Despite me going back to normal style blogging, I can’t help still being interested in attempted internet scams.
A customer at work has asked me for help as they spotted a phishing scam that used their domain name, and upon closer inspection I spotted something I had not seen before. Perhaps this scammers undoing!
I have changed the domain name to safeguard my customer.
The emails read like this;
Subject: Settle up this payment
Date: Mon, 21 May 2018 13:14:53 +0200
From: Kevin Playwright <kevin@playwright.me.uk>
Reply-To: Kevin Playwright <kevin@playwright.me.uk-c.co>
To: accounts@playwright.me.uk
I need you to process a faster payment for a new beneficiary, payee details attached.
I will send the documents once i’ll be at my desk.
Leave a reply once completed or in case you get any problem while setting it up.
Regards,
Kevin Playwright.
Sent from my iPhone
The email is flawed in a few ways, firstly there is no-one called Kevin in this organisation, and secondly, there is certainly no-one called Kevin who carries the surname which happens to be the same name as the organisation Kevin is supposed to be part of.
The next point which my customer didnt notice, was the reply-to address. As regular readers of my scam blogs will know, this is one of the first things I check as this often leads straight back to the crook!
Usually, if the reply-to address isn’t the same as the send address (IE email account fully hacked) then it will be completely different – but in this case it was a hybrid!
Let’s take a closer look at those email addresses.
kevin@playwright.me.uk <- Sending address
kevin@playwright.me.uk-c.co <- Reply-to address
Notice the bit at the end of the reply to address?
If we reverse that to make a domain name, the extension is .co and the bit before that, before the next dot is uk-c – which means that this email address is fake, but has been created to fool you into thinking you are replying to the original sender.
Their domain is: http://uk-c.co
If you visit it, you spot that its a mail server;
They can apply this scam to any UK email address;
test@domain.co.uk-c.co
It would be so easy to miss.
Be careful peeps, if something doesn’t feel right STOP and pick up the phone. Call the person who emailed you, call your IT mate, comment on one of my blogs – just dont brush it off as nothing.
Stay safe peeps.
PS I’ve reported them to ICANN hopefully they have their domain taken off them.