I received an SMS message (text message for those Americans amongst you) this morning at 07:04, apparently from my wireless service provider, claiming to have given me a free 1GB of data per month. All I had to do was click the link to enable it.
Firstly, I was suspicious of the time the message was sent: my carrier has never sent me an SMS that early. Secondly, the number did not match anything I associate with them - but that is a bit tenuous, as they sometimes use weird internal numbers. The URL in the message (partly blocked out here) did seem reasonable, but it was also not exactly what I thought it should be.
So instead of clicking the link I did this:
waldo@waldopcl ~ $ whois XXXXXwireless.net
Domain Name: XXXXXWIRELESS.NET
Registrar: ERANET INTERNATIONAL LIMITED
Sponsoring Registrar IANA ID: 1868
Whois Server: whois.eranet.com
Referral URL: http://www.eranet.com
Name Server: NS1.QHOSTER.NET
Name Server: NS2.QHOSTER.NET
Name Server: NS3.QHOSTER.NET
Name Server: NS4.QHOSTER.NET
Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Updated Date: 09-jan-2017
Creation Date: 10-oct-2016
Expiration Date: 10-oct-2017
...
Domain name: XXXXXwireless.net
Registry Domain ID: 2064875459_DOMAIN_NET-VRSN
Registrar WHOIS Server: whois.eranet.com
Registrar URL: http://www.tnet.hk/
Update Date: 2017-01-08T16:00:00Z
Creation Date: 2016-10-10T04:54:02Z
Registrar Registration Expiration Date: 2017-10-09T16:00:00Z
Registrar: ERANET INTERNATIONAL LIMITED
Registrar IANA ID: 1868
Registrar Abuse Contact Email: support@eranet.com
Registrar Abuse Contact Phone: +852.35685366
Reseller:
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Registry Registrant ID:
Registrant Name: st pierre Marco
Registrant Organization: Marco st pierre
Registrant Street: 1500 rue de leglise
Registrant City: ste catherine
Registrant Province/state: quebec
Registrant Postal Code: h1k1c1
Registrant Country: CA
Registrant Phone: +450.4958575
Registrant Phone EXT:
Registrant Fax: +450.4958575
Registrant Fax EXT:
Registrant Email: marcostpierre87@gmail.com
...
Clearly super suspicious. So I next did this:
waldo@waldopcl ~ $ curl "http://XXXXXwireless.net"
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://manhattanservice.it/web/totes/signin">here</a>.</p>
</body></html>
See the redirect? Since JavaScript cannot execute when you just request a dump of the page with curl, and the URL carried no real identifying data, this was OK to do. It clearly shows the URL manhattanservice.it - which has no relation to me or my ISP. Scammer stopped.
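The two checks above (how recently the domain was registered, and where the link actually redirects) are easy to script so they can be run the same way every time. The following is an added example, not code from the original post: it parses the creation date out of WHOIS output, walks the HTTP redirect chain one hop at a time with automatic following disabled (so nothing the server returns is rendered or executed), and flags every hop whose registrable domain is not the carrier's. The WHOIS text, the 301 body and the offline responses are constructed from the output shown on the page; the carrier domain "realcarrier.example" and the received-at date (the date of the update below, since the post does not give the SMS date) are assumptions for the sake of the example.

```python
import re
from datetime import datetime, timezone
from urllib.error import HTTPError
from urllib.parse import urlsplit
from urllib.request import HTTPRedirectHandler, Request, build_opener

# Constructed sample inputs, trimmed from the whois and curl output on the page.
WHOIS_SAMPLE = """Domain Name: XXXXXWIRELESS.NET
Registrar: ERANET INTERNATIONAL LIMITED
Creation Date: 10-oct-2016
Expiration Date: 10-oct-2017
...
Creation Date: 2016-10-10T04:54:02Z
Registrar Registration Expiration Date: 2017-10-09T16:00:00Z
"""
BODY_301 = """<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head><title>301 Moved Permanently</title></head><body>
<p>The document has moved <a href="http://manhattanservice.it/web/totes/signin">here</a>.</p>
</body></html>"""
# Assumed: the SMS date is not on the page, so the update date is used.
RECEIVED_AT = datetime(2017, 2, 10, tzinfo=timezone.utc)

# Registry and registrar blocks use different date formats; try each.
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%d-%b-%Y", "%Y-%m-%d")


def parse_whois_date(value):
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(value.strip(), fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def creation_date(whois_text):
    """Earliest 'Creation Date:' in the output (both blocks list one)."""
    dates = [parse_whois_date(m.group(1))
             for m in re.finditer(r"^\s*Creation Date:\s*(\S+)", whois_text, re.M | re.I)]
    dates = [d for d in dates if d is not None]
    return min(dates) if dates else None


def domain_age_days(whois_text, as_of):
    created = creation_date(whois_text)
    return None if created is None else (as_of - created).days


def registrable_domain(host):
    """Last two labels; fine for .net/.it, but a real tool should use the
    public suffix list so that e.g. .co.uk is handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def redirect_target(status, headers, body):
    """Location header first; otherwise the href in the stock 301 page,
    which is what curl printed in the post."""
    if not 300 <= status < 400:
        return None
    loc = headers.get("Location")
    if loc:
        return loc
    m = re.search(r'<a href="([^"]+)">here</a>', body)
    return m.group(1) if m else None


class NoRedirect(HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # refuse to follow; urllib raises HTTPError instead


def http_fetch(url, timeout=10):
    """One live request, redirects not followed, body never rendered."""
    opener = build_opener(NoRedirect)
    try:
        with opener.open(Request(url), timeout=timeout) as r:
            return r.status, r.headers, r.read().decode("utf-8", "replace")
    except HTTPError as e:
        return e.code, e.headers, e.read().decode("utf-8", "replace")


def offline_fetch(url):
    """Stand-in for http_fetch, constructed from the curl output on the page."""
    responses = {"http://XXXXXwireless.net": (301, {}, BODY_301)}
    return responses.get(url, (200, {}, "<html>login form</html>"))


def walk_redirects(fetch, url, max_hops=5):
    """Return every URL in the chain, stopping at the first non-3xx hop."""
    chain = [url]
    for _ in range(max_hops):
        status, headers, body = fetch(url)
        nxt = redirect_target(status, headers, body)
        if not nxt:
            break
        url = nxt
        chain.append(url)
    return chain


def triage(start_url, expected_domain, whois_text, received_at, fetch, max_age_days=180):
    """Findings a practitioner would want: young domain, off-brand hops."""
    findings = []
    age = domain_age_days(whois_text, received_at)
    if age is not None and age < max_age_days:
        findings.append(f"domain registered {age} days before the message")
    chain = walk_redirects(fetch, start_url)
    for hop in chain:
        d = registrable_domain(urlsplit(hop).hostname or "")
        if d != expected_domain:
            findings.append(f"{hop} is on {d}, not {expected_domain}")
    return chain, findings


if __name__ == "__main__":
    chain, findings = triage("http://XXXXXwireless.net", "realcarrier.example",
                             WHOIS_SAMPLE, RECEIVED_AT, offline_fetch)
    print(" -> ".join(chain))
    print("\n".join(findings))
```

Swap offline_fetch for http_fetch to run it against a live link. Like the author's curl, each hop is fetched exactly once and nothing is followed automatically, which is why it is worth confirming first that the URL carries no per-recipient token: a fetch of a tokenised link still tells the sender that the number is live, even though no JavaScript runs.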
UPDATE 2017-02-10
I just received an email from an interested reader who I presume had also been targeted with this bit of social engineering. He actually went a bit further and followed the malicious link, which resulted in the following sequence of forms (posted with his permission):