SlickRockWeb 🇺🇲🇺🇦
CEO of SlickRockWeb, SEO guy & part-time citizen journalist. A numbers cruncher, problem solver, and now @DFRLab trained Digital Sherlock #infoSec #infoOps

May 14, 2020, 12 tweets

Did anyone else get this political spam text yesterday on their cell phone? Surprised me because I am reasonably careful with my cell and almost never get political messages on it #infosec #osint

I of course would never click on a link like this on my phone ...but I am curious as hell now & of course had to investigate. I found other similar links all with a 3-alphanumeric code indicating link-shortening / link-redirection. In this case Rebrandly was used #infosec #osint

The domain "bidenrecord" was recently registered on 05-09-20 and registration was reasonably private ... although it will soon be obvious who was behind this campaign. #infosec #osint

Still careful not to be overly exposed to the link ... I looked at the redirection chain. Now it was very clear who was behind the campaign. There is some interesting detail in that redirection chain and of course minor changes based on your URL shortened code. #infosec #osint

So if you didn't look carefully at the redirect chain above, this cell phone texting campaign using the redirect domain "bidenrecord(.)com" ultimately lands u on the Donaldjtrump(.)com campaign website. And it clearly states the "Paid for" boilerplate in the footer #infosec #osint

Besides questions of what database are they using? Was the "persuadable audience" set as indicated in the query data the only one that got this? And what is up with this @HybridAnalysis report? We definitely want to dig into that ...especially the phishy looking PayPal domain?

This is going to get annoying if I'm going to get a new one every day. But I never block Twitter trolls ...so I guess that applies to this as well. Why you ask? Because that is putting your head in the sand, admitting defeat and ceding territory. A losing strategy #osint #infosec

So once again this new political spam text is using link-shortening / link-redirection from the company Rebrandly which apparently is a foreign company first started in Italy and then Ireland I believe #infosec #osint

The domain "sleepyjoe(.)link" was recently registered on 05-08-20 and registration was again reasonably private although identical to the bidenrecord(.)com registration. It will again be very obvious who is behind this campaign. #infosec #osint

Looking at the redirection chain it's clear who is behind the campaign, the Donald J Trump re-election campaign. There is some interesting detail in the redirection chain & of course minor changes based on your URL shortened code. But the landing & query all match #infosec #osint

The redirect domain "sleepyjoe(.)link" ultimately lands you on the Donaldjtrump(.)com campaign website and a "sleepyjoe" landing page. And it clearly states the "Paid for" boilerplate in the footer #infosec #osint

Glad I am not the only one .... I guess this means I will soon get a "BeijingBiden" text next. So we really have boiled this all down to things like #MoscowMitch #TrotskyTrump and #BeijingBiden ?? Our politics have fallen to a very sad state.
