
CND News and Blog

Scammers. Society's bottom-feeders.

Scamming is sadly a daily risk whilst navigating cyberspace. Almost exactly 3 years ago I wrote, in a different post (URL), about a similar postal scam masquerading as the Post Office and asking for a small missed-delivery fee. Well, this week it happened again to a family member who started to fall for it. Fortunately they stopped, but there is an increased risk that some personal data may have leaked to the threat actor (TA).

I see this type of scamming as literally the scavengers of the internet, feeding off the bottom and trying to defraud money from victims who are otherwise going about their daily lives. It is parasitic behaviour, and collectively we must all attempt to suppress it and impose cost on would-be scammers. Unchallenged and emboldened, these criminals will likely develop into malware and ransomware actors.

Below is the message:

[Image: screenshot of the iMessage scam message]

There are a few giveaways here that tell us straight away this is a high-risk message:

- 1: The sender is an entirely random e-mail address; however, in the initial message this doesn't show up clearly until the potential victim taps the message to expand it.

- 2: This was sent via iMessage. This messaging type carries a few risks that simple SMS text does not, as it invokes software calls on the phone's OS. For an explanation of this threat vector, which has been used to deliver the NSO Group's sophisticated 'Pegasus' spyware, see (URL 1, URL 2). If you operate in an elevated-risk situation or are using a work device you should disable iMessage entirely. iMessage was probably used in this instance because it is a very low-cost distribution mechanism that appears just as time-sensitive SMS messages do.

- 3: Mixed details: the sender is masquerading as the parcel company 'Evri', yet the message then goes on to say 'Post Office'. Which is it? Plus, if you look closely, there are punctuation errors.

- 4: No SSL: the URL begins with 'http://'. Why are they not using an SSL certificate? If you're submitting details online, or even just browsing the web, it should be to a reputable site with a valid SSL certificate.


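The text-visible giveaways above (random e-mail sender, mixed brand names, plain http:// link) can be checked mechanically before anyone taps a link. The following is an added example, not code from the post; the sample message and sender are constructed to resemble the lure described, and the brand list is an assumption.

```python
import re
from urllib.parse import urlparse

# Constructed sample modelled on the message described in the post (not its
# real text): a parcel-fee lure sent from an arbitrary e-mail address.
SAMPLE_SENDER = "kx9t2q@example-mail.invalid"
SAMPLE_BODY = ("Evri: your parcel could not be delivered. Please pay the "
               "redelivery fee at the Post Office portal: "
               "http://evri-redelivery.invalid/pay ,")

# Assumed list of parcel brands commonly impersonated in UK delivery scams.
BRANDS = ("evri", "post office", "royal mail", "dpd")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def find_urls(text):
    """Extract http(s) links, dropping trailing punctuation glued to them."""
    return [u.rstrip(".,;") for u in URL_RE.findall(text)]

def triage(sender, body):
    """Return the giveaways found, following the post's checks 1, 3 and 4.
    Check 2 (iMessage vs SMS transport) is not visible in the text itself."""
    flags = []
    text = body.lower()
    # 1: a parcel firm does not text you from a random e-mail address
    if "@" in sender:
        flags.append("sender is an e-mail address, not a carrier number")
    # 3: more than one brand named in a single message
    named = [b for b in BRANDS if b in text]
    if len(named) > 1:
        flags.append("mixed brands: " + ", ".join(named))
    # 4: a plain http:// link, no certificate at all
    for url in find_urls(body):
        if urlparse(url).scheme == "http":
            flags.append("plain http link: " + url)
    return flags

def risk_level(flags):
    """Two or more giveaways is enough to treat the message as high risk."""
    return "high" if len(flags) >= 2 else "low"
```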
Unfortunately my family member clicked the link and interacted with the scam site before realising and letting me know. You can see how it happens, especially early in the morning.

Risk assessment / PICERL

This potential scam attack occurred in the home, and there is a real risk in domestic settings if home users' and work-from-home networks are not secured and isolated. Thankfully I have multiple separate networks at home so that data is entirely compartmentalised (Work | Home | TV | Security | Guest | Full-Access) and there can be no spill-over events should ransomware or malware arrive on a domestic network.

Considering where you might be on the PICERL diagram (Containment) is generally good practice even if it doesn't apply to this threat type (probably!). Is the threat contained, and what else might be necessary?

DNS protection:

I previously wrote about the benefits (URL) of using a security-focused DNS provider such as NextDNS, Cisco Umbrella or Cloudflare, which will often pick up newly registered domains (NRDs) and malware or phishing domains more quickly than ISP DNS provision. I strongly support this simple measure, and in fact it would have blocked the 'domain' in this fraud attempt had my family member been using it. They opt not to, because the adverts (which track them round the internet) are useful!? I tested it with a VPN on in a sandbox browser:

I checked my Splunk logs and performed a simple lookup, which tells me:

  • The URL maps to server: 43.157.103.124
  • Hosted in Germany (indicative)
  • Blocked accordingly as a Newly Registered Domain type

Doing the right thing:

There is an expression: 'The standard we walk past is the standard we accept'. What this means to me is that accepting low-level scamming as just part of life is not acceptable. As a cyber security professional I will not walk idly past whilst people are defrauded. So there are several quick measures that we can take in less than 10 minutes:

10 minute actions:

Scammer summary:

In just under 10 minutes I have established:

  • The scam domain is registered with a registrar in Singapore. However, their site looks less than legitimate and I note they do not even have an SSL certificate on their own site. Low confidence that they will action a block on the domain.
  • Hosted in Germany, on a Tencent cloud server.
  • Tencent is a Chinese media company, and I did attempt to file a fraud report with them; however, their site is poor and is set up only to handle copyright infringement. Over my lunch break I called their help number from an anonymous number and attempted to register it; the handler directed me to a Chinese-language website. They clearly have no intent to prevent fraud.
  • Does this amount to state-sponsored acceptance of cyber crime, with no law enforcement effort to prevent it?

PICERL, Lessons Learned:

In this case we were adequately compartmentalised and the victim is a domestic individual, but what could have been done better, and what if this had been a corporate entity? What would we professionally recommend?

  • Cyber awareness training. CND provides programmes to train employees to recognise phishing and to test them with simulated phishing attacks.
  • Reducing threat surfaces. Work with a client to understand their connectivity requirements and what recommendations can be put in place to reduce and disable threat vectors.
  • Logs / SIEM tools. CND is a Splunk Professional Services partner with several fully trained professionals. We could set up Risk Based Alerting so that the SOC is notified when a corporate device has attempted to access a phishing domain / NRD.
  • Firewalls / proxy filtering. A commercial-grade firewall such as a Palo Alto or Cisco may be configured to block access to NRDs entirely and prevent any possible egress of data to sites in such categories.
  • Compartmentalisation. Good network design, isolating device types, departments or use cases, and consulting with our clients can lead to improved security practices. CND has decades of cyber network experience.
  • Data leakage / OSINT. Reducing the digital footprint that individuals leak in a professional capacity, such as real phone numbers, would reduce the reconnaissance data available to threat actors. CND has significant OSINT capability and we can consult on ways to monitor and reduce your cyber profile.
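The Risk Based Alerting idea in the Logs / SIEM point can be sketched outside Splunk: accumulate risk points per device from resolver events and raise an alert once a threshold is met. This is an added example, not CND's or any vendor's code; the CSV layout, the point values and the threshold are assumptions, and the log lines are constructed.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed resolver log in an assumed CSV layout (not a real NextDNS or
# Splunk export): timestamp, device, queried domain, action, category.
SAMPLE_LOG = """\
ts,device,domain,action,category
2024-05-18T07:02:11Z,phone-a,evri-redelivery.invalid,blocked,nrd
2024-05-18T07:02:15Z,phone-a,evri-redelivery.invalid,blocked,phishing
2024-05-18T07:03:40Z,laptop-b,cdn.example.invalid,allowed,none
2024-05-18T07:05:02Z,laptop-b,login-update.invalid,blocked,nrd
"""

# Assumed risk points per (action, category). A block still shows a device
# followed a lure, so it scores; an allowed query to a flagged category scores
# higher because nothing stopped it.
RISK_POINTS = {
    ("blocked", "nrd"): 30,
    ("blocked", "phishing"): 50,
    ("allowed", "nrd"): 40,
    ("allowed", "phishing"): 70,
}
ALERT_THRESHOLD = 50  # assumed: one phishing hit or two NRD hits per window

def parse_log(text):
    """Read the CSV export into a list of event dicts."""
    return list(csv.DictReader(StringIO(text)))

def event_points(event):
    return RISK_POINTS.get((event["action"], event["category"]), 0)

def risk_by_device(events):
    """Sum risk points per device across the events in one alert window."""
    scores = defaultdict(int)
    for event in events:
        scores[event["device"]] += event_points(event)
    return dict(scores)

def alerts(events, threshold=ALERT_THRESHOLD):
    """Devices at or above the threshold, with the domains that scored."""
    out = {}
    for device, score in risk_by_device(events).items():
        if score >= threshold:
            out[device] = sorted({e["domain"] for e in events
                                  if e["device"] == device and event_points(e) > 0})
    return out
```

In a real deployment the window would be time-bounded and the scored domains attached to the alert so an analyst can see what the device tried to reach.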

Saturday, 18 May 2024
