Phishing Scam Warning: Companies House / Late Rooms

Background

I get so much spam and attempted infiltrations that I rarely feel the need to share, but this one might affect more people than usual. One of our honeypot servers has been detecting a significant uplift in port scans over the last week or so which may be in concert with some of these phishing attempts.

It's also possible that the recent port scan activity has highlighted weak points in online platforms, which are now being exploited in this way.

Regardless of who is initiating it, it's something we should be aware of.

Details

After noticing an email arrive on an address only ever provided to LateRooms.com, it appears that a spammer is crafting phishing emails using the "cpgov.uk" domain, a lookalike (typo-squatting style) domain meant to read like ".gov.uk". I think I used the recipient address in question for one specific booking back in either 2016 or 2017, but I'm not 100% sure of the date.

The emails appear to be sent from suspicious IPs and are crafted to look like UK Companies House-branded notifications. Each notification carries an attachment (obviously, don't open it!) and contains suspect links in the email body referring to a "Companies House Complaint".

At the time of writing, the WHOIS record for cpgov.uk clearly shows suspect registration details, and also highlights that Nominet's assurance process appears to have correctly identified falsified WHOIS data:

Domain name:
    cpgov.uk

Registrant:
    Viktoriya Petrova

Registrant type:
    Unknown

Registrant's address:
    Viktoriya Petrova
    St. Petersburg
    Viktoriya Petrova
    W1D 3SA
    United Kingdom


Data validation:
    Nominet was not able to match the registrant's name and/or address against a 3rd party source on 24-Apr-2018

Registrar:
    GoDaddy.com, LLP. [Tag = GODADDY]
    URL: http://uk.godaddy.com

Relevant dates:
    Registered on: 24-Apr-2018
    Expiry date:  24-Apr-2019
    Last updated:  24-Apr-2018


Registration status:
    Registered until expiry date.

Name servers:
    ns1.suspended-for.spam-and-abuse.com
    ns2.suspended-for.spam-and-abuse.com


As you can see, the address places St. Petersburg at a West London postcode (W1D 3SA, which Royal Mail actually lists as the "Sunset Strip Theatre" on Dean Street in Soho), and Nominet was "...not able to match the registrant's name ... address...". Hopefully GoDaddy will follow this up, but the name servers already appear to have been suspended for spam and abuse, as their hostnames say.
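As an added example (not code from the original post), the following Python script parses the plain-text Nominet WHOIS layout reproduced above and flags the indicators this post calls out: a failed Nominet data-validation step, a registration only days old, name servers whose hostnames advertise a suspension, the registrant's name reused as address lines, and a second-level label that merely contains "gov" rather than sitting under gov.uk. The WHOIS text embedded in the script is a copy of the record above; the date the phishing mail was received (01-May-2018 in the usage call) is an assumption made for illustration, as is the 30-day "fresh registration" threshold.

```python
"""Red-flag checks over a Nominet (.uk) WHOIS record.

Added example, not code from the original post. Parses the
'Header:' / indented-lines layout that Nominet WHOIS returns and
scores the indicators discussed in the post.
"""
from datetime import datetime

# Copy of the WHOIS record shown in the post (embedded so the example runs offline).
WHOIS_TEXT = """\
Domain name:
    cpgov.uk

Registrant:
    Viktoriya Petrova

Registrant type:
    Unknown

Registrant's address:
    Viktoriya Petrova
    St. Petersburg
    Viktoriya Petrova
    W1D 3SA
    United Kingdom

Data validation:
    Nominet was not able to match the registrant's name and/or address against a 3rd party source on 24-Apr-2018

Registrar:
    GoDaddy.com, LLP. [Tag = GODADDY]
    URL: http://uk.godaddy.com

Relevant dates:
    Registered on: 24-Apr-2018
    Expiry date:  24-Apr-2019
    Last updated:  24-Apr-2018

Registration status:
    Registered until expiry date.

Name servers:
    ns1.suspended-for.spam-and-abuse.com
    ns2.suspended-for.spam-and-abuse.com
"""


def parse_whois(text):
    """Return {section_name: [stripped value lines]} for the Nominet layout.

    A section header is an unindented line ending in ':'; everything
    indented beneath it belongs to that section.
    """
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" ") and line.endswith(":"):
            current = line[:-1]
            sections[current] = []
        elif current is not None:
            sections[current].append(line.strip())
    return sections


def parse_uk_date(value):
    """Nominet prints dates as dd-Mon-yyyy, e.g. 24-Apr-2018."""
    return datetime.strptime(value.strip(), "%d-%b-%Y").date()


def whois_red_flags(text, seen_on, max_age_days=30):
    """Return a list of (indicator, detail) tuples for the record.

    seen_on: the date the suspicious mail was received, as a date or a
    dd-Mon-yyyy string. max_age_days is an assumed threshold (30 days).
    """
    if isinstance(seen_on, str):
        seen_on = parse_uk_date(seen_on)
    s = parse_whois(text)
    flags = []

    # Genuine UK government domains sit under gov.uk; "gov" embedded in the
    # second-level label (cpgov.uk) is a lookalike, not a government domain.
    domain = s["Domain name"][0].lower()
    labels = domain.split(".")
    if "gov" in labels[0] and labels[-2:] != ["gov", "uk"]:
        flags.append(("lookalike-gov", domain))

    # Nominet's own statement that it could not validate the registrant.
    validation = " ".join(s.get("Data validation", []))
    if "not able to match" in validation:
        flags.append(("validation-failed", validation))

    # Domain registered shortly before the mail arrived.
    for line in s.get("Relevant dates", []):
        if line.startswith("Registered on:"):
            age = (seen_on - parse_uk_date(line.split(":", 1)[1])).days
            if 0 <= age <= max_age_days:
                flags.append(("fresh-registration", f"{age} days old"))

    # Name servers renamed by the DNS host to signal a suspension.
    for ns in s.get("Name servers", []):
        if any(w in ns.lower() for w in ("suspend", "abuse", "spam")):
            flags.append(("nameserver-suspended", ns))

    # Registrant name padded into the street/town lines of the address.
    registrant = s.get("Registrant", [""])[0]
    addr = s.get("Registrant's address", [])
    if registrant and registrant in addr[1:]:
        flags.append(("name-as-address", registrant))

    return flags


if __name__ == "__main__":
    # Assumed receipt date for the phishing mail, a week after registration.
    for indicator, detail in whois_red_flags(WHOIS_TEXT, "01-May-2018"):
        print(f"{indicator:22s} {detail}")
```

Each indicator on its own is weak (a freshly registered domain is not necessarily malicious), which is why the function returns all of them rather than a single verdict; a mail filter would typically weight them, and the lookalike-gov plus validation-failed pair is the combination worth acting on for a "gov.uk"-themed lure.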

What's most interesting is that while the email itself is clearly not genuine (it arrived at an address never exposed to Companies House and references a 'complaint' without anything in writing), the address the spam was received on has only ever been used on the LateRooms website.

I'll keep an eye out for further inbound mail to this address as detected by RingoDingo (our upcoming security product), since there may have been a breach at LateRooms. Having checked Have I Been Pwned, it appears this would be fresh, as nothing has been previously registered there.

Will update when I have more.

Updates


Although I've tried a few routes (including resorting to Twitter) I've not been able to get in touch with the right group at LateRooms to discuss aspects of this.

I've tried two of LateRooms' Twitter accounts and they just direct me back to the website, despite my asking for the security team's details and PGP key.
