Chinese scammers
Last week I wrote an article on how email needs to be checked on both inbound and outbound directions. To give an example I received an email from a scammer in China who uses a well known tactic of trying to lure me into registering my domains in China as \”they\” have seen that another company was trying to register it under the .cn top level domain.
This was the inbound email which runs via Proofpoint and was already blocked for being a SPAM message and it added the header to be cautious. .
I manually released the message, so I could see its full content. The irony is that they are referencing to a holding company who would have absolutely no interest in my domain names as we\’re in a completely different market and my name would not be of any use as it does not reflect any trademark either. So the net value is basically zero for a large company based in China. The second part which shows their audacity is that they flag their email as being confidential. It shows quite some \”intelligence\” to send out scamming emails with criminal intent and enforcing this to be \”classified\”.
I wanted to follow this through and see how far my protection against this kind of communication goes, so I responded.
I immediately received an email back from Proofpoint that my response was blocked.
The management interface in Proofpoint showed it as follows:
How good is that.
The details
Whenever an email is handled by an MTA (Mail Transport Agent i.e. mail server), there is a lot of information added to the meta data of the email itself which you may not see in your email client. These things are however required for numerous purposes like email routing (who needs to deliver it), control features (like timing), security markers (DKIM and SPF information, see here on that for more info) and other information that may be used in various ways.
I did not want to release the response from there. The less information you provide scammers, the less they could potentially exploit.
The information in the initial email was quite interesting and shows some red flags.
- There is no chinaregistry.com.cn ICANN (Internet Corporation for Assigned Names and Numbers) certified organisation that is allowed to register domain names. The names of organisations are listed on the ICANN website and can be queried over here.
- Email was sent to the evlconsulting.com.au address, whereas the domain being registered was different.
- There is no personal reference or a reference to the information under which the evlconsulting.com.au domain was registered. This most often means the email address is scraped from any website that may have published it somewhere.
- As currently (at the time of writing this) there is a redirect from evlconsulting.com.au to erwinvanlonden.net, the scraper must have linked the erwinvanlonden.net domain to the email address [email protected].
- The title does not contain any name and simply addresses the email to \”the CEO\”. There aren\’t many CEO\’s who will be directly involved in domain registrations.
All of the above are already red-flags and should make you simply toss emails like this in the trash-can.
Phone number
The phone numbers that are used are also a good way of trying to identify if this email can be attributed to a scammer. A website like spamcalls.net also shows that the phone number being used had been flagged by numerous others as suspicious and untrustworthy.
Threat risk
Even though the email itself does not contain any malware or clickable items, if it is not engaged with some thought, you might fall for the trick, contact the sender who could then socially engineer you in registering a domain you have no use for and is most likely significantly overpriced. There is also a chance that many \”secondary fees\” are added onto the bill like monthly maintenance fees, renewal fees, domain protection fees, etc etc . All of these provide no added value and are simply meant to suck as much money as possible out of your business. Chances are high that the moment you transferred any money, you will never hear from them again.
High Risk Countries
The fact that Proofpoint initially quarantined the email and the response also got blocked to this address and requires manual intervention is already a very positive experience. Without a service like this, these phishing emails could very well result in significant financial damage.
There are many companies in China you can have a normal business relation with. The main reason these countries are flagged as high risk it that not only is there a significant amount of spam and scam originating from them but also the options to follow up on scams via the justice system is simply non-existent.
Most countries in Europe as well as North-America, Australia, New-Zealand etc, do have international agreements on information sharing and cross-border prosecution agreements as well as extradition agreements for digital criminal behaviour. These kinds of agreements simply so not exist with many others, and the additional risk is therefore highlighted by security companies like Proofpoint.
All of the above shows that active email monitoring should not be a luxury item in anyone\’s budget but a real necessity.
Contact us for more information
Kind regards
Erwin van Londen