So Katy got a scam text claiming to be Canada Post with an undeliverable package. I'm in the process of gathering information to send a report to their registrar's abuse department, but they're doing something clever to cover their tracks that I haven't fully been able to unravel.
For context, here is the link (with spaces added to prevent it from turning into an actual link and being accidentally clicked):
https:// canadapost-postecanadadeliverylivraison .com/canadapost/index.php
When opened from Safari on her phone, it loads a realistic-looking phishing site, but when opened from any other browser, it returns an empty (0 bytes) page. I assume this is to hamper attempts to investigate abuse claims (though the domain name is already pretty incriminating).
Since there doesn't appear to be any kind of unique identifier, I assumed this to be some kind of spear phishing attack that was based on her browser's User-Agent string, but when I tell curl to mimic it, I still don't get a result.
Any ideas about how they're doing this?
Isaac Ji Kuo, in reply to Jonathan Lamothe (post marked as sensitive content):
There are ways to determine what sort of browser is actually being used, even if the User-Agent string is set to pretend to be a different browser.
For a while, Disney+ was using this to make sure you weren't trying to watch it on a Linux computer.
I don't know what genius thought that was a good idea, but after some months they must have realized they were punching themselves in the nuts for no reason and stopped blocking Linux usage.
Jonathan Lamothe, in reply to Isaac Ji Kuo: