A company known to me, let’s call them AcmeIndustry.co.uk, was recently targeted by persistent spear-phishing attacks. Emails we’re being sent to staff which appeared to be from other members of staff. The only tell-tale sign was that the domain name was slightly different, for example [email protected] (with the I replaced with an L, so when presented lower-case looked the same).
This occurred with multiple false domain names, meaning the attackers were spending significant effort in setting up the scam and were persistent in their attempts. When one domain got blocked and reported, another was registered and setup.
Who’s going to fall for that you might ask? Well, it turns out that global networking company Ubiquiti fell for this exact scam 2 years ago to the tune of $46.7 Million Dollars (https://krebsonsecurity.com/2015/08/tech-firm-ubiquiti-suffers-46m-cyberheist/), even down to the same domain registration method.
While I knew the there was no way I would uncover the criminal’s identity, I decided to pull the thread to see where it led.
Its important to note that none of the steps below are highly technical in nature and use simply and generally freely available tools to access publicly available information.
Sniffing the Trail
The first thing I did was take a look at the WHOIS record for the domain name. As this is a .co.uk domain name, the most accurate results come from Nominet, the .co.uk registry via their WHOIS search: www.nominet.uk/whois/. The following results were display (anonymised):
Domain name: Acmelndustry.co.uk
Registrant: Cimpress Schweiz GmbH
Registrant type: Other UK Entity (e.g. clubs, associations, many universities)
Registrant’s address: Technoparkstrasse 5, Zurich, 8406, Switzerland
Data validation: Nominet was able to match the registrant’s name and address against a 3rd party data source on 03-Jan-2017
Registrar: TUCOWS Inc t/a TUCOWS [Tag = TUCOWS-CA], URL: http://www.tucowsdomains.com
Registered on: 16-Nov-2017
Expiry date: 16-Nov-2018
Last updated: 16-Nov-2017
Registration status: Registered until expiry date.
Name servers: logan.ns.cloudflare.com & maya.ns.cloudflare.com
What this tells me
This information tells me three things:
- The domain is registered via the domain registrar TUCOWS through a reseller (Cimpress Schweiz GmbH which is Vistaprint).
- They are using CloudFlare for DNS.
- The registrant details (address, etc.) are VistaPrint’s, this is because VistaPrint still offer ‘free’ domain names with packages but then charge customers if they wish to take the domain name elsewhere, after they built value in it (nothing like a bit of extortion to keep the coffers full).
In order to send emails, the attackers need email servers and they clearly expect to receive responses as well so I performed a quick MX Lookup and found the following email server listed for this domain:
As we can see from the end of the domain name, they are using a service called HostedEmail.com. A google search for them doesn’t yield much and browsing to the domain name shows no website but when I searched for “VistaPrint HostedEmail.com” I quickly got results showing that VistaPrint do indeed use the service for email or the service is owned by VistaPrint, making me think that our attackers are using VistaPrint not just for the domain name but also for hosting.
A Common Scam
This had the smell of a tried-and-tested scam and a quick google search confirmed this, showing that this is very common, with lawsuits being filed by some large brands against VistaPrint’s parent company (Cimpress Schweiz GmbH) for facilitating this exact type of abuse, for example:
Select Equity Group: http://www.wipo.int/amc/en/domains/decisions/text/2017/d2017-1140.html
Sanofi (again): http://www.wipo.int/amc/en/domains/decisions/text/2017/d2017-1342.html
It turns out there is a very compelling reason why VistaPrint (Cimpress Schweiz GmbH) are being used repeatedly to register the domain names and provide the email services used for these scams: they are absolute morons.
Ok that might be slightly unfair but they are in fact inviting this sort of behaviour by offering a free trial of their web hosting services, with a free domain name registration and no verification of the potential customer’s identity or payment details. In short, they are providing domain names and hosting services for free with anonymity built right in. Way to go guys.
Who is behind it?
A search through the headers of the received email shows the originating IP address of the server:
A Geo-IP lookup of this yielded a surprising result, showing the originating IP address as being in Seattle:
A reverse-DNS (PTR) lookup yields no results at all but a look up of the information around this block of IP addresses tells me its owned and used by CloudFlare (the company providing the DNS services): http://geoiplookup.net/ip/18.104.22.168
So are CloudFlare behind it all? No, so I suspect either they operate a VPN service (I know this was being added to their product portfolio), potentially an ISP service (they have a datacenter in Seattle: https://www.cloudflarestatus.com/) or something else is going on. I have contacted them to report the use of their DNS service anyway and queried the originating IP to see if they would provide any information about the source but I don’t expect a response.
What Can We Do?
The only thing that can be done is for email providers and security vendors to red-flag any inbound emails that share a similarity with a companies known domain names based on an algorithm.
Sure this could raise some false-positives initially that would need to be ‘white-listed’ but in the face of losses in the millions, its well worth a little admin!
Finally, Vistaprint should take some corporate responsibility as the main facilitator behind a huge number of these scams, I would have thought the legal proceedings against them alone would shut this down but I wonder if the old adage of “there’s no such thing as bad publicity” is staying their hand?