{
	"id": "5e2c080d-a0f6-4081-8289-cebe109bb452",
	"created_at": "2026-05-05T02:45:09.740026Z",
	"updated_at": "2026-05-05T02:46:36.908804Z",
	"deleted_at": null,
	"sha1_hash": "dc6c87cd4d3de2cbead90a2152ef8101f5b1fc65",
	"title": "Investigating a Fake KDDI Smishing Campaign that abuses Duck DNS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3381876,
	"plain_text": "Investigating a Fake KDDI Smishing Campaign that abuses Duck\r\nDNS\r\nBy Lena\r\nPublished: 2023-06-23 · Archived: 2026-05-05 02:40:49 UTC\r\n6 min read\r\nFeb 19, 2023\r\nPress enter or click to view image in full size\r\nRecently in Japan, there has been an increase in Smishing attacks that abuse Duck DNS. In this blog post, I will be\r\ninvestigating one of these Duck DNS smishing attacks. The one analyzed here impersonates a mobile payment\r\nsystem.\r\nTable of contents\r\nThe SMS message\r\nAndroid User-Agent\r\niPhone User-Agent\r\nDuck DNS behaviour\r\nConclusion\r\nThe SMS message\r\nhttps://systemweakness.com/investigating-a-fake-mobile-payment-smishing-that-abuses-duck-dns-d07c72468ba8\r\nPage 1 of 17\n\nThe message says,\r\n【利用停止予告】KDDI未払い料金お支払いのお願い。http://lhuyykzzlv[.]duckdns.org\r\nWhich translates to,\r\n[Suspension Notice] Please pay the unpaid KDDI fees. http://lhuyykzzlv[.]duckdns.org\r\nUpon access, it leads to a blank page. Inspecting the element will show that it leads to another DuckDNS page.\r\nPress enter or click to view image in full size\r\nThis page has an IP of 45.12.138[.]87.\r\nPress enter or click to view image in full size\r\nAccording to VirusTotal’s Passive DNS Replication, it has many other Duck DNS domains associated with it.\r\nPress enter or click to view image in full size\r\nhttps://systemweakness.com/investigating-a-fake-mobile-payment-smishing-that-abuses-duck-dns-d07c72468ba8\r\nPage 2 of 17\n\nIt then led me to another Duck DNS page. Inspecting the page showed that the next redirect will differ based on\r\nthe User Agent. For an iPhone user agent, it will redirect to another Duck DNS page. 
For an Android user agent, it redirects to 181.html.\r\nThis second domain also resolves to 45.12.138[.]87.\r\nAndroid User-Agent\r\nUnder the “Network Conditions” tab in Chrome DevTools, I set the User-Agent to,\r\nMozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Mobile Safari/537.36\r\nWith an Android User-Agent, the page first leads to /181.html.\r\nThe response to the GET request for 181.html shows that it redirects to yet another Duck DNS page.\r\nThe final Duck DNS page resolves to 199.167.138[.]24.\r\nThe IP 199.167.138[.]24 also has many Duck DNS domains associated with it.\r\nThis final Duck DNS page shows a fake au page with the following prompt,\r\nマルウェアが検出されました。「KDDIセキュリティ無料版アプリ」を必ずダウンロードしてインストールしてください。そうしないと通話サービスを停止される場合がございますのでご注意ください。\r\nWhich translates to,\r\nMalware was detected on your device. Please be sure to download and install the “KDDI Security Free Edition App”. Please note that if you do not, the call service may be suspended.\r\nClicking on 次へ (next) leads to a download page. 
Scrolling through the page shows the install instructions.\r\nClicking on “Download” downloads a file called KDDI.apk.\r\nThis KDDI.apk is flagged as malicious by multiple vendors on VirusTotal.\r\nThe file contacts multiple URLs, domains and IP addresses.\r\nJoeSandbox also detected KDDI.apk as malicious, and many suspicious behaviours can be seen.\r\nKDDI.apk requests permissions such as android.permission.SEND_SMS, android.permission.CALL_PHONE and android.permission.WRITE_SMS. SEND_SMS and CALL_PHONE are dangerous-level permissions: once the user grants them, the app can send SMS messages and place calls on its own, which is far more than a “security app” needs.\r\nThe full analysis on JoeSandbox can be found here,\r\niPhone User-Agent\r\nUnder the “Network Conditions” tab in Chrome DevTools, I set the User-Agent to,\r\nMozilla/5.0 (iPhone; CPU iPhone OS 13_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/109.0.0.0 Mobile/15E148 Safari/604.1\r\nIt leads to index.html, but “404 Not Found” was displayed.\r\nInspecting the headers showed the following (screenshot in the original post).\r\nThis page resolves to 86.38.4[.]25, which has many other Duck DNS domains associated with it. A lot of them are flagged as malicious on VirusTotal.\r\nThe 404 turned out to be a gate rather than a missing page. Since I could not access the site’s contents, I went to the Sensors tab and set the location to Tokyo, with the Locale set to ja-JP.\r\nReloading the page leads to a fake au page that asks for the user’s mail address, phone number, and name.\r\nI entered some fake details and had to select a payment method. There seemed to be multiple payment options, but everything except 電子マネー (electronic money) was crossed out.\r\nSubmitting the form leads to a page that says the payment must be made using Vプリカ, which is a prepaid card.\r\nIt then prompts the user to enter the Vプリカ (prepaid card) numbers.\r\nVプリカ is a Visa prepaid card that can be used online. Prepaid card numbers are attractive to scammers because they spend like cash and are hard to recover once used. More details on Vプリカ can be found below,\r\nDuck DNS behaviour\r\nThe redirect link changes very frequently. 
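Since the hops rotate, the one thing that stays constant across the campaign is what the recipient actually sees: a free dynamic-DNS hostname with a random-looking label in the SMS. The block below is an added example (my code, not code from the original post) that does the triage a messaging gateway or a SOC script would do on the message text itself, covering both the SMS section and this one: it extracts URLs (also from defanged hxxp / [.] forms), flags hosts under free dynamic-DNS providers, measures how random the attacker-chosen label is with Shannon entropy, and emits defanged indicators for reporting. duckdns.org is the provider from the post; the other suffixes in the list are my additions, the first sample message is the one quoted in the post, and the benign sample message is constructed.

```python
import math
import re
import string
from collections import Counter
from urllib.parse import urlsplit

# Free dynamic-DNS services whose subdomains turn up in smishing lures.
# duckdns.org is the one in the post; the rest are assumed additions.
DYNAMIC_DNS_SUFFIXES = ('duckdns.org', 'no-ip.org', 'ddns.net', 'hopto.org', 'dynv6.net')

URL_RE = re.compile('https?://[^<>' + string.whitespace + ']+', re.I)
TRAILING_PUNCT = '.,;:!?)]}。、」）'     # punctuation that often trails a URL in prose


def refang(text):
    '''Undo the usual defanging (hxxp, [.], [:]) so the URL parser sees real URLs.'''
    return text.replace('hxxp', 'http').replace('[.]', '.').replace('[:]', ':')


def defang(url):
    '''Defang for safe reporting: hxxp scheme and [.] in the host part only.'''
    netloc = urlsplit(url).netloc
    return url.replace('http', 'hxxp', 1).replace(netloc, netloc.replace('.', '[.]'), 1)


def extract_urls(message):
    return [u.rstrip(TRAILING_PUNCT) for u in URL_RE.findall(refang(message))]


def shannon_entropy(s):
    '''Bits per character; a 10-letter random label lands well above 2.5.'''
    n = len(s)
    return 0.0 if n == 0 else -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def dynamic_dns_provider(host):
    for suffix in DYNAMIC_DNS_SUFFIXES:
        if host == suffix or host.endswith('.' + suffix):
            return suffix
    return None


def triage_sms(message):
    '''One record per URL in the message: defanged URL, host, dynamic-DNS provider
    (or None), the attacker-chosen label with its entropy, and a verdict.'''
    records = []
    for url in extract_urls(message):
        host = (urlsplit(url).hostname or '').lower()
        provider = dynamic_dns_provider(host)
        label = host[:-len(provider) - 1] if provider else ''
        records.append({
            'url': defang(url),
            'host': host,
            'dynamic_dns': provider,
            'label': label,
            'label_entropy': round(shannon_entropy(label), 2),
            'verdict': 'suspicious: free dynamic-DNS host in SMS' if provider else 'no dynamic-DNS host',
        })
    return records


# The message quoted in the post (defanged as published) and a constructed benign one.
SAMPLE_SMS = '【利用停止予告】KDDI未払い料金お支払いのお願い。http://lhuyykzzlv[.]duckdns.org'
BENIGN_SMS = 'Your statement is ready: https://www.example.com/bill.'

if __name__ == '__main__':
    for msg in (SAMPLE_SMS, BENIGN_SMS):
        for rec in triage_sms(msg):
            print(rec)
```

The suffix match is the signal that survives the rotation; the entropy score is only a tie-breaker, since a legitimate Duck DNS user could also pick a random label, so treat it as a reason to look, not a reason to block.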
The first link is lhuyykzzlv[.]duckdns[.]org in this case, but it redirects to a different Duck DNS link every few minutes to hours.\r\nThe second link’s redirect target also changes every few minutes to hours.\r\nThe first and second Duck DNS domains both resolve to 45.12.138[.]87, and that IP has many Duck DNS domains associated with it.\r\nAs Duck DNS is a free dynamic DNS service, it is often abused for malicious purposes, as in this case. The subdomain label is the only part the attacker controls; it is a random-looking string of letters here, and because the redirect targets rotate, blocking any single hop is short-lived. The IPs behind the hops and the duckdns.org suffix itself are more durable pivots.\r\nConclusion\r\nIn this investigation, it was found that the behaviour of the smishing attack differs based on the User-Agent, and that it abuses Duck DNS. Multiple redirects are made before it reaches the fake au page. Requests that do not appear to come from Japan (the iPhone branch only loaded after setting the location to Tokyo and the locale to ja-JP) get a 404 instead of the fake au page.\r\nAndroid User-Agent: Redirects the user to a fake au page, and downloads a malicious file called KDDI.apk\r\niPhone User-Agent: Redirects the user to a fake au page, and asks for the user’s details and Vプリカ (prepaid card) numbers.\r\nThe behaviour of this smishing attack is similar to the one analyzed in my other blog, where it abused Duck DNS and changed behaviour based on the User-Agent.\r\nSo if you receive an SMS message that uses Duck DNS, please be careful!\r\nSource: https://systemweakness.com/investigating-a-fake-mobile-payment-smishing-that-abuses-duck-dns-d07c72468ba8",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://systemweakness.com/investigating-a-fake-mobile-payment-smishing-that-abuses-duck-dns-d07c72468ba8"
	],
	"report_names": [
		"investigating-a-fake-mobile-payment-smishing-that-abuses-duck-dns-d07c72468ba8"
	],
	"threat_actors": [],
	"ts_created_at": 1777949109,
	"ts_updated_at": 1777949196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dc6c87cd4d3de2cbead90a2152ef8101f5b1fc65.pdf",
		"text": "https://archive.orkl.eu/dc6c87cd4d3de2cbead90a2152ef8101f5b1fc65.txt",
		"img": "https://archive.orkl.eu/dc6c87cd4d3de2cbead90a2152ef8101f5b1fc65.jpg"
	}
}