Now this is what I call moving forward or at least being very bold: a targeted scam attack on Websense. Do not misunderstand my point though, as this is not to congratulate squatters – however, it definitely is a progression from simpler times when all one had to do to initiate a phishing attack was to register a domain name which was closely related to one which was used for commerce or similar. The example below elaborates on how far people are willing to go to get a response.
The domain used for this targeted scam is dornfordeve.com and has nothing to do with Websense as it is not owned by the company. However, when the company received a letter from a supposed legal firm with a Cease and Desist action on the use of the domain name, it got a few people "scratching their heads". It is unusual to receive letters or emails such as these, and the subject line is sure to grab one's attention or invoke a little curiosity.
Below is the phishing message example intended for the Legal department.
The content of the message sounds quite stern; however, a little digging on the domain using a simple wget gave us the source code of "index.html" (below).
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>dornfordeve.com</title>
</head>
<frameset rows="100%,*" border="0">
<frame src="https://www.mailcontrol.com/login/login_form.mhtml" frameborder="0" />
<frame frameborder="0" noresize />
</frameset>
<!– pageok –>
<!– 05 –>
<!– –>
</html>
Instead of the cybercriminal simply buying a corresponding or closely-related domain name, they have an embedded frame to Websense's Hosted Email Security page. An unsuspecting user entering the URL into the address bar of a browser is automatically and transparently presented with Websense's Hosted Email Security logon page (mailcontrol.com).
Further investigation into the domain name using robtex also shows similarly listed domains up for sale.
Although there is nothing malicious about this, the intent is pretty obvious as this is not a domain owned by us. Whoever was behind this clearly knew what they wanted, and in some circumstances would probably achieve their aim (although sadly for them, not today).
Piecing things together suggests this hypothesis:
- Cybercriminal decides on most eligible targets
- Cybercriminal buys domain name either directly or via proxy
- Cybercriminal plants a frame on bought domain that points to the target's Website
- Cybercriminal masquerades as law firm and contact the legal department of targeted company
Desired outcomes for group:
- Company panics and offers to buy domain at extortionate price
- Company bites or tugs on the bait to start a dialogue, with the group eventually being offered a settlement
Best bit of advice:
If a domain does not belong to you, check first on the legitimacy of senders, report this as an incident (a company's Information Security team would have a means of reporting incidents), and monitor further communication (if any).
Leave a reply
