Mar 23, 2009
Intro: this is a brief account, excerpted from the original, which was much longer and had more detailed forensic information. I decided not to publish the full version since the scam might be under investigation, but several traces of it are still publicly available if you know where to look.
I have to admit, I am often amused by the level of deviousness that goes into scamming, fraud, etc. Email phishing is particularly interesting because it is a specialized form of social engineering fraud which is filtered through technology and preys on the naïve and their understanding of technology.
So when I got a phishing email this evening, I was somewhat excited. Not only had it bypassed all my spam filtering (it looked well done), but it actually had me wondering for 5 seconds if the Canadian government did, in fact, want to give me a tax refund of $406.
The backstory is that I moved to the UK recently from Canada and I still have a Canadian domain registered which I regularly use. So receiving an email from the Canada Revenue Agency in itself isn’t so strange. It is strange that they’d want to give me money they didn’t owe me, but anyway…here’s the original email:
Other than the absurdly crappy Courier rendition of a “government” missive, it looks legit, right? Of course, somebody’s trying to give me money that I hadn’t asked for, demanded, or expected in any other way – I’m suspicious. So I check out the source code of the email. Every single bit of it looks fine except for the “click here” link, which points to http://cra-gc.org. That is different from all the other URLs in the email (and they are, in fact, legit: the actual CRA website is at http://www.cra-arc.gc.ca). It’s down now, but had you gone directly to http://cra-gc.org, you’d have found a form styled uncannily to look like the actual CRA site – to the point where every single visible link and object in that fraudulent form is actually legitimate. This is what it looked like:
Not too shabby. Except for a few little items in the source code for the form submission (the code that tells the browser where to send the information you’ve filled out):
- the form action submits to
- there’s a hidden input tag:
<input TYPE="hidden" NAME="recipient" VALUE="firstname.lastname@example.org">
I’m pretty sure the government of Canada doesn’t submit tax form information to personal Gmail accounts. At least, not intentionally.
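The two checks above (find the one link whose host doesn’t match the rest of the message, then look at where the landing page’s form actually posts and what hidden fields it carries) are easy to script. The following is an added example, not code from the original post: the two HTML snippets are constructed to mirror what the post describes, the relay host in the form action is hypothetical, and the Gmail address is the same redacted placeholder the post uses.

```python
"""Triage a suspected phishing message the way the post does by hand:
flag links whose host is not the domain the message claims to be from,
and inspect each form on the landing page for an off-domain action or a
hidden field that carries an email address (the formmail-style
"recipient" field).

Added example, not code from the original post. Sample HTML below is
constructed; the relay host is hypothetical and the Gmail address is a
placeholder.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: every link goes to the real CRA domain
# except the call-to-action.
PHISH_EMAIL = """
<html><body><font face="Courier">
<p>Canada Revenue Agency - tax refund notification</p>
<p>After the last annual calculation we have determined that you are
eligible for a refund of $406.</p>
<p><a href="http://cra-gc.org/refund/">Click here</a> to submit your request.</p>
<p><a href="http://www.cra-arc.gc.ca/menu-eng.html">Home</a> |
<a href="http://www.cra-arc.gc.ca/cntct/menu-eng.html">Contact us</a> |
<a href="http://www.cra-arc.gc.ca/gncy/prvcy/menu-eng.html">Privacy</a></p>
</font></body></html>
"""

# Constructed sample landing page: the visible link is legitimate, but the
# form posts to a hypothetical relay host and carries a hidden "recipient".
PHISH_FORM = """
<html><body>
<a href="http://www.cra-arc.gc.ca/menu-eng.html">Home</a>
<form method="POST" action="http://example-relay.invalid/cgi-bin/formmail.pl">
<input TYPE="hidden" NAME="recipient" VALUE="firstname.lastname@example.org">
<input type="text" name="sin"> <input type="text" name="name">
<input type="submit" value="Submit">
</form>
</body></html>
"""


class LinkAndFormParser(HTMLParser):
    """Collect anchor hrefs, form actions and hidden inputs from HTML."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.forms = []        # each: {"action": str, "hidden": {name: value}}
        self._current = None   # form currently being read, if any

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names; values are kept as-is.
        a = {k: v for k, v in attrs if v is not None}
        if tag == "a" and "href" in a:
            self.links.append(a["href"])
        elif tag == "form":
            self._current = {"action": a.get("action", ""), "hidden": {}}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None \
                and a.get("type", "").lower() == "hidden":
            self._current["hidden"][a.get("name", "")] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def parse(html):
    p = LinkAndFormParser()
    p.feed(html)
    return p


def host_of(url):
    """Lower-cased host of a URL; empty for relative URLs."""
    return (urlparse(url).hostname or "").lower()


def on_domain(host, legit_domain):
    return host == legit_domain or host.endswith("." + legit_domain)


def suspicious_links(html, legit_domain):
    """Absolute links whose host is not legit_domain or a subdomain of it."""
    return [h for h in parse(html).links
            if not on_domain(host_of(h), legit_domain)]


def form_findings(html, legit_domain):
    """Per form: its action, whether that action leaves the imitated domain
    (relative actions count as on-domain), and hidden fields holding an
    email address, i.e. where the submitted data is really going."""
    out = []
    for f in parse(html).forms:
        action_host = host_of(f["action"])
        out.append({
            "action": f["action"],
            "off_domain_action": bool(action_host)
                                 and not on_domain(action_host, legit_domain),
            "email_hidden_fields": {n: v for n, v in f["hidden"].items() if "@" in v},
        })
    return out


if __name__ == "__main__":
    print("odd links:", suspicious_links(PHISH_EMAIL, "cra-arc.gc.ca"))
    print("forms:", form_findings(PHISH_FORM, "cra-arc.gc.ca"))
```

Run against the constructed samples, the first check returns only the cra-gc.org link and the second reports the off-domain action together with the hidden recipient address. The same two functions work on a saved `.eml` body or a fetched landing page; the only input they need is the domain the message claims to come from.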
The whois data for the domain cra-gc.org claims that it’s registered to someone in Michigan. cra-gc.org seems to be hosted by Softlayer.com, which has datacentres in Dallas, Seattle and Washington, DC. A traceroute reveals that the domain is probably hosted in Seattle.
And who, exactly, is 64-8.com registered to? The whois information on the domain indicates that it’s registered to somebody in Buckinghamshire in the UK (a neighbouring county to where I now live). But it’s hosted by WiredHub.net and would appear to be at a data centre in New York City. The registrar, Tucows.com, is located in Toronto. The whois for the administrative contact returned more or less the same information, but from a different registrar and host. I Googled his name and, interestingly, there’s a bloke by the same name in prison as a convicted serial rapist (!), but I doubt he’s setting up phishing scams from prison. His company (the guy in Bucks, not the one in prison) has another website which only has 0800 phone numbers listed on it, while the whois for 64-8.com has phone numbers which are direct lines. Perhaps he’s being set up as a patsy, or intentionally framed out of dissatisfaction with services rendered.
- the phishing domain is registered in Canada and hosted in Seattle.
- the phishing destination is registered in the UK and hosted in New York.
- they’re targeting a Canadian audience in what appears to be some kind of identity theft scam to phish for Social Insurance Numbers.
- it’s most likely that the scammer simply Googled “UK websites for accountants” and found a company with which to frame the domain registration.
Frankly, I wouldn’t know who to call first. Well, I went to bed and got up this morning and now the domain has been flagged and taken down. Safari finds nothing at the URL, but Firefox:
I suppose I could have reported it as a Web Forgery through Firefox’s anti-phishing feature. It was late. Also, now the whois record for cra-gc.org is reported as “NOT FOUND”.
The Canada Revenue Agency website has the following links, the last of which shows examples that look like the exact site I was directed to: