A few days ago I got a message from a friend asking if I could investigate a message he had gotten by SMS about possibly having won 10 000 SEK at Swedish supermarket chain ICA. I said “sure, why not” and spent a few hours digging around. As it turns out, the message in question was nothing more than a spam campaign trying to get people to fill out a survey and thereby give out their email addresses and sign up for different “offers”, but there were some parts about it that triggered my curiosity so I thought I’d do a brief write-up. Please note that this was done during a pretty busy weekend, so you’ll have to forgive my somewhat high level analysis.

Statement by ICA

It should be noted that ICA has an official statement on their website about not being involved in any such campaign. The statement also says that ICA never passes customer information on to 3rd parties.

Getting started

Before I got going, I went on Twitter and asked around for recipients of similar text messages. I got a few relevant responses, and also a couple that were for what seems to be a different campaign with some similar traits. I also did a Twitter search and found a few cases where people said that they had received these SMS. I eventually ended up with 6 samples, which is not a lot but still much better than just a single one. 5 of the 6 samples had links to the same domain (www.finalen.org) while the 6th had a link to a different one (matfinal.com). This domain does not exist anymore, but the URI turned out to work for www.finalen.org too, so this is definitely the same campaign. This also shows that the spammers are switching domains quite rapidly, possibly to minimize the effect of a particular domain being highlighted as spam.

The message

The message arrives as an SMS and claims that the recipient has qualified for a final and thereby has the chance to win 10 000 SEK (about 1100 Euro) at ICA, a Swedish supermarket chain. The message also contains an HTTP link with a URI that is unique for each recipient. The messages appear to come from multiple pre-paid Tele2 numbers, which is yet another sign that this is not a legit campaign.

“Congratulations, you are in the final. Big chance to win 10 000 SEK at ICA. Confirm your place by clicking here”

As you can see, the unique part of the URI has been blurred out, and we will get to why shortly.

The domains

When looking up whois information for the domains used by this campaign, I found that finalen.org is registered by a company called Domains By Proxy LLC, and that matfinal.com does not exist. Just as the name suggests, Domains By Proxy is a company that specializes in acting as a proxy for domain registrations, thereby keeping the actual registrant secret. I can fully understand why such a service would be needed, but not for someone hosting a legit survey. There is definitely something shady going on here.

After doing some googling, I found that matfinal.com was previously also registered by Domains By Proxy but has now been deleted, something that just further underlines the tactics used by these spammers. Registering domains for a short time and then removing them is a classic example of shady behavior.

The URL

The URL in the SMS looks like this:

http://www.finalen.org/q/MzAx{15 character unique string here}

When the recipient clicks the link in the SMS, he or she is taken to a page that reads the URI, and then redirects the recipient via a location header to another URI that looks like this:

http://www.finalen.org/quiz/q?survey_code=MzAx&aff_code=MTIzNDU3&dom_id=14&last_name=recipient’s last name&first_name=recipient’s first name&phone=recipient’s mobile phone number&address=recipient’s address&zipcode=recipient’s zip code&city=recipient’s city&gender=recipient’s gender&pn=recipient’s personal number

What is interesting about this is that the recipient’s information, including personal number (Swedish equivalent of social security number) and gender, is included in the URI. This means that this is not someone sending spam to random numbers, but a campaign that has a database of people that contains some quite sensitive information. This also means that this particular campaign will have an air of legitimacy about it, as a user that follows the link and finds that his or her information, including personal number and gender, is already filled out is more likely to assume that this is in fact a legit survey.

It should be noted that personal numbers are considered public information in Sweden and that there are a number of payed services that you can use to get someone’s information. I am however not sure if there is any service that can link a person’s personal number with their mobile phone number. More about this later.

Update:

It has come to my attention that services like ratsit actually provides both phone number and personal number to subscribers of the service, although not publicly. Such a service could potentially be where the user information comes from, although there are still some questions about how that would be possible for at least one of the samples (see the “Samples and oddities” section below).

Looking closer at the URL, we can see a couple of interesting things:

The first 4 characters after http://www.finalen.org/q/ seems to be some sort of campaign code. These characters are the same for all the samples, and are also the value getting passed to the survey_code parameter in the redirect URL. Nothing else from the original URL seems to be passed to a parameter in the redirect URL.

The 15 unique characters after the campaign code seems to be a unique identifier that resolves a URI to a particular user.

At the moment I have no idea what the parameters called “aff_code” and “dom_id” does, although “dom_id” could be what identifies the domain used when the updated information is passed back to the database.

Samples and oddities

As I mentioned earlier, the occurrence of sensitive information like personal numbers was something that made this campaign stand out. This got even more interesting when I noticed that one of the samples had some odd characteristics.

The sample in question was the one that did not have www.finalen.org as the domain in the SMS, but instead the deleted domain matfinal.com. Since the URIs looked the same between the domains, I simply changed the domain to www.finalen.org and got a hit. While this made this sample different from the start, it got even more differentiated from the others when I found that the personal number that got passed to the URL was not that of the female born in 1994 registered for the phone number that the SMS was sent too, but for a man born in 1967 with the same last name. Though I have not been able to verify this with them, I’m assuming that the man is the girl’s father.

Considering that this information has to come from somewhere, one theory is that the girl’s father started a subscription of some sort for his daughter, but registered her phone number as it was her who would be the primary user of the service. This kind of thing is usually done for services that has an age limit, so it could possibly be for a mobile subscription or possibly even for the ICA Bank. As I wrote earlier, the phone number seems to be registered for the girl, although the subscription could have changed owners after the spammers obtained the user information.

Cracking the unique URI strings

Another thing that struck me as odd was some similarities between the unique parts of the URIs. Here are the URIs after the www.finalen.org/q/MzAx part with their corresponding personal numbers:

XzA3Mj{REDACTED}

1967{REDACTED}

XzA3MD{REDACTED}

1974{REDACTED}

XzA3MD{REDACTED}

1976{REDACTED}

XzA3MD{REDACTED}

1978{REDACTED}

XzA3Mz{REDACTED}

1972{REDACTED}

XzA3MD{REDACTED}

1978{REDACTED}

As is fairly obvious, the personal numbers starting with 197* all except for one (starting with 1972) have XzA3MD as the first characters of their unique URI string. This initially led me to believe that the unique string was in fact some sort of encoding or replacement cipher, and it turns out that I was not completely wrong although it had nothing to do with the personal numbers.

As it turns out, the unique URI is the recipients phone number encoded with eval() and base64_decode() in PHP, and can be decoded by some simple PHP code or by using an online tool such as this.

So for example:

MzAxXzA3Mz{REDACTED} becomes 301_0733{REDACTED} once decoded.

Where the first part is the campaign identifier and the underscore just acts as a separator between the values. The reason why so many of my samples had the same first characters in the URI was because the phone numbers started with the same digits. Duh.

The database

If I had any doubt whatsoever that these spammers were operating based on the content of a database, it was all gone once I encountered this:

This was the result of simply changing lower case letters to upper case and vice versa in the unique URI string. This is a sure sign that the spammers are not very technical, and someone with a little less ethics than myself could probably dump their entire database with a little SQLi trickery.

The website

An interesting thing about the website is that it requires a mobile user-agent for the redirect to work, just going to one of the links from the text messages on a regular computer does not work as the page will not load. I tried a number of mobile user-agents and got the same result, so this does not seem to be browser or mobile platform specific in any way. This could potentially be because the spammers does not want the recipient to be able to see the entire URI, although that is admittedly not a very strong reason.

There does not seem to be any exploits or malware being served, something that was not really surprising although I kind of hoped for it just to spice things up. As previously mentioned, the technical level of the spammers also seems to be pretty low as I got a number of PHP database errors just by modifying values in the URL GET parameters.

The survey

The website the recipient is redirected to when clicking the link in the SMS has a number of form fields, many of which are already filled out by grabbing values from URL parameters. One field that is not pre-filled out is email address, which suggests that wherever the spammers got the user information, email was not included information. Email address, and the ability to connect an email address to a phone number and persona number, is likely to be one of the biggest objectives of this campaign. When I entered an email address and started filling out the survey, I almost immediately received an unsolicited spam email which appeared to have no connection to this (although of course it had) to my dummy email address.



The landing page, clicking “Delta nu” (participate) makes the page scroll down to…

…the pre-filled out form fields.

The survey itself mainly asks questions about eating habits and economy. The next question seems to be based on what your answer to the previous question was, and every third or so page is basically an attempt for the user to sign up for some service or mailing list, something that probably happens regardless of what you choose.

Conclusion

Considering ICA’s official statement coupled with the short-lived domains, anonymous domain registrations, and other classic spammer tactics, there is no doubt that this is not a legit campaign. While it is seemingly no more than a scam to trick recipients into giving up their email addresses and signing up for services, the presence of personal information is disturbing. The main question is where this information comes from. Some theories of mine are:

The information has nothing to do with ICA at all and comes from some other source that does not have a problem sharing (likely for money) customer data with 3rd parties. This source could potentially be a service that has an age limit, as the discrepancy between phone number holder and personal number in one of the samples suggests.

The information comes from a database breach, possibly even ICA’s own customer database, and has been sold on the black market. The theory of a service with age limit is relevant also in this case.

The information has been gathered and compiled, manually or semi-manually, by the spammers themselves.

Spam sucks regardless of delivery vector.

(Update) The information could come from a service such as as ratsit, but that would not explain the mismatch between phone number and personal number as described in the “Samples and oddities” section. Ratsit also has this, somewhat ironic, message on their website:

Finally, if anyone has any more information or samples regarding this, please drop me a line at addelindh at gmail dot com or give me a shout on Twitter.