I use this blog as a soap box to preach (ahem... to talk :-) about subjects that interest me.

Monday, September 12, 2011

How to identify some email scams

Some days ago, I received the following email (with my email address removed and the links disabled):

Subject: Your package has arrived!
From: UPS Shipments
Date: Wed, 7 Sep 2011 21:42:50 +0900 (KST)
To:

Dear client
Your package has arrived.
The tracking # is : 16B9159622A040A2 and can be used at :
http://www.ups.com/tracking/tracking.html
The shipping invoice can be downloaded from :
http://www.ups.com/tracking/invoices/download.aspx?invoice_id=16B9159622A040A2

Thank you,
United Parcel Service

*** This is an automatically generated email, please do not reply ***


It looked plausible, but I was not expecting any parcel. Note that the time zone in the Date header is KST (Korea Standard Time). In itself that is not suspicious, given how globalised email traffic is, but it is worth noting alongside the other details below.

Perhaps, if I had been expecting parcels, I would have clicked on the second link to see what item the email was about. It would have been easier than looking up my outstanding invoices to compare the numbers. But had I done so, I would (as I only found out later) have downloaded, and possibly launched, an executable. Who knows what it would have done...

As I was not expecting any parcel, I saved the email to my desktop as an HTML file. I then opened it in a text editor and discovered that the two links it contained pointed to URLs different from the ones displayed as link text. The first one pointed to
     http://wwwapps-ups.com/track.php?page=16b9159622a040a2
and the second one to
     http://track.wwwapps-ups.com/invoice040A2.JPG.exe

This disguising of URLs was highly suspicious, even though the real domain name included the string “ups”: wwwapps-ups.com is not a UPS domain but a look-alike chosen to survive a quick glance. Besides, why should my invoice be an executable file rather than a PDF? The double extension .JPG.exe is a classic trick: on a system configured to hide known file extensions (the Windows default), the name is shown as invoice040A2.JPG and the file looks like a picture.
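The two checks described above (link text showing one host while the href points to another, and a download whose file name ends in an executable extension, possibly hidden behind a double extension) can be automated against the saved HTML. The following is an added example, not code from the original post; the sample HTML is constructed to mirror the quoted scam message, and the list of executable suffixes and the "last two labels" approximation of the registrable domain are simplifications of my own.

```python
"""Spot two phishing indicators in the raw HTML of an email: links whose
visible text shows one host while the href points to another, and links
that fetch an executable, possibly behind a double extension such as .JPG.exe.
Added example, not code from the original post; the sample HTML below is
constructed to mirror the quoted scam message."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the two anchors as they would appear in the saved HTML.
SAMPLE_EMAIL_HTML = """
<p>Dear client<br>Your package has arrived.<br>
The tracking # is : 16B9159622A040A2 and can be used at :
<a href="http://wwwapps-ups.com/track.php?page=16b9159622a040a2">http://www.ups.com/tracking/tracking.html</a><br>
The shipping invoice can be downloaded from :
<a href="http://track.wwwapps-ups.com/invoice040A2.JPG.exe">http://www.ups.com/tracking/invoices/download.aspx?invoice_id=16B9159622A040A2</a></p>
"""

# Assumed list of file types that run as code when opened on Windows; extend as needed.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".jar")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently open, else None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_part(host):
    """Crude 'last two labels' approximation of the registrable domain
    (www.ups.com -> ups.com).  A real tool would consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyse_links(html):
    """Return [(href, [reasons])] for every link; an empty reason list means clean."""
    parser = LinkExtractor()
    parser.feed(html)
    results = []
    for href, text in parser.links:
        reasons = []
        target = urlparse(href)
        actual_host = target.hostname or ""
        # Only compare hosts when the anchor text itself looks like a URL.
        if text.startswith(("http://", "https://", "www.")):
            shown = text if "://" in text else "http://" + text
            shown_host = urlparse(shown).hostname or ""
            if registrable_part(shown_host) != registrable_part(actual_host):
                reasons.append(f"text shows {shown_host} but link goes to {actual_host}")
        filename = target.path.rsplit("/", 1)[-1].lower()
        if filename.endswith(EXECUTABLE_SUFFIXES):
            reasons.append(f"link downloads an executable ({filename})")
            if filename.count(".") >= 2:
                reasons.append("double extension disguises the executable as another file type")
        results.append((href, reasons))
    return results


def suspicious_links(html):
    """Only the links that triggered at least one indicator."""
    return [(href, reasons) for href, reasons in analyse_links(html) if reasons]


if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL_HTML):
        print(href)
        for reason in reasons:
            print("   -", reason)
```

Run against the constructed sample, both anchors are flagged: the first for the host mismatch alone, the second for the mismatch, the executable and the double extension. A link whose text is just "click here" is not checked for a mismatch, since there is nothing to compare against; that is why the executable check is kept separate.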

I was not in any real danger: I read my mail on a Mac, on which a Windows executable does not run natively, and the security settings of my email client are at maximum. But many others might have been infected without even realising it.

I looked the domain up in the Whois database (with the whois command-line tool, whose output follows) and came up with the following entry:

WHOIS information for wwwapps-ups.com :
[Querying whois.verisign-grs.com]
[Redirected to grs-whois.hichina.com]
[Querying grs-whois.hichina.com]
[grs-whois.hichina.com]
Domain Name ..................... wwwapps-ups.com
Name Server ..................... dns27.hichina.com
dns28.hichina.com
Registrant ID ................... hc048483736-cn
Registrant Name ................. wan shen
Registrant Organization ......... wan shen
Registrant Address .............. shanghaishihong kouquchangshalu125hao
Registrant City ................. hongkouqu
Registrant Province/State ....... HA
Registrant Postal Code .......... 200102
Registrant Country Code ......... CN
Registrant Phone Number ......... +86.02152312352 -
Registrant Fax .................. +86.02152312352 -
Registrant Email ................ sdfdsgfdf@126.com
Administrative ID ............... hc048483736-cn
Administrative Name ............. wan shen
Administrative Organization ..... wan shen
Administrative Address .......... shanghaishihong kouquchangshalu125hao
Administrative City ............. hongkouqu
Administrative Province/State ... HA
Administrative Postal Code ...... 200102
Administrative Country Code ..... CN
Administrative Phone Number ..... +86.02152312352 -
Administrative Fax .............. +86.02152312352 -
Administrative Email ............ sdfdsgfdf@126.com
Billing ID ...................... hc048483736-cn
Billing Name .................... wan shen
Billing Organization ............ wan shen
Billing Address ................. shanghaishihong kouquchangshalu125hao
Billing City .................... hongkouqu
Billing Province/State .......... HA
Billing Postal Code ............. 200102
Billing Country Code ............ CN
Billing Phone Number ............ +86.02152312352 -
Billing Fax ..................... +86.02152312352 -
Billing Email ................... sdfdsgfdf@126.com
Technical ID .................... hc048483736-cn
Technical Name .................. wan shen
Technical Organization .......... wan shen
Technical Address ............... shanghaishihong kouquchangshalu125hao
Technical City .................. hongkouqu
Technical Province/State ........ HA
Technical Postal Code ........... 200102
Technical Country Code .......... CN
Technical Phone Number .......... +86.02152312352 -
Technical Fax ................... +86.02152312352 -
Technical Email ................. sdfdsgfdf@126.com
Expiration Date ................. 2012-09-07 08:17:10

HiChina Zhicheng Technology Ltd. is the registrar (the lookup was redirected to its whois server, grs-whois.hichina.com), a company based in Beijing, and I have no reason to suspect that it is involved in the scam. But this Wan Shen, whose address decodes to 125 Changsha Road in the Hongkou district of Shanghai (Hongkou, not Hong Kong, despite what the city field might suggest), doesn’t look to have anything to do with UPS. Note also the registrant email, sdfdsgfdf@126.com, a keyboard-mash address at a free webmail service, and that the same person and contact details fill the registrant, administrative, billing and technical roles.

Now, if you search for "wan shen" shanghaishihong, you find out two things:
1.   They also own the domain name micr0supdates.com (a zero in place of the “o”, made to pass for a Microsoft updates site).
2.   micr0supdates.com is listed in a database of malware URLs
(http://www.malwareurl.com/listing.php?domain=micr0updates.com).

As a last interesting point, notice that the expiration date of wwwapps-ups.com is 2012-09-07, exactly one year after the date of the scam email. Domains are sold in whole-year terms, so the domain was most likely registered on 7 September 2011, and this Wan Shen put it to work the very same day...
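The whois record above and the expiry-date reasoning can be turned into a repeatable check: parse the dotted “Key ..... value” format, estimate the creation date from the expiry, and compare it with the Date header of the email. The following is an added example, not part of the original post. The whois text is the page’s own entry trimmed to a few fields; the one-year registration term and the list of free webmail providers are assumptions of mine.

```python
"""Parse a 'Key ..... value' whois record and derive the indicators a
practitioner looks for: a domain only days old when the email was sent,
a throwaway registrant mailbox, and no real organisation behind the
registration.  Added example, not part of the original post.  The whois
text is the page's own entry trimmed to a few fields; the one-year term
and the free-mail provider list are assumptions."""
import re
from datetime import datetime
from email.utils import parsedate_to_datetime

# Trimmed copy of the whois output quoted in the post (page data, not constructed).
WHOIS_TEXT = """\
Domain Name ..................... wwwapps-ups.com
Name Server ..................... dns27.hichina.com
dns28.hichina.com
Registrant Name ................. wan shen
Registrant Organization ......... wan shen
Registrant Country Code ......... CN
Registrant Email ................ sdfdsgfdf@126.com
Expiration Date ................. 2012-09-07 08:17:10
"""

# Date header of the scam message, as quoted in the post.
EMAIL_DATE_HEADER = "Wed, 7 Sep 2011 21:42:50 +0900 (KST)"

# Assumed: well-known free webmail domains (extend for your environment).
FREE_MAIL_DOMAINS = {"126.com", "163.com", "qq.com", "gmail.com", "yahoo.com", "hotmail.com"}

# "Key ..... value": a key, one space, three or more dots, then the value.
_FIELD = re.compile(r"^(.+?)\s\.{3,}\s*(.*)$")


def parse_whois(text):
    """Map each key to the list of its values.  A line without the dotted
    separator (e.g. the second name server) continues the previous key."""
    fields = {}
    last_key = None
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m:
            last_key = m.group(1).strip()
            fields.setdefault(last_key, []).append(m.group(2).strip())
        elif line.strip() and last_key is not None:
            fields[last_key].append(line.strip())
    return fields


def estimated_creation(fields, term_years=1):
    """Registrations are sold in whole years, so expiry minus the term
    approximates the creation date when the record lacks one.  Assumes the
    shortest (one-year) term, which is what the post infers."""
    expiry = datetime.strptime(fields["Expiration Date"][0], "%Y-%m-%d %H:%M:%S")
    day = 28 if (expiry.month, expiry.day) == (2, 29) else expiry.day  # leap-day guard
    return expiry.replace(year=expiry.year - term_years, day=day)


def domain_age_days(fields, date_header):
    """Days between the estimated creation date and the email's Date header.
    The whois timestamp carries no zone, so only calendar dates are compared."""
    sent = parsedate_to_datetime(date_header)
    return (sent.date() - estimated_creation(fields).date()).days


def whois_indicators(fields, date_header, young_days=30):
    """Human-readable list of the red flags present in the record."""
    found = []
    age = domain_age_days(fields, date_header)
    if age <= young_days:
        found.append(f"domain was about {age} day(s) old when the email was sent")
    email = fields.get("Registrant Email", [""])[0]
    if email.rsplit("@", 1)[-1].lower() in FREE_MAIL_DOMAINS:
        found.append(f"registrant uses a free webmail address ({email})")
    if fields.get("Registrant Name") == fields.get("Registrant Organization"):
        found.append("registrant organisation is just the registrant's own name")
    return found


if __name__ == "__main__":
    record = parse_whois(WHOIS_TEXT)
    for flag in whois_indicators(record, EMAIL_DATE_HEADER):
        print("-", flag)
```

For the quoted record the estimated creation date is 2011-09-07 and the computed age on the day the email was sent is zero days, which is the strongest of the three indicators the function reports. Real whois records usually carry a Creation Date field; when present it should be used directly instead of the expiry-based estimate.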
