Phishing is the most common way bad guys steal your passwords and hook viruses to your machine. This is routinely done via email, but the practice is becoming more popular in SMS messages, something Forbes has called "smishing". Today I received one such message and thought I'd go deeper and get to the heart of this malicious phenomenon.
It starts rather innocuously: a message arrives that says "Hi! Look, someone takes your photos here…" and a link is provided. The link is obscured by a link shortener, and the message uses the kind of broken English common to the SPAM email of yore. No one would fall for this, right? Wrong: this particular beast had been clicked 187,630 times as I write. The most common target of this particular link is Canada, with over 97% of clicks recorded there. The source? Based on the phone number, Russia, but I wouldn't trust that location because it could be spoofed.
With the link in hand, I wanted to start by expanding it. clc.to is part of the to.click link management system. Since most shorteners can be expanded either via a special postfix or through an analytics view, I created a link of my own and found that appending "/stat" would offer more details.
My nasty SPAM link pointed to a site, nrwnq.badmilfs.mobi, a domain with no developed web page up, just text that reads "Site is under construction, please visit later". Probably compromised, I thought. Yes, but with clear intention. The site carries a TLS certificate issued by Let's Encrypt, which is the very thing critics of "HTTPS Everywhere" have been warning us about: a valid padlock says nothing about who is behind a site. Dig a little further and you'll see the site was built very recently with some interesting software.
Where does the link go exactly? Near as I can tell, it’s a redirection engine that could take you to any number of sites. The first site I hit appeared to be some kind of dating engine. My guess is that this will vary depending on your client, where you’re from, and what device you use to click the link.
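Because a redirection engine like this can answer differently per client, a safe way to see where a short link leads is to walk the Location headers hop by hop with HEAD requests, once per User-Agent, without ever loading a page. The script below is an added example, not part of the original post or of the to.click service; the User-Agent strings and example hosts are constructed, and it assumes you run it from an isolated analysis box since every hop still contacts the attacker's infrastructure.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed User-Agent strings: a redirection engine that keys on device or
# locale may send each of these to a different landing page.
CLIENTS = {
    "android": "Mozilla/5.0 (Linux; Android 10; Mobile) AppleWebKit/537.36",
    "desktop": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
}

def head_hop(url, user_agent, timeout=10):
    """One HEAD request: return (status, Location header) without downloading a body."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=timeout)
    path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    try:
        conn.request("HEAD", path, headers={"User-Agent": user_agent})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def trace_redirects(url, user_agent, fetch=head_hop, max_hops=10):
    """Follow Location headers hop by hop. Returns ([(url, status), ...], stop_reason)
    with stop_reason one of "final", "loop", "max_hops". `fetch` is injectable for tests."""
    chain, seen, current = [], set(), url
    for _ in range(max_hops):
        if current in seen:
            return chain, "loop"
        seen.add(current)
        status, location = fetch(current, user_agent)
        chain.append((current, status))
        if status not in REDIRECT_CODES or not location:
            return chain, "final"
        current = urljoin(current, location)  # Location may be relative to the current hop
    return chain, "max_hops"

def compare_clients(url, fetch=head_hop, clients=CLIENTS):
    """Trace the same short link as each client and report where each one ends up."""
    results = {}
    for name, ua in clients.items():
        chain, reason = trace_redirects(url, ua, fetch=fetch)
        results[name] = (chain[-1][0], reason)
    return results

if __name__ == "__main__":
    import sys
    for client, (final_url, reason) in compare_clients(sys.argv[1]).items():
        print(f"{client:8} -> {final_url} ({reason})")
```

HEAD requests only reveal header-based redirects; a hop that redirects through JavaScript or a meta refresh will show up as a "final" 200 and needs inspection in a sandboxed browser instead.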
Below are the full, sordid details, from the initial text message through to the analytics. Be careful out there, and for God's sake, don't click the link.