Note: I originally wrote this as an internal training piece for the company I work for. I have edited it to be generic enough for public consumption. I have replaced our customer’s domain with 123.com and our own with example.com and host names replaced with foo.
Buying a short domain name is becoming an increasingly difficult and expensive task, and, like all such things, scammers are frothing at the mouth to take advantage.
A customer of our company happens to own a three-letter domain name that is coming close to expiration, which one scammer sees as a potential big pay-day.
The following e-mail, and others like it, has been sent to our support inboxes.
Received: from foo01.example.com ([redacted])
(InterMail vM.7.08.02.01 201-2186-121-102-20070209) with ESMTP
for ; Fri, 19 Aug 2011 19:14:18 -0400
Received: from nm23.bullet.mail.ne1.yahoo.com ([188.8.131.52])
by foo2.example.com with IMP
id NPEG1h00z1rnHHN01PEJfn; Fri, 19 Aug 2011 19:14:18 -0400
X-Authority-Analysis: v=1.1 cv=jFRcAHwZP9LxsP0vFfDNWz2lfJhVAH0GkbE8L4wXwHM=
c=0 sm=1 p=lAqZvjvDoR2kNtzWuqDzCA==:17 a=f8_S3n9t2uQA:10 a=rT6idoquTZQA:10
Received: from [184.108.40.206] by nm23.bullet.mail.ne1.yahoo.com with NNFMP; 19 Aug 2011 23:14:16 -0000
Received: from [220.127.116.11] by tm2.bullet.mail.ne1.yahoo.com with NNFMP; 19 Aug 2011 23:14:16 -0000
Received: from [127.0.0.1] by omp1006.mail.ne1.yahoo.com with NNFMP; 19 Aug 2011 23:14:16 -0000
Received: (qmail 68381 invoked by uid 60001); 19 Aug 2011 23:14:16 -0000
Received: from [18.104.22.168] by web120212.mail.ne1.yahoo.com via HTTP; Fri, 19 Aug 2011 16:14:16 PDT
Date: Fri, 19 Aug 2011 16:14:16 -0700 (PDT)
From: Domain Admin
Reply-To: Domain Admin
Subject: Email Issue
Thank you for great services and support,
Domain name: 123.com ( Using Example Service – Current name servers of my domain is: ns1.example.com and ns2.example.com )
I’ve tried many time to enable email forwarding SomeUser@123.com to email@example.com [ Without saving local copy if possible , do not want save local copy if possible!! ] When tried to enable email forwarding service in control panel, in mail forwarding setting page, entered firstname.lastname@example.org as forwarder email , then submitted page. New page will not load here and finally got the page cannot to display error, tried from Firefox , Internet Explorer, and also cleared caches , but still having same issue. Please check and fix it from your end and send us confirmation so we can test forwarder
Let me know when its ready for test.
At first this appears to be a customer having trouble activating the message forwarding option in Webmail. Upon reading the message a few times, however, a few things stand out. The description of message forwarding, for example, just doesn’t describe our system correctly and is overly vague. And what is with that email@example.com address? A bit odd to me. Then there is the emphasis on forwarding the messages and deleting the local copies.
This is where things start to fall apart: the scammer used the publicly available whois information for this domain when attempting to contact us. SomeUser@123.com is no longer an active e-mail account on our platform, and Some User is not an authorized user on the customer’s contact list. Last but not least, the source IP address on the account belongs to an ISP in Iran.
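The checks described above (is the sender on the account's authorized contact list, where did the message actually originate, does it come from a free webmail provider while claiming to speak for the domain) can be scripted so the support desk runs them before acting on any request of this kind. The following Python is an added example, not code from the original post or its author. The Received chain is transcribed from the message quoted above; the From/Reply-To addresses and the authorized-contact list are constructed placeholders, since the post redacted them, and the function names (`unfold_headers`, `originating_ip`, `triage`) are my own.

```python
"""Triage helper for a suspicious support e-mail: pulls the originating client IP
out of the Received chain and checks the sender against the account's contact list.
Added example; From/Reply-To addresses and the contact list are constructed."""
import re
from ipaddress import ip_address

# Constructed sample, transcribed from the message quoted in the post. The
# sender's address was redacted there, so From/Reply-To below are placeholders.
RAW_HEADERS = """\
Received: from foo01.example.com ([redacted])
    (InterMail vM.7.08.02.01 201-2186-121-102-20070209) with ESMTP
    for ; Fri, 19 Aug 2011 19:14:18 -0400
Received: from nm23.bullet.mail.ne1.yahoo.com ([188.8.131.52])
    by foo2.example.com with IMP
    id NPEG1h00z1rnHHN01PEJfn; Fri, 19 Aug 2011 19:14:18 -0400
Received: from [184.108.40.206] by nm23.bullet.mail.ne1.yahoo.com with NNFMP; 19 Aug 2011 23:14:16 -0000
Received: from [220.127.116.11] by tm2.bullet.mail.ne1.yahoo.com with NNFMP; 19 Aug 2011 23:14:16 -0000
Received: from [127.0.0.1] by omp1006.mail.ne1.yahoo.com with NNFMP; 19 Aug 2011 23:14:16 -0000
Received: (qmail 68381 invoked by uid 60001); 19 Aug 2011 23:14:16 -0000
Received: from [18.104.22.168] by web120212.mail.ne1.yahoo.com via HTTP; Fri, 19 Aug 2011 16:14:16 PDT
Date: Fri, 19 Aug 2011 16:14:16 -0700 (PDT)
From: Domain Admin <SomeUser@123.com>
Reply-To: Domain Admin <SomeUser@123.com>
Subject: Email Issue
"""

# Constructed: contacts the registrant has authorized on the account.
AUTHORIZED_CONTACTS = {"owner@123.com", "billing@123.com"}

RECEIVED_FROM_IP = re.compile(r"from\s+\[(\d{1,3}(?:\.\d{1,3}){3})\]")
ANGLE_ADDR = re.compile(r"<([^>]+)>")


def unfold_headers(raw):
    """Return [(name, value)] with folded continuation lines joined to their header."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and headers:  # continuation of the previous header
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
    return headers


def originating_ip(headers):
    """Walk the Received chain from the earliest hop upward and return the first
    public client IP (the address the sender connected from) plus whether that
    hop was a webmail submission ("via HTTP"). Loopback/private hops are skipped."""
    received = [v for n, v in headers if n == "received"]
    for hop in reversed(received):
        m = RECEIVED_FROM_IP.search(hop)
        if not m:
            continue
        ip = ip_address(m.group(1))
        if ip.is_global:
            return str(ip), "via HTTP" in hop
    return None, False


def address_of(headers, name):
    """Lower-cased address part of the first header with the given name, or None."""
    for n, v in headers:
        if n == name:
            m = ANGLE_ADDR.search(v)
            return (m.group(1) if m else v).strip().lower()
    return None


def triage(raw, authorized):
    """Collect the signals the support desk should look at before acting on the request."""
    headers = unfold_headers(raw)
    ip, webmail = originating_ip(headers)
    sender = address_of(headers, "from")
    reply_to = address_of(headers, "reply-to")
    findings = {
        "originating_ip": ip,              # compare against the account's usual geography
        "submitted_via_webmail": webmail,  # composed in a webmail client, not the customer's MTA
        "sender_authorized": sender in authorized,
        "reply_to_mismatch": reply_to is not None and reply_to != sender,
        "claims_domain": sender.split("@")[-1] if sender else None,
    }
    # Anything that cannot be tied to an authorized contact goes to a phone call-back.
    findings["escalate"] = not findings["sender_authorized"] or findings["reply_to_mismatch"]
    return findings


if __name__ == "__main__":
    for key, value in triage(RAW_HEADERS, AUTHORIZED_CONTACTS).items():
        print(f"{key:24} {value}")
```

The originating IP is only a lead, not proof: it has to be checked against the account's history (here it resolved to an Iranian ISP), and the decisive signal is that the sender is not on the contact list, which is why `escalate` is driven by authorization rather than by geography.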
At this point the technical support representative assigned to monitor the inbox that day replied that the customer would need to call technical support for any assistance with this issue.
And call they did.
Again using the publicly available whois information, they attempted to get the Customer Service Rep to pull up their account in order to activate the e-mail forwarding. Fate happened to work in our favor: since purchasing the domain name the customer has relocated their business, so the information the scammer has is slightly out of date.
You may be asking why the scammer is trying to forward the customer’s e-mail, and here is why. To transfer a domain name between registrars you must obtain an EPP key, which is released only to the owner of the domain based on the whois information. If the scammer is able to social-engineer his way into having the EPP key forwarded (and then deleted from the inbox), he has the ability to hijack the customer’s domain before they are any the wiser.
The lesson in all of this? ALWAYS make sure you know who you’re talking to. If you get a call from somebody claiming to be a customer, always authenticate the account. If something doesn’t feel right, it probably isn’t: ask the caller if you can call them back at the service phone number listed on the account. A social engineer will talk, and will try to talk his way around the challenges you put up.
(updated 08-20-11 23:48 – corrected 123.com usage)