A recently registered domain is being used in attempts to defraud companies and organisations out of money via BACS or bank transfers.
Registrant details are a fictitious company at a real address.
Registrant: Derek Mugley
Trading as: Mugley Co
Registrant's address: Sheffield Road 443, Chesterfield, S41 8LT, United Kingdom
Relevant dates:
Registered on: 14-Jan-2018
Expiry date: 14-Jan-2020
Last updated: 14-Jan-2018
The scam starts with a contact within a company or organisation being sent an e-mail, supposedly from the director or CEO of the company. In this instance the scammer failed: they guessed, incorrectly, at the organisation's e-mail address format. The address in question doesn't exist and has never existed. The person they chose to imitate doesn't even use a computer regularly, let alone e-mail.
Sender Policy Framework (SPF), in this instance, flagged the forgery to the recipient.
Headers of the email are as follows:
Received: from p3plwbeout18-03.prod.phx3.secureserver.net (126.96.36.199) by LO2GBR01FT005.mail.protection.outlook.com (10.152.42.91) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.428.12 via Frontend Transport; Thu, 18 Jan 2018 11:08:10 +0000
Received: from p3plgemwbe18-02.prod.phx3.secureserver.net ([188.8.131.52]) by :WBEOUT: with SMTP id c82kezjlTYt7tc82keBm7t; Thu, 18 Jan 2018 04:07:38 -0700
X-SID: c82kezjlTYt7t
Received: (qmail 2879 invoked by uid 99); 18 Jan 2018 11:07:38 -0000
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="utf-8"
X-Originating-IP: 184.108.40.206
User-Agent: Workspace Webmail 6.8.19
Message-ID: <email@example.com>
From: David REDACTED <David.REDACTED@REDACTED.co.uk>
X-Sender: firstname.lastname@example.org
Reply-To: David REDACTED <email@example.com>
To: <accounts@REDACTED.co.uk>
Subject: Morning
Date: Thu, 18 Jan 2018 04:07:36 -0700
MIME-Version: 1.0
Return-Path: firstname.lastname@example.org
It looks like the scammer is using a GoDaddy webmail account that belongs to “email@example.com” and has an “identity” set up in the webmail so that the From address is spoofed to that of the impersonated director. The Reply-To address has been set to an address on the newly registered domain, “firstname.lastname@example.org”.
The email was submitted to GoDaddy from a Sky Broadband IP address possibly based in Oxfordshire.
The scam would play out as follows.
You get an e-mail, and the fraudster is counting on the fact that:
- They've guessed that the board member's e-mail address is name.name@company and you assume it is legitimate.
- They hope you don't notice, when you click reply, that the address you are sending back to is different.
- They hope you don't notice that the request or question is very unusual.
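The two signals the analysis above relies on, a Reply-To domain that differs from the From domain and a reply domain registered only days before the message, can both be checked mechanically. The following is an added example, not code from the original post: it parses a header block laid out like the page's redacted one and reports the findings. The sample headers, the `.example` domain names, the staff directory and the WHOIS lookup table are all constructed for illustration and are not real data.

```python
# Added example (not from the original post): a triage check for the
# impersonated-director / foreign Reply-To pattern described on the page.
from datetime import datetime
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample: same header layout as the page's redacted message,
# with .example domains standing in for the real ones.
SAMPLE_HEADERS = """\
Received: (qmail 2879 invoked by uid 99); 18 Jan 2018 11:07:38 -0000
X-Originating-IP: 203.0.113.10
User-Agent: Workspace Webmail 6.8.19
From: David REDACTED <David.REDACTED@victim-org.example>
X-Sender: mailbox-owner@unrelated-sender.example
Reply-To: David REDACTED <david.redacted@mugley-lookalike.example>
To: <accounts@victim-org.example>
Subject: Morning
Date: Thu, 18 Jan 2018 04:07:36 -0700
MIME-Version: 1.0

"""

# Constructed staff directory (hypothetical): display name -> genuine address.
STAFF_DIRECTORY = {"David REDACTED": "d.redacted@victim-org.example"}

# Constructed WHOIS lookup table (hypothetical): domain -> "Registered on" date,
# in the dd-Mon-yyyy form used by the WHOIS record quoted on the page.
WHOIS_REGISTERED_ON = {"mugley-lookalike.example": "14-Jan-2018"}


def domain_of(header_value):
    """Return the lower-cased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def domain_age_days(registered_on, seen_on):
    """Days between a WHOIS 'Registered on' date (dd-Mon-yyyy) and the date the mail was seen."""
    registered = datetime.strptime(registered_on, "%d-%b-%Y").date()
    return (seen_on - registered).days


def assess(raw_headers, staff_directory, whois_registered_on, max_age_days=30):
    """Run the three checks and return the findings; 'suspicious' is True if any fire."""
    msg = message_from_string(raw_headers)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To"))
    findings = []

    # 1. Reply-To points somewhere other than the From domain: replies leave the organisation.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to domain {reply_domain} differs from from domain {from_domain}")

    # 2. The display name matches a known staff member but the address is not theirs.
    expected = staff_directory.get(from_name)
    if expected and expected.lower() != from_addr.lower():
        findings.append(f"display name '{from_name}' used with unexpected address {from_addr}")

    # 3. The Reply-To domain was registered only days before the message was sent.
    registered_on = whois_registered_on.get(reply_domain)
    if registered_on:
        sent_on = parsedate_to_datetime(msg["Date"]).date()
        age = domain_age_days(registered_on, sent_on)
        if age <= max_age_days:
            findings.append(f"reply-to domain registered {age} days before the message")

    return {
        "from_domain": from_domain,
        "reply_to_domain": reply_domain,
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    for finding in assess(SAMPLE_HEADERS, STAFF_DIRECTORY, WHOIS_REGISTERED_ON)["findings"]:
        print("-", finding)
```

On the constructed sample all three checks fire: the reply domain differs from the From domain, the director's name is paired with an address that is not in the directory, and the reply domain is four days old on the day the message was sent. In a real deployment the WHOIS table would be replaced by a live lookup and the staff directory by the organisation's own address book; the comparisons themselves stay the same.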
If you reply to the initial question about payment, they will then send another request similar to: “I need you to make a quick wire of £24,730 to cover a payment, I will send you the expenditure details for proper coding later today.”
This comes along with some destination bank details.
They are simply attempting to get people to wire X thousand pounds; by the time (12 hours, 24 hours or more) the company notices that the payment wasn't legitimate, the scammer is long gone, as is the money.