Following the trail of the "Česká Pošta" scam
The other day I received a message saying that my package couldn’t be delivered and I needed to click the link to update the details. The twist: it was in Czech!
Usually, I can smell a scam from miles away, but this time I had to pause for a brief moment. I recently sent a very important package via postal service that had to be delivered by a certain deadline, so even a slight possibility that this message might be real and the package wasn’t delivered got me alarmed.
And that’s how the scammers get you. They will send messages to tens of thousands of users whose phone numbers and emails they managed to harvest online, and while most people will ignore such messages as irrelevant, there will be a small subset of people for whom they will hit home. And within that group, there’ll be someone who’ll panic and do precisely what the scammer wants.
When you receive a message from someone you don’t know, you want to look closely at 3 things:
- where it comes from
- where it wants you to go
- the language of the message
Let’s begin by examining the number that the message came from:
The first thing you’ll notice is that it comes from a regular phone number. Confirmation messages usually come from short numbers, often 4-digit ones. Short numbers are regulated and assigned to telecom companies for specific purposes (such as automated messaging), so it’s a lot more difficult to misuse them. Regular long-format phone numbers can be used by virtually anyone. That alone isn’t enough to label this a scam, but it’s enough to make us suspicious.
Next, take note of the dial code. The dial code for the Czech Republic is 420, but this message comes from 33. A quick Google search reveals that it is for France:
Why would a Czech postal service notify me from a French phone number? Another red flag.
Now let’s look at the link it wants us to click:
There are a few elements worth noting here. First, the website is on a .vip domain. Most websites related to local businesses or government organizations in every country will be on a country code top-level domain, which means that a website in the Czech Republic will be on a .cz domain, in Slovakia on .sk, in Poland on .pl, etc. It’s a lot less common to see such websites on generic domains, and on .vip? Just no.
The name of the website also looks off. It’s not fully in Czech, nor in English, and “cez” in it doesn’t really mean anything. It looks like someone wanted to go with “cz” or “cze” (the valid 2- and 3-letter country codes for the Czech Republic) for more credibility, but either made a typo or that domain name wasn’t available.
Finally, the message itself.
While grammatically it looks perfectly normal, there’s one big piece missing: personalization. There’s no information there to indicate that it was addressed to me personally (no first or last name), or which package is in question (no tracking number).
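The three checks above (sender, link, message) can be turned into a small triage script. The following is an added example written for this article, not code from the original post: the sender number, host name and message body are constructed placeholders, the expected dial code and ccTLD are those of the Czech Republic, and the tracking-number pattern is the common two-letters, nine-digits, two-letters postal format. It flags a long-format sender with a foreign dial code, a link whose TLD is not the national one or whose host imitates the country code, and a body with no tracking number.

```python
import re
from urllib.parse import urlparse

# Constructed sample modelled on the message described in the post. The sender
# number, host name and body text are placeholders, not the real ones.
SAMPLE_SENDER = "+33612345678"
SAMPLE_BODY = (
    "Vas balik nemohl byt dorucen. Aktualizujte prosim udaje zde: "
    "https://cez-post-example.vip/#/track"
)

EXPECTED_DIAL_CODE = "420"  # Czech Republic
EXPECTED_TLD = "cz"         # Czech ccTLD

URL_RE = re.compile(r"https?://[^\s<>]+")
# Parcel identifier such as RR123456789CZ: two letters, nine digits, two letters
TRACKING_RE = re.compile(r"\b[A-Z]{2}\d{9}[A-Z]{2}\b")
# Tokens that imitate the Czech country code inside a host label
CODE_LOOKALIKES = ("cez", "cze", "cz")


def sender_flags(sender: str) -> list[str]:
    """Check 1: where the message comes from."""
    digits = re.sub(r"\D", "", sender)
    if len(digits) <= 6:
        return []  # short code: assigned to a carrier, hard to misuse
    flags = ["sender is a long-format phone number, not a short code"]
    if not digits.startswith(EXPECTED_DIAL_CODE):
        flags.append(f"sender dial code is not +{EXPECTED_DIAL_CODE}")
    return flags


def link_flags(body: str) -> list[str]:
    """Check 2: where the message wants you to go."""
    flags = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        labels = host.split(".")
        tld = labels[-1]
        if tld != EXPECTED_TLD:
            flags.append(f"{host}: .{tld} is not the national .{EXPECTED_TLD} domain")
        for label in labels[:-1]:
            if any(tok in label for tok in CODE_LOOKALIKES):
                flags.append(f"{host}: label '{label}' imitates the country code")
                break
    return flags


def personalization_flags(body: str) -> list[str]:
    """Check 3: the message itself (here: is it personalised at all?)."""
    if TRACKING_RE.search(body):
        return []
    return ["no tracking number in the message body"]


def triage(sender: str, body: str) -> list[str]:
    """Run all three checks and return every red flag found."""
    return sender_flags(sender) + link_flags(body) + personalization_flags(body)


if __name__ == "__main__":
    for flag in triage(SAMPLE_SENDER, SAMPLE_BODY):
        print("red flag:", flag)
```

On the constructed sample, all five red flags fire; a message from a four-digit short code that links to a .cz host and quotes a tracking number produces none. The heuristics are deliberately simple, and a clean result is not proof of legitimacy.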
But if you were to click on the link (which you absolutely shouldn’t do), you’d discover that the tracking number is magically prefilled for you and ready to proceed:
Imagine approaching a customer service window, and without giving any information to the worker about yourself or your package they’re ready to re-route it. What you see above is an online version of that.
At this point, you can delete such a message with 100% certainty that it’s a scam and move on with your day. But that message got to me personally, and being equipped with some technical knowledge about web scams, I kept digging.
PS: while editing this article, I also realized that I got this message during a state holiday when the postal service is closed :)
To get a better idea of who’s behind this scam, I did a registrar lookup for the domain. And while most of the data is privacy protected, we can gather that it’s registered in Guangdong, China:
The Czech post office is using a French phone number to send people a Chinese-owned website! The plot thickens.
Now it’s time to look at the web traffic. I noticed that every time I open the main page or proceed to the next one, a POST request is triggered to log something on the server:
As part of this request, a cryptic payload is sent:
A bit of trial and error reveals that it’s a base64 encoding of a URL-encoded string with the following content:
Feeding it through Google Translate we get a clear picture of what’s happening - “from: link to enter, status: currently on the home page”:
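The two-layer encoding described above (URL-encoding first, then base64) is easy to peel off once recognised. The following is an added example, not code from the original post or from the scam kit: the field names `from` and `status` are taken from the translated text, while the Chinese wording itself is a constructed placeholder, since the post does not reproduce the real payload. The decoder also tolerates stripped base64 padding and the URL-safe alphabet, two variants commonly seen in beacon payloads.

```python
import base64
from urllib.parse import quote, unquote

# Constructed plaintext modelled on what the post describes ("from: link to
# enter, status: currently on the home page"). The real beacon's Chinese
# wording is not reproduced in the post, so this is a placeholder.
SAMPLE_PLAINTEXT = "from=链接进入&status=当前在首页"


def encode_beacon(text: str) -> str:
    """Layer the encodings the way the post describes: URL-encode, then base64."""
    url_encoded = quote(text, safe="=&")  # non-ASCII becomes %XX UTF-8 byte escapes
    return base64.b64encode(url_encoded.encode("ascii")).decode("ascii")


def decode_beacon(payload: str) -> dict[str, str]:
    """Peel both layers off a captured payload and split it into fields."""
    payload = payload.strip().replace("-", "+").replace("_", "/")  # accept URL-safe base64
    payload += "=" * (-len(payload) % 4)  # restore padding if the client stripped it
    url_encoded = base64.b64decode(payload, validate=True).decode("ascii")
    plaintext = unquote(url_encoded)  # %XX sequences back to UTF-8 text
    fields = {}
    for part in plaintext.split("&"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


# What a captured request body would look like for the constructed plaintext
SAMPLE_PAYLOAD = encode_beacon(SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    print("captured payload:", SAMPLE_PAYLOAD)
    for key, value in decode_beacon(SAMPLE_PAYLOAD).items():
        print(f"{key}: {value}")
```

Running the script prints the base64 blob as it would appear in the request and then the decoded `from` and `status` fields. When analysing a real capture, feed the request body to `decode_beacon` and pass the values to a translator, as the post does.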
This scam uses real-time tracking, presumably to be able to react fast once the victim gives them what they want. So let’s find out what that is.
On the second screen, they ask to provide the address where the package needs to be delivered. There’s absolutely zero validation on that form, and once I filled it out with garbage data, I got to see what they’re actually after:
Who would’ve figured? They want the credit card details! Unlike the previous form, this one uses proper integration with a payment gateway and it didn’t accept random data.
There was nothing else I could do there, so I decided to poke around the JS code of the website to figure out what technologies it was built with. I had noticed earlier that they use a hash router, so it was likely that all routes of the website were listed somewhere. They indeed were, and among them, one route stood out:
/admin! I had to try it, and was greeted with this:
I tried a few common username/password combinations but with no luck. What really surprised me though, is how well organized this scam is: from a credible-looking replica of the Česká Pošta website to real-time tracking, to a full-fledged admin interface that’s presumably needed to use the collected credit card details before the victim realizes what is happening and reports the scam to their bank. And, above all, a picture of a kitten on the login form.
The last thing I wanted to check out was the data they stored in the browser. While nothing of interest was stored in cookies, localStorage had quite a lot of stuff:
There was that fake tracking number again, more characters in Chinese, and a lot of values with __darcula prefixes. It’s clearly an indication that they use some service called Darcula that I had never heard of.
This is where my research comes to an abrupt end, because while I was googling to find out more about Darcula I stumbled upon two brilliant articles on the same scam by Israeli security researcher Oshri Kalfon. In his quest, he manages to get inside the admin portal and into their private Telegram group, so definitely give them a read.
Having received bulletproof confirmation that it was a scam and taken a glimpse into how it works, it was time to report it.
Most modern browsers provide an easy way to report phishing websites by filling out a simple form. With phone numbers, the process is different for each country. The message I received was from a French phone number, and finding instructions for France was a bit of a challenge. In the end, I found a cybercrime number that I needed to forward the text message to.
Hopefully, this scam will be shut down promptly.