If you receive a text like this:
I’ve modified the phone number in the screenshot and following post and also “defanged” the URL by placing brackets around it.
When analyzing a suspicious link, you may think that submitting it to a site like urlscan.io is the best approach. This works in some cases; however, be aware that some bad guys actively evade requests from URL analysis sites. They do this based on the user-agent or the source IP address making the request.
In our case, if you try to look up the malicious URL at urlscan.io, you will see the site doesn’t even load:
VirusTotal shows nothing malicious.
Joe Sandbox was able to find the malicious redirect. Report here.
A standard curl to the site will 302 redirect you to a Chase login stealer:
curl -A "Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A356 Safari/604.1" https://zrruqhmedbbghufdta.page.link/Go1D?17735551234
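To check whether a link answers differently depending on who asks, as described above, the following added example (not part of the original post) sends the same request under several user-agents without following redirects and compares the answers. The function names and the user-agent list are assumptions; the redirect target is printed defanged so it can be pasted into a report.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# Run it from an analysis host; curl stops at the first hop (no -L is used).

# One user-agent per line: the iPhone UA from the post, then two constructed
# samples (a desktop browser and a plain curl client).
UAS='Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A356 Safari/604.1
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
curl/8.5.0'

# defang URL: make a URL non-clickable before it goes into a ticket or report.
defang() {
  printf '%s\n' "$1" | sed -e 's/^http/hxxp/' -e 's/\./[.]/g'
}

# probe URL UA: print "<status> <redirect target>" for a single request.
# The body is discarded, so the landing page itself is never fetched.
probe() {
  out=$(curl -s -o /dev/null --max-time 10 -A "$2" \
        -w '%{http_code} %{redirect_url}' "$1" </dev/null) || out='000 '
  printf '%s\n' "$out"
}

# ua_cloaked URL: print one line per user-agent; return 0 when the answers
# differ between user-agents (likely cloaking), 1 when they are all the same.
ua_cloaked() {
  first='' differ=1
  while IFS= read -r ua; do
    res=$(probe "$1" "$ua")
    status=${res%% *}   # HTTP status code (000 if the request failed)
    target=${res#* }    # redirect target, empty when there is none
    printf '%s  %-45s  %.30s...\n' "$status" "$(defang "$target")" "$ua"
    if [ -z "$first" ]; then first=$res
    elif [ "$res" != "$first" ]; then differ=0; fi
  done <<EOF
$UAS
EOF
  return "$differ"
}

# Usage: sh ua_probe.sh 'https://suspicious.example/path'
if [ $# -gt 0 ]; then
  if ua_cloaked "$1"; then echo 'answers differ by user-agent'
  else echo 'same answer for every user-agent'; fi
fi
```

Identical answers across user-agents do not clear a link, since the post notes that evasion can also key on the source IP address.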