Following the trail of "Česka Pošta" scam

The other day I received a message saying that my package couldn’t be delivered and I needed to click the link to update the details. The twist: it was in Czech!

Screenshot of the message

Usually, I can smell a scam from miles away, but this time I had to pause for a brief moment. I recently sent a very important package via postal service that had to be delivered by a certain deadline, so even a slight possibility that this message might be real and the package wasn’t delivered got me alarmed.

And that’s how the scammers get you. They will send messages to tens of thousands of users whose phone numbers and emails they managed to harvest online, and while most people will ignore such messages as irrelevant, there will be a small subset of people for whom they will hit home. And within that group, there’ll be someone who’ll panic and do precisely what the scammer wants.

How to spot a scam

When you receive a message from someone you don’t know, you want to look closely at three things:

  • where it comes from
  • where it wants you to go
  • the language of the message

Let’s begin by examining the number that the message came from:

Screenshot of the message sender

The first thing you’ll notice is that it comes from a regular phone number. Confirmation messages usually come from short numbers, often 4-digit ones. Short numbers are regulated and assigned to telecom companies for specific purposes (such as automated messaging), so they are a lot more difficult to misuse. Regular long-format phone numbers can be used by virtually anyone. That alone isn’t enough to label this a scam, but it is enough to make us suspicious.

Next, take note of the dial code. The dial code for the Czech Republic is 420, but this message comes from 33. A quick Google search reveals that it is for France:

Screenshot of the dial code search

Why would a Czech postal service notify me from a French phone number? Another red flag.

Now let’s look at the link it wants us to click:

Screenshot of the message with the link

There are a few elements worth noting here. First, the website is on a .vip domain. Most websites related to local businesses or government organizations in every country will be on a country code top-level domain, which means that a website in the Czech Republic will be on a .cz domain, in Slovakia on .sk, in Poland on .pl, etc. It’s a lot less common to see such websites on generic domains like .com or .net, but .vip? Just no.

The name of the website also looks off. It’s not fully in Czech, nor in English, and “cez” in it doesn’t really mean anything. It looks like someone wanted to go with “cz” or “cze” (valid 2- and 3-letter country codes for the Czech Republic) for more credibility, but either made a typo or that domain name wasn’t available.

Finally, the message itself.

While grammatically it looks perfectly normal, there’s one big piece missing: personalization. There’s no information there to indicate that it was addressed to me personally (no first or last name), or which package is in question (no tracking number).

But if you were to click on the link (which you absolutely shouldn’t do), you’d discover that the tracking number is magically prefilled for you and ready to proceed:

Screenshot of the scam website

Imagine approaching a customer service window, and without giving any information to the worker about yourself or your package they’re ready to re-route it. What you see above is an online version of that.
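The three checks above (where the message comes from, where it wants you to go, and what the message says) can be turned into a small triage routine. The code below is an added example, not something from the original post or from the scam site: the sender number, the link and the message bodies are constructed placeholders (only the +33 prefix and the .vip domain mirror what the post describes), the 6-digit cut-off for short codes and the UPU S10 tracking-number shape (two letters, nine digits, two letters) are assumptions used to make the checks concrete.

```javascript
// Added example: the "How to spot a scam" checklist as a triage function.
// Sample data is constructed; it is not the real sender, link or text.
const EXPECTED_DIAL_CODE = "+420";       // Czech Republic
const EXPECTED_TLDS = new Set(["cz"]);   // a Czech service would normally be on .cz
const SHORT_CODE_MAX_DIGITS = 6;         // assumption: short codes are roughly 4-6 digits

// Assumption about what "personalization" would look like: a UPU S10
// tracking number such as RR123456789CZ somewhere in the body.
const TRACKING_RE = /\b[A-Z]{2}\d{9}[A-Z]{2}\b/;

// Constructed samples (placeholders, not the real message).
const SCAM_SAMPLE = {
  sender: "+33612345678",
  body: "Your package could not be delivered. Update the details at https://cez-example.vip/track",
};
const LEGIT_SAMPLE = {
  sender: "1234",
  body: "Zásilka RR123456789CZ je na cestě: https://example.cz/track",
};

// Pull every http(s) URL out of the text; skip anything the URL parser rejects.
function extractUrls(text) {
  const out = [];
  for (const m of text.match(/https?:\/\/[^\s]+/g) || []) {
    try { out.push(new URL(m)); } catch (_) { /* not a parsable URL */ }
  }
  return out;
}

// Returns a list of human-readable red flags; an empty list means none found.
function triageMessage({ sender, body }) {
  const flags = [];

  // 1. Where it comes from: long-format number vs. regulated short code,
  //    and whether the dial code matches the country the sender claims to be in.
  const digits = sender.replace(/\D/g, "");
  if (digits.length > SHORT_CODE_MAX_DIGITS) {
    flags.push("sender is a regular long-format number, not a short code");
  }
  if (sender.startsWith("+") && !sender.startsWith(EXPECTED_DIAL_CODE)) {
    flags.push(`sender dial code is not ${EXPECTED_DIAL_CODE}`);
  }

  // 2. Where it wants you to go: top-level domain of every link.
  for (const url of extractUrls(body)) {
    const tld = url.hostname.split(".").pop().toLowerCase();
    if (!EXPECTED_TLDS.has(tld)) {
      flags.push(`link host ${url.hostname} is on .${tld}, not a .cz domain`);
    }
  }

  // 3. The language of the message: is there anything that ties it to one parcel?
  if (!TRACKING_RE.test(body)) {
    flags.push("no tracking number in the message body");
  }
  return flags;
}

console.log(triageMessage(SCAM_SAMPLE));
console.log(triageMessage(LEGIT_SAMPLE));
```

Each flag on its own is only a reason to be suspicious, as the post says about the long-format number; it is the pile-up of all of them on one message that makes the call easy.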

At this point, you can delete such a message with 100% certainty that it’s a scam and move on with your day. But that message triggered me personally, and being equipped with some technical knowledge about web scams, I kept digging.

PS: while editing this article, I also realized that I got this message during a state holiday when the postal service is closed :)

Getting technical

To get a better idea of who’s behind this scam, I did a registrar lookup for the domain. And while most of the data is privacy protected, we can gather that it’s registered in Guang Dong, China:

Screenshot of the whois

The Czech post office is using a French phone number to send people to a Chinese-owned website! The plot thickens.

Now it’s time to look at the web traffic. I noticed that every time I open the main page or proceed to the next one, a POST request is triggered to log something on the server:

Screenshot of the POST request

As part of this request, a cryptic payload is sent:

Screenshot of the payload

A quick trial and error reveals that it’s a base64-encoded string of a URL-encoded string with the following content:

{"__from__":"链接进入","__status__":"当前正在首页"}

Feeding it through Google Translate we get a clear picture of what’s happening - “from: link to enter, status: currently on the home page”:

Screenshot of Google Translate

This scam uses real-time tracking, presumably to be able to react fast once the victim gives them what they want. So let’s find out what that is.

On the second screen, they ask to provide the address where the package needs to be delivered. There’s absolutely zero validation on that form, and once I filled it out with garbage data, I got to see what they’re actually after:

Screenshot of the scam website asking for CC details

Who would’ve figured? They want the credit card details! Unlike the previous form, this one uses proper integration with a payment gateway and it didn’t accept random data. 

There was nothing else I could do there, so I decided to poke around the JS code of the website to figure out what technologies it was built with. I had noticed earlier that they use a hash router, so it was likely that all routes of the website were listed somewhere. They indeed were, and among them, one route stood out: /admin! I had to try it, and was greeted with this:

Screenshot of the scam website admin UI

I tried a few common username/password combinations but with no luck. What really surprised me though, is how well organized that scam is: from a credible-looking replica of the Česka Pošta website to real-time tracking, to a full-fledged admin interface that’s presumably needed to use the collected credit card details before the victim realizes what is happening and reports the scam to their bank. And, above all, a picture of a kitten on the login form.

The last thing I wanted to check out was the data they stored in the browser. While nothing of interest was stored in cookies, localStorage had quite a lot of stuff:

Screenshot of localStorage content

There was that fake tracking number again, more characters in Chinese, and a lot of values with __darcula prefixes. It’s clearly an indication that they use some service called Darcula that I had never heard of.

This is where my research comes to an abrupt end, because while I was googling to find out more about Darcula I stumbled upon two brilliant articles on the same scam by Israeli security researcher Oshri Kalfon. In his quest, he manages to get inside the admin portal and into their private Telegram group, so definitely give it a read.

Taking action

Having received bulletproof confirmation that it was a scam and taken a glimpse into how it works, it was time to report it. 

Most modern browsers provide an easy way to report phishing websites by filling out a simple form. With phone numbers, the process is different for each country. The message I received was from a French phone number, and finding instructions for France was a bit of a challenge. In the end, I found a cybercrime number that I needed to forward the text message to.

Hopefully, this scam will be shut down promptly.