** The original post was published in Hebrew on August 21′ – https://il.webintmaster.com/2021/08/21/מחקר-קמפיין-פישינג-דואר-ישראל/ **
SMS scams have been around for a long time. Most of the time attackers will – to the best of their ability – imitate a known website\company, that is likely to contact you and request credit card information ahead of providing you with the service you’re expecting. This type of scam is called Phishing and is based on a method known as Social Engineering.
We recently came across a text message that had been sent to a large number of people in Israel, the content seems completely innocent – “Your package is waiting for delivery, we need to confirm the payment so we can process your request:https://bit.ly/3gipLJX”.
The message came from ISRAELPOST which at first glance adds a degree of credibility to the message. The attached link was added using a service called Bit.ly which shortens long links, and also allows you to track click data. It is usually best not to click on links that we do not know where they lead. To expand links that were shortened by Bit.ly we can copy the link to the search bar and add a + at the end of the URL ( we will get the original address and the date on which the abbreviation was created). In our case – https://www.postisrael.co.il/. Notice the great resemblance to the real website of the Israeli postal service – https://israelpost.co.il/. Take note that the link was created on August 20th.
The fake website asks for credit card information and is designed in a very similar way to the real ISRAELPOST site.
At this point, we decided to quickly investigate the scam and find the people behind it. We started off by checking the Israel Internet Association (ISOC-IL) WHOIS database. When registering a domain name (website address), the site owner needs to fill out personal details as well as other technical details. For international searches, we can use many services to find these details, but for Israeli domains (IL) we need to use this site https://www.isoc.org.il/whois.
According to the WHOIS data, the domain was registered on the 19th of August by Sigal NADIR, using this email address and phone number: firstname.lastname@example.org, 97259000006 (partially censored).
Next, we searched the email address using epieos.com. Every active GMAIL address has a unique ID, that can be used to find more details about its owner. We can occasionally find Google maps reviews or public photos of the owner. We searched the Google ID and found that the email address is active (correct to the writing of this report) and listed under the name Alas Tayyam. Additionally, We found that the email address is used for a number of other accounts such as – Twitter & Samsung (which indicates the use of an android device), and a website called freelancer.
At this point, looking at our new information we see that we have a new (second) name. It’s not an Israeli name, but more importantly, it isn’t publicly connected to the Email address we searched, and therefore less likely to be fake.
Now that we researched the email address, we will explore our other lead – the phone number. We looked through open directories online with no success, and finally found the number using the TrueCaller app (which supplies names & other information connected to the phone number). According to the app, the owner of the phone number is – ياسمين علاء (Yasmine Alaa – in English), and the number is connected to the Jawal network (Used by Palestinians in the west bank territories and Gaza).
Furthermore, we looked through databases on IntelligenceX and found the Facebook profile connected to the phone number. According to the record, the number is connected to this profile: https://www.facebook.com/profile.php?id=100005******9 – under the name Yasmine (the full name is censored for privacy), who lives in Rafah (a Palestinian city in the southern Gaza Strip). The name Alaa also appears in the record itself. Together this authenticates the name we found on TrueCaller – Yasmine Alaa. In addition, the WhatsApp image linked to the phone number also appears on the Facebook profile. It should be clarified that Yasmine may be a victim herself, and her number was used without her knowledge.
The next step in our research is to research the fraudulent website itself. We will identify hidden elements that can help us better understand the people behind it, and possibly find connected websites.
To do this we used a tool called SecurityTrails which provides details on various listings of the site on the web, and the places where it is stored. According to the tool the site was created on 08-19-2021 and the IP address is – 126.96.36.199. There are times when an IP address will not tell us much because it is used for many websites. In this case, the IP address is used for 3 more websites, which are most likely all part of the scam:
- Israelsecurityupdate.co.il – created on 08.06.2021.
- Israel-land-peace.online – created on 08.07.2021.
- Israelpostpackage.online – created on 08.15.2021. Currently active and also serves as an imitation (fraud) of the Israeli post website.
The WHOIS listings for Israelsecurityupdate.co.il is identical to the one for postisrael.co.il. The other two websites didn’t have information. When attempting to access Israelsecurityupdate.co.il, we are directed to an index of the site. When we come across a website that shows the words “index of” it means that we came across a folder that contains files located on the same server where the website is hosted. This folder can be an archive of the site, a folder of images displayed on the site, and it sometimes could be a folder that contains sensitive information and databases belonging to the server’s owner.
Within this archive, we found many files that make up the suspected phishing website. These files indicate that the crooks had completely downloaded the code files (frontend) from the Israel Post website and made an adjustment so that information entered by a user will go to them.
We can see a number of code files with Arabic names, which is another strong indicator for the source of the scammers. Additionally, we can see that certain code files have been upgraded and edited over the years, meaning that this scam has been going on for a while and appearing in different forms and variations.
We continued the investigation by looking into files from the Israelsecurityupdate.co.il (the site is no longer active) index and found an HTML file that was most likely downloaded by the scammers from the real website when creating the fake one. Unfortunately for the crook, the file contains personal information he filled out before exported the file, and to our delight, the file contains the same email we found in the WHOIS search. It also contains another Palestinian phone number.
We searched the phone number using the TrueCaller app and found that the number belongs to Alaa Tim (above we found that the first email address we searched was under the name Alas Tayyem). The name Alas is most likely an alias for Alaa, and the word ‘Tayyem’ can also be written ‘Tim’ (on Facebook many members of the Tayyem family are called Tim).
On Yasmine’s Facebook page we can see many comments from Tim/Tayyem family members, which shows a connection between her and this family. According to her Facebook page, she is married to a man named Alaa, who lives in London. They have two kids, a boy, and a girl. In one of the pictures of the daughter, it is stated that her name is J*** Alaa Tim. In Arabic names, many times the second name is used as the father’s name (in this case we know the name Alaa) and we see here that her last name is Tim!
This tells us that Alaa’s real last name is Tim, and most likely is the same Alaa Tim who left his phone number in the website’s HTML file and the owner of the email@example.com email address. In addition, the third website (Israelpostpackage.online), which is also used as a fake Israel post site, is registered using a British domain service. We know that according to Facebook, Alaa lives in London.
We could have searched for an IP address, but they used a VPN when registering the domain, so our findings would be useless. We also found that all four fraudulent websites are stored in Rachamim Aviel Twito trading as A.B INTERNET SOLUTIONS, an Israeli storage service ( the scammers are most likely using this service to hide and also give themselves more credibility in Israel). The services website is https://www.hqserv.co.il/.
After we gathered all this information, we can say with a high level of certainty that the person behind this scam is Alaa Tim, who probably splits his time living in both Gaza and London. His wife’s level of involvement is unclear at the moment. Obviously, there is more work to do to find more people involved and how far this scam goes.