I Fought Back Against a Phishing Scam. Here’s How.
The other day, my phone buzzed with a message that scared me. It was from “DGT” (the Spanish Traffic Authority), and it looked like it was part of a legitimate conversation thread where I’d received PINs from them before.
The message read: “DGT: Ultimo aviso antes del aumento de su multa pendiente. Verifique su expediente:” (Last warning before your pending fine increases. Check your file:).
My first reaction was a flicker of panic. Do I have a fine I forgot about? This is exactly the reaction scammers hope for. They create a sense of urgency to make you act before you think. But then, I took a closer look.
The Investigation Begins: The Suspicious Link
The first and most obvious red flag was the URL. For safety, I’ve “masked” it by replacing the real host:
https://dgt.com.es*******.***/es/
Scammers are clever. They put dgt.com.es at the beginning to trick you, because people read a hostname from left to right and stop at the first familiar name. The domain that actually identifies the owner is read from the right: it is the label immediately before the top-level domain (.*** in this case), so the real domain here is es*******.***, and everything to its left (dgt.com) is just a subdomain that the owner of es*******.*** can name however they like. The official DGT website is dgt.es. This was clearly a fake.
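Reading a hostname from the right is easy to automate. The following Go program is an added example written for this article (it is not code from the original post, and not a tool the author used) that extracts the registrable domain from a link and checks it against dgt.es. It assumes a deliberately tiny subset of the Public Suffix List embedded as a map; the lookalike hostname under .example is constructed for illustration, and the masked URL from the SMS is parsed as-is.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// publicSuffixes is a small, hand-picked subset of the Public Suffix List
// (an assumption for this example; a real tool should load the full list,
// e.g. via golang.org/x/net/publicsuffix). Multi-label suffixes matter:
// under "com.es" the registrable domain is "foo.com.es", not "com.es".
var publicSuffixes = map[string]bool{
	"es": true, "com.es": true, "org.es": true, "gob.es": true,
	"com": true, "net": true, "uk": true, "co.uk": true, "example": true,
}

// RegistrableDomain returns the part of a URL's host that identifies who
// registered it: the longest known public suffix plus exactly one label to
// its left. Every label further left is a subdomain the registrant controls.
func RegistrableDomain(rawURL string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	host := strings.ToLower(strings.TrimSuffix(u.Hostname(), "."))
	if host == "" {
		return "", fmt.Errorf("no host in %q", rawURL)
	}
	labels := strings.Split(host, ".")

	// Walk from the longest candidate suffix to the shortest; the first hit
	// is the longest public suffix. Unknown TLDs fall back to one label.
	suffixLen := 1
	for i := 0; i < len(labels); i++ {
		if publicSuffixes[strings.Join(labels[i:], ".")] {
			suffixLen = len(labels) - i
			break
		}
	}
	if suffixLen >= len(labels) {
		return "", fmt.Errorf("%q is a public suffix, not a registrable domain", host)
	}
	return strings.Join(labels[len(labels)-suffixLen-1:], "."), nil
}

// IsOfficialDGT reports whether a link really belongs to dgt.es, regardless
// of how many reassuring subdomains are stacked in front of the real owner.
func IsOfficialDGT(rawURL string) bool {
	d, err := RegistrableDomain(rawURL)
	return err == nil && d == "dgt.es"
}

func main() {
	links := []string{
		"https://dgt.com.es*******.***/es/",           // masked link from the SMS
		"https://dgt.com.es.verify-fine.example/es/", // constructed lookalike
		"https://www.dgt.es/",                        // the real site
	}
	for _, link := range links {
		d, err := RegistrableDomain(link)
		fmt.Printf("%-46s registrable=%-22s official=%v err=%v\n", link, d, IsOfficialDGT(link), err)
	}
}
```

The check deliberately compares only the registrable domain: a link whose host merely contains "dgt.es" somewhere (dgt.es.evil.example, for instance) is still rejected, which is exactly the trick the SMS relied on.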
Curiosity got the best of me. I wanted to see what they were up to. I first opened the link on my phone (in a safe browser!), and it loaded a surprisingly convincing replica of the DGT website.
Then, I tried to open it on my computer to investigate further, and… 404 Not Found. The page didn’t exist. How could it work on my phone but not my computer?
It turns out the scammers were filtering visitors. They were checking the User-Agent (an identifier your browser sends with every request to say "I'm Chrome on a Windows PC" or "I'm Safari on an iPhone"). The phishing site served the scam only to mobile User-Agents and a bare 404 to everything else. Since the lure arrives by SMS, every intended victim is on a phone anyway; the filter costs the scammers nothing and keeps desktop-based analysts and automated URL scanners from ever seeing the real page.
How to Get Past the Block: Impersonating a Phone
Luckily, you can easily change your User-Agent using your browser’s developer tools. This tricks the website into thinking you’re browsing from a different device.
Here’s how to do it in a Chromium-based browser (like Chrome, Edge, or Brave):
- Open Developer Tools: Right-click on the page and select "Inspect," or press F12.
- Toggle Device Toolbar: In the developer tools panel, click the icon that looks like a phone and a tablet (or press Ctrl+Shift+M).
- Choose a Device: From the dropdown menu at the top, pick any phone, like "iPhone 12 Pro." This changes the User-Agent header that Chrome sends, which is the part the filter cares about.
- Refresh the Page: With the device toolbar active, press F5 or Ctrl+R to reload.
Voila! The 404 error was gone, and the fake DGT site loaded perfectly on my computer.
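The device toolbar is just a convenient way to change one request header. The Go program below is an added example for this article, not the phishing kit's code or anything from the original post: it reconstructs the observed behaviour (mobile User-Agent gets the page, anything else gets a 404) in a local test server, and then fetches it twice with an explicit User-Agent header, which is what the toolbar does for you. The substring check in IsMobileUA and the two User-Agent strings are assumptions; the kit's real logic is unknown.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// IsMobileUA is a guess at the kind of check a cloaked phishing page makes:
// crude substring matching on the User-Agent. Reconstructed from what was
// observed (phone -> page, PC -> 404), not taken from the kit.
func IsMobileUA(ua string) bool {
	ua = strings.ToLower(ua)
	for _, needle := range []string{"iphone", "android", "mobile"} {
		if strings.Contains(ua, needle) {
			return true
		}
	}
	return false
}

// NewCloakedServer stands in for the phishing host: it serves the lure only
// to mobile User-Agents and a plain 404 to everyone else.
func NewCloakedServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !IsMobileUA(r.UserAgent()) {
			http.NotFound(w, r)
			return
		}
		fmt.Fprint(w, "<html><title>DGT - Verifique su expediente</title></html>")
	}))
}

// FetchAs performs a GET with an explicit User-Agent, which is all the
// DevTools device toolbar really changes as far as the server can tell.
func FetchAs(target, userAgent string) (int, string, error) {
	req, err := http.NewRequest(http.MethodGet, target, nil)
	if err != nil {
		return 0, "", err
	}
	req.Header.Set("User-Agent", userAgent)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return resp.StatusCode, string(body), err
}

// Two typical User-Agent strings (assumed for the example).
const (
	DesktopUA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36"
	MobileUA  = "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1"
)

func main() {
	srv := NewCloakedServer()
	defer srv.Close()
	for name, ua := range map[string]string{"desktop": DesktopUA, "iphone": MobileUA} {
		status, body, err := FetchAs(srv.URL+"/es/", ua)
		fmt.Printf("%-8s -> %d %q err=%v\n", name, status, strings.TrimSpace(body), err)
	}
}
```

The same trick works from the command line: any HTTP client that lets you set the User-Agent header (curl's -A flag, for instance) will get past this kind of gate, which is why User-Agent cloaking only slows down analysis rather than preventing it.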
Uncovering the Data Heist: The WebSocket
Now that I was "in," I opened the Network tab in the developer tools to watch how the site was sending data. Usually, when you fill out a form, you see a POST request sending your information to a server.
But I didn’t see that. Instead, I saw a WebSocket connection being established.
Think of it like this: a normal web request is like sending a letter. A WebSocket is like opening a continuous phone line. Once the connection is made, the attacker can send and receive data in real time. Any information I typed into the form was being whisked away instantly over this WebSocket, encoded in Base64 to make it a little less obvious. Base64 is an encoding, not encryption: anyone who can see the frames (DevTools shows them under the connection's Messages view) can turn them back into plaintext instantly, so the only thing it hides is the data from a casual glance.
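Decoding what the Messages view shows is a one-liner until the kit uses a different Base64 flavour than you expect. The Go program below is an added example for this article (not code from the original post or from the phishing kit): it takes a captured WebSocket text frame, tries the padded and unpadded standard and URL-safe Base64 alphabets in turn, and, when the plaintext looks like form-encoded data, splits it into fields. The frames in main are constructed for illustration, not real captures.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"net/url"
	"strings"
	"unicode/utf8"
)

// decoders are tried in order: padded standard, padded URL-safe, then the
// unpadded ("raw") forms. Kits use whichever btoa()-style helper the author
// copied, and some strip the "=" padding, so one alphabet is not enough.
var decoders = []*base64.Encoding{
	base64.StdEncoding,
	base64.URLEncoding,
	base64.RawStdEncoding,
	base64.RawURLEncoding,
}

// looksLikeForm reports whether text is application/x-www-form-urlencoded
// style key=value pairs; url.ParseQuery alone would happily "parse" any
// string, so we check the shape first.
func looksLikeForm(text string) bool {
	if text == "" {
		return false
	}
	for _, pair := range strings.Split(text, "&") {
		if !strings.Contains(pair, "=") {
			return false
		}
	}
	return true
}

// DecodeFrame decodes one captured WebSocket text frame. It returns the
// plaintext and, when the plaintext is form-encoded, the parsed fields
// (empty map otherwise). An error means no common Base64 variant fit.
func DecodeFrame(frame string) (string, map[string]string, error) {
	frame = strings.TrimSpace(frame)
	for _, enc := range decoders {
		raw, err := enc.DecodeString(frame)
		if err != nil || !utf8.Valid(raw) {
			continue // wrong alphabet or padding for this variant
		}
		text := string(raw)
		fields := map[string]string{}
		if looksLikeForm(text) {
			if vals, err := url.ParseQuery(text); err == nil {
				for k, v := range vals {
					fields[k] = v[0]
				}
			}
		}
		return text, fields, nil
	}
	return "", nil, fmt.Errorf("not Base64 in any common variant: %q", frame)
}

func main() {
	// Constructed frames standing in for what the Messages view would show.
	frames := []string{
		"YT0xJmI9Mg==", // StdEncoding of "a=1&b=2"
		base64.RawURLEncoding.EncodeToString([]byte("nombre=Juan&dni=12345678A")),
		"not base64!",
	}
	for _, f := range frames {
		text, fields, err := DecodeFrame(f)
		fmt.Printf("%-40q -> %q %v err=%v\n", f, text, fields, err)
	}
}
```

Because Base64 offers no secrecy, this is also exactly what the attacker's server does on the other end of the "phone line"; the encoding only exists so that the stolen fields do not jump out in a network capture.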
Turning the Tables: A Taste of Their Own Medicine
Seeing this setup, I had an idea. If they built a live pipeline to steal data, what if I sent them a flood of… well, garbage? 😈
I decided to write a Go script to automate a counter-attack. The plan was simple:
- Have the script connect to their WebSocket server, pretending to be thousands of different mobile users.
- Instead of sending stolen data, send a random, funny phrase every 10 milliseconds.
- Encode the phrases in Base64, just like their malicious site was doing.
The goal was to flood their database with nonsense, hopefully making it much harder to find any real data from actual victims. I prepared a list of jokes to send them.
I kicked it off and let it run for several minutes, imagining their database filling up with thousands of Base64-encoded jokes. While I can’t know for sure, I hope it made their day a little more difficult.
Key Takeaways
This was a fun cat-and-mouse game, but it highlights some serious lessons:
- Always Verify the URL: No matter how real a site looks, the URL is the ultimate source of truth. Learn to find the registrable domain (the label just before the top-level domain) rather than trusting a familiar name that merely appears at the start of the host.
- Trust Your Gut: If a message feels off or creates sudden panic, take a deep breath and scrutinize it.
- Report Phishing: This is the most important step. While my counter-attack was cathartic, the best thing to do is report the phishing attempt to the authorities and block the number. That is what actually gets these sites taken down and protects others.
Stay safe out there!