We received a report recently from a client of a scam which was slightly more interesting, and one which didn’t involve any malicious links.
The scam was to try to get the client engaged in a conversation by alerting them to an email that would be sent as a follow-up, with a view to extort money. What was interesting was how the sender had clearly targeted the scam and put in place some rudimentary but rather clever misdirection to get around some of the things I was talking about in the last article.
Not perfect by any means, but to the untrained eye, pretty convincing.
The Setup
It started with a normal text email. The display name was one of the company directors, but the email address was something entirely different. Very little effort seems to have gone into it so far. The client has managed signatures, so it can’t have come from his company account as the signature is missing, and no attempt appears to have been made to make it appear like it has come from that account.
But who knows, maybe he sent it from his personal email by mistake? You would be forgiven for thinking it was real, especially as it also has none of the links and attachments you would expect from a normal phishing email.
What’s interesting is the setup. The email is indicating that the recipient will be receiving a follow up shortly from a reputable accounting firm, from a specific person. The client replied, then sensing something was wrong let us know. Given that there is no ‘call to action’ my response was that there was no need to be concerned; just replying isn’t enough to compromise you, but that she should expect a follow up as this is clearly setting up an engagement.
The Pitch
Sure enough, before too long a second email was sent from the ‘Matthias Bayliss’ referenced in the setup.
If we look at this using some of the tricks we learnt about in the first article, it’s starting to look more and more legitimate. The email has a signature and comes from what looks like an apparently legitimate-looking domain for that company, allenovery.io. Furthermore, if we go to http://allenovery.io it takes you to the real web page for the company, http://www.allenovery.com
It’s really starting to look like the real thing. Still no obviously suspicious links or attachments, so little here that raises any concern.
But, of course, not everything is as it seems…
The Coverup
I’m going to get a little technical now but bear with me!
A domain consists of two basic parts: the Top Level Domain (TLD) which is the bit at the end like .com , .co.uk , .org, etc; and the rest (the custom bit that is unique). The TLD part is managed by a variety of global registrars. They can indicate a geographic location like .uk, or something more global like .com. Sometimes they indicate an organization rather than a company, like .org which is often used by charities. Some are new trendy TLDs like .guru .food or .ninja and have only relatively recently been introduced.
While a little unusual, .io is a real TLD. But it’s exactly this unusual-ness that starts to give away that something is not quite right. Why would a company like Allen & Overy be sending emails from this unusual domain when they have a perfectly good .com available?
Digging a little deeper we can start to see what’s going on. Domains are registered in control panels which computers query to find out where things are, like the website or email servers for the company. An organization should place great importance on their domains and would usually have them all registered in the same place. They would also tend to stick to using one for public-facing purposes. It would be unusual – or a sign that the IT department might not quite have a grip on things – to be using more than one domain for public-facing communication, though there are many back-end reasons to use different ones.
If we look at the DNS record for the real domain, we have something to compare it to:
- Email hosted at Mimecast, a very well-known and ‘proper’ email service provider
- DMARC records published, which provides some security against spoofing and generally a sign that people know what they are doing
- We can see what name servers are reporting the results
Now if we look at the domain from the email, we get a different story:
I might be a bit snobbish about these things, but a registrar called Namecheap Hosting Inc is unlikely to be the first choice of the IT Department for a large law firm for domain management and email services, especially when they are using Mimecast for their email on the domain on which their public website is hosted. Mimecast is a serious paid-for email service. Why send emails from another service provided by ‘Namecheap Inc’? Also, why set up DMARC security against the domain that is not being used to send email, and not set it up on the domain that is being used?
If you don’t follow me, then don’t worry! The point is only that:
- We can see what the real domain is and how it’s set up from the public records
- The real domain is configured to prevent spoofing, hence why a different domain is used to send the email
- We can see that the domain that sent the email is not set up in the same way
- Not only that, but it’s set up relatively badly in comparison and hosted somewhere completely different
The fact that the spoof domain directs you to the real website is, I think, quite a nice touch. It’s one of the things you might check to see if it was real or not. All that is required to achieve this is to set up a simple forwarding rule on the host.
What Came Next?
At this point, once it was obvious what was happening, the client stopped engaging. What would have almost certainly happened next was, after she replied to “Matthias” he would have sent some bank details for a payment against these spurious consulting charges the Director advised about in the setup email. The client is a construction company of a reasonable size, so the amount would likely have been relatively substantial but within the normal range of what they would be used to dealing with.
Had it been followed through the money would be lost.
As ever, vigilance is your best weapon against fraud. IT controls can go a long way, but there are always ways around it – especially if you know what you are doing and know that your target audience doesn’t.
Having the controls in place is important. Having someone around you can ask if in doubt is important. Checking the veracity of the request before you make a payment is, well, if not priceless then certainly very valuable!
See Also: How To Spot a Fake Email (Part 1)