook Pro winner text #1
Source: White Ops Threat Intelligence, November 2020
MacBook Pro winner text #2
Source: White Ops Threat Intelligence, November 2020
MacBook Pro winner text #3
Source: White Ops Threat Intelligence, November 2020
Domain and/or IP Information
All three domains from the text messages were registered with Namecheap in October 2020 and hosted on the same IP address, 8[.]210[.]239[.]157, located in Singapore. Over 100 additional domains (132 in total) were registered in October 2020 on this IP address; all were .info domains with five-letter names. The full list can be found in Appendix A. As of March 2021, there were 188 domains in total. The IP address was still active at the time of publication of this report.
The IP address in question, 8[.]210[.]239[.]157, is associated with ISP Asia Pacific Network Information Centre, located in Australia – South Brisbane, and is assigned to organization ALIBABA[.]COM SINGAPORE E-COMMERCE PRIVATE LIMITED, located in Singapore – Singapore.
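The pattern described above (many recently registered, five-letter .info domains sharing one hosting IP) can be turned into a simple hunt over passive-DNS or registration data. The following is an added example, not White Ops code; the record layout, function names, thresholds, and sample records are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import date, timedelta

# Pattern from the advisory: a five-letter label directly under .info
FIVE_LETTER_INFO = re.compile(r"[a-z]{5}\.info")

def refang(value):
    """Undo the [.] defanging used in threat reports and normalise case."""
    return value.replace("[.]", ".").strip().lower().rstrip(".")

def suspicious_clusters(records, as_of, max_age_days=45, min_cluster=3):
    """Group recently registered five-letter .info domains by hosting IP.

    records: iterable of (domain, ip, registration_date) tuples (assumed layout).
    max_age_days and min_cluster are illustrative thresholds, not from the report.
    Returns {ip: sorted domains} for IPs hosting at least min_cluster matches.
    """
    cutoff = as_of - timedelta(days=max_age_days)
    by_ip = defaultdict(set)
    for domain, ip, registered in records:
        domain = refang(domain)
        if not FIVE_LETTER_INFO.fullmatch(domain):
            continue  # wrong TLD or label length
        if not (cutoff <= registered <= as_of):
            continue  # not a recent registration
        by_ip[refang(ip)].add(domain)
    return {ip: sorted(d) for ip, d in by_ip.items() if len(d) >= min_cluster}

# Constructed sample records (not indicators from the report);
# IPs are from the RFC 5737 documentation ranges.
SAMPLE = [
    ("qzxvk[.]info", "203[.]0[.]113[.]10", date(2020, 10, 5)),
    ("wpjrt.info", "203.0.113.10", date(2020, 10, 9)),
    ("Hbnmq.info.", "203.0.113.10", date(2020, 10, 21)),
    ("longername.info", "203.0.113.10", date(2020, 10, 12)),  # label too long
    ("kdfye.info", "203.0.113.10", date(2018, 3, 1)),         # old registration
    ("mvbxc.info", "198.51.100.7", date(2020, 10, 15)),       # lone domain
    ("abcde.com", "203.0.113.10", date(2020, 10, 15)),        # wrong TLD
]

if __name__ == "__main__":
    for ip, domains in suspicious_clusters(SAMPLE, date(2020, 11, 1)).items():
        print(ip, len(domains), domains)
```

A cluster flagged this way is a lead for review rather than a verdict, since shared hosting can place unrelated short .info domains on one address.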
Recommendations
The bad guys will often attempt to take advantage of brand names people trust -- in this case, Amazon. Thankfully, most major brands have ways for people to report these types of scams. If you’ve received messages via email or SMS that claim to be from Amazon, you can report them here. As always, it’s best to not click on links that you don't recognize, especially when they’re seemingly too good to be true. While a free MacBook Pro sounds pretty wonderful, it’s always best to be wary, vigilant, and skeptical.