Path: csiph.com!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: "Carlos E. R."
Newsgroups: comp.mobile.android
Subject: Re: SMS spoofing
Date: Thu, 18 Jun 2026 14:04:21 +0200
Lines: 106
Message-ID:
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
X-Trace: individual.net 743jGUOqYFHeUqhnGJFHygATiI3UxEVn4+XWwhKJsuih/Bobva
Cancel-Lock: sha1:bUxQGMG6RoaXgci1ikWXvRzPGrU= sha256:8qWx32AuUdKBgBKiE6FDYtMrFnf+gQF3oAOiQPIEhYE=
User-Agent: Mozilla Thunderbird
Content-Language: en-GB
In-Reply-To:
Xref: csiph.com comp.mobile.android:154214

On 2026-06-18 10:36, VanguardLH wrote:
> "Carlos E. R." wrote:
>
>> Yesterday I received an SMS from my home insurance company saying that
>> they had registered my claim, go and see it at this link. The URL seems
>> the real one, at least visually.
>>
>> But I had not put any claim, and the site asked for my login/pass. I
>> suspected.
>>
>> Today I entered the insurance site from my records. No claims listed. I
>> saw a chat (computer trouble) and I asked. They said it is probably
>> phishing, delete it. Phone the insurance to ask if I have some pending
>> claim if in doubt.
>>
>> So, the thing is they impersonated the sender. I don't know what is
>> wrong in the URL. I have the suspicion that RCS, as it works with
>> certificates, could avoid or signal these troubles.
>>
>> If you are curious, this is the SMS:
>>
>> «Your claim 01202600362123 has been registered; if you wish, you can
>> follow it at https://oau.ocaso.es/qmVki-fOZ»
>>
>> www.ocaso.es is the real, actual URL.
>
> The URL may look correct to your eyes, but it could be using IDN
> (Internationalized Domain Name) encoding, like UTF-8, which allows more
> than the ASCII charset in a URL. With the IDN charset, there are lots
> of look-alike characters facilitating a homograph attack. IDN URLs are
> valid, but too often used by scammers to make a URL look like it's
> pointing to a legit domain.

I know.

> https://en.wikipedia.org/wiki/Internationalized_domain_name
>
> https://en.wikipedia.org/wiki/Punycode
>
> Chrome and Edge (a Chromium derivative) will show the punycode version
> of an IDN URL to prevent homograph attacks. In Firefox, you have to
> edit a punycode setting in about:config:
>
> network.IDN_show_punycode = true

No such setting.

> Sometimes Firefox will show the punycode version of an IDN URL,
> sometimes not.
>
> https://wiki.mozilla.org/IDN_Display_Algorithm
>
> When I used Firefox, I didn't want a guessing game on the URLs. I set
> the punycode option in about:config to always show punycode. I'm in the
> USA, and there is no place I visit that would need to use UTF-8, or
> anything other than ASCII, in its URLs even when visiting sites in other
> countries. However, you're in Spain, I think, and IDNs are more common
> in other countries.
>
> Or they used the old trick of look-alike ASCII characters, like 1 (one)
> and l (el) looking similar, especially when inside a string.
>
> When you copy & paste the suspicious URL, we see what you see, not the
> actual encoding of an IDN URL.
>
> You mention you got the URL in an SMS text. I don't recall any SMS or
> e-mail app showing punycode instead of IDN, except with e-mail you might
> be able to look at the raw source. So, the only way you could tell it
> was a phishing website using IDNs would be to click on the URL to see
> what the address bar shows in the web browser.

It showed the same thing.

cer@Laicolasse:~/Videos/Star Trek TOS> host oau.ocaso.es
oau.ocaso.es has address 195.57.141.20
You have mail in /var/mail/cer
cer@Laicolasse:~/Videos/Star Trek TOS> host ocaso.es
ocaso.es has address 195.57.141.15
ocaso.es mail is handled by 10 alt4.aspmx.l.google.com.
ocaso.es mail is handled by 10 alt3.aspmx.l.google.com.
ocaso.es mail is handled by 5 alt2.aspmx.l.google.com.
ocaso.es mail is handled by 5 alt1.aspmx.l.google.com.
ocaso.es mail is handled by 1 aspmx.l.google.com.
cer@Laicolasse:~/Videos/Star Trek TOS>
cer@Laicolasse:~/Videos/Star Trek TOS> host 195.57.141.20
20.141.57.195.in-addr.arpa is an alias for 20.0.141.57.195.in-addr.arpa.
20.0.141.57.195.in-addr.arpa domain name pointer 20.red-195-57-141.customer.static.ccgg.telefonica.net.
cer@Laicolasse:~/Videos/Star Trek TOS> host 195.57.141.15
15.141.57.195.in-addr.arpa is an alias for 15.0.141.57.195.in-addr.arpa.
15.0.141.57.195.in-addr.arpa domain name pointer 15.red-195-57-141.customer.static.ccgg.telefonica.net.
cer@Laicolasse:~/Videos/Star Trek TOS>

The IP is almost valid, like an internal attack

-- 
Cheers,
 Carlos E.R.
 ES🇪🇸, EU🇪🇺;
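The thread turns on three ways a link can look right and not be: an IDN label with look-alike glyphs (what Chrome/Edge defuse by showing punycode), the old ASCII trick of 1 for l or 0 for o, and the real name embedded somewhere other than the parent domain. The script below is an added example, not code from either poster, that inspects a URL's host the way a punycode-showing browser would and reports those three signals. The only real value it uses is the genuine domain named in the thread, ocaso.es; the other URLs are constructed samples, and the confusable table is a small hand-picked set rather than Unicode's full confusables data. It relies on Python's built-in idna codec, which implements IDNA 2003 and does not itself check for mixed scripts, so that check is done by looking at each character's Unicode name.

```python
"""Flag look-alike hosts in URLs: IDN/punycode, mixed scripts, ASCII confusables.

Added example for the comp.mobile.android thread on SMS phishing; not the
posters' code. Uses only the Python standard library.
"""
import unicodedata
from urllib.parse import urlsplit

# The genuine domain quoted in the thread. Everything else in this file is constructed.
LEGIT_DOMAIN = "ocaso.es"

# Hand-picked ASCII characters that pass for letters at a glance ("1 (one) and l (el)").
# This is a small illustrative table, not Unicode's confusables.txt.
ASCII_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "5": "s", "|": "l"})

# Unicode name prefixes that belong to no particular script (digits, hyphen).
SCRIPT_NEUTRAL = {"DIGIT", "HYPHEN-MINUS", "FULL", "UNKNOWN"}


def host_of(url: str) -> str:
    """Extract the lowercased host from a URL ('' if none)."""
    return (urlsplit(url).hostname or "").lower()


def to_ace(host: str) -> str:
    """Punycode/ACE form ('xn--...'), i.e. what Chrome and Edge display for an IDN."""
    return host.encode("idna").decode("ascii")


def script_families(label: str) -> set:
    """Rough script set of a label, taken from the first word of each character's
    Unicode name: 'LATIN', 'CYRILLIC', 'GREEK', ... Accented Latin (ó, ñ) stays LATIN,
    so legitimate Spanish IDNs are not flagged as mixed."""
    fams = set()
    for ch in label:
        fam = unicodedata.name(ch, "UNKNOWN").split()[0]
        if fam not in SCRIPT_NEUTRAL:
            fams.add(fam)
    return fams


def mixed_script_labels(host: str) -> list:
    """Labels that mix scripts (e.g. Latin 'ocas' plus a Cyrillic 'о'), the classic homograph."""
    return [lbl for lbl in host.split(".") if len(script_families(lbl)) > 1]


def skeleton(host: str) -> str:
    """Collapse ASCII look-alikes so '0caso' and 'rnail' compare as 'ocaso' and 'mail'."""
    return host.translate(ASCII_CONFUSABLES).replace("rn", "m")


def is_under(host: str, domain: str) -> bool:
    """True if host is domain itself or a subdomain of it (oau.ocaso.es under ocaso.es)."""
    return host == domain or host.endswith("." + domain)


def assess(url: str, legit: str = LEGIT_DOMAIN) -> dict:
    """Report the look-alike signals for one URL against the expected domain."""
    host = host_of(url)
    ace = to_ace(host)
    under = is_under(host, legit)
    return {
        "host": host,
        "ace": ace,                      # punycode form, differs from host only for IDNs
        "idn": ace != host,              # any non-ASCII label present
        "mixed_script": mixed_script_labels(host),
        "under_legit": under,            # genuinely a (sub)domain of the real site
        "ascii_lookalike": (not under) and is_under(skeleton(host), legit),
        "legit_embedded": (not under) and legit in host,  # real name, wrong parent
    }


if __name__ == "__main__":
    samples = [
        "https://oau.ocaso.es/qmVki-fOZ",        # the link from the thread
        "https://ocas\u043e.es/",                 # constructed: Cyrillic о in 'ocaso'
        "https://0caso.es/",                      # constructed: digit zero for 'o'
        "https://ocaso.es.example-login.net/",    # constructed: real name as a prefix
    ]
    for s in samples:
        print(s, assess(s))
```

Run it and the thread's own link comes back with under_legit True and every alarm False, which matches what the host lookups showed: the name really is a subdomain of ocaso.es, so the trick was in the sender field, not the URL. The three constructed samples each trip exactly one signal, which is the point of checking all three rather than relying on the address bar alone.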