Phishing Scam Warning: Companies House / Late Rooms
Background
I get so much spam and attempted infiltration that I rarely feel the need to share, but this one might affect more people than usual. One of our honeypot servers has been detecting a significant uplift in port scans over the last week or so, which may be in concert with some of these phishing attempts.
It's also possible that recent port scan activity has highlighted weak points in online platforms, which are now being exploited in this way.
Regardless of who is initiating it, it's something we should be aware of.
Details
After noticing an email arrive on an email address only ever provided to LateRooms.com, it appears that a spammer is attempting to craft phishing emails using the "cpgov.uk" domain, a typosquatting domain meant to sound like ".gov.uk". I think I used the recipient email address in question for one specific booking back in either 2016 or 2017, but I'm not 100% sure of the date.
The emails appear to be sent from suspicious IPs and are crafted to look like UK Companies House-branded notifications. The notifications have an attachment (obviously don't open them!) and contain suspect links within the email body, talking about a "Companies House Complaint".
At the time of writing the cpgov.uk domain clearly shows suspect registration details, and also highlights the fact that Nominet's assurance process appears to correctly identify falsified WHOIS data:
Nominet was not able to match the registrant's name and/or address against a 3rd party source on 24-Apr-2018
GoDaddy.com, LLP. [Tag = GODADDY]
Registered on: 24-Apr-2018
Expiry date: 24-Apr-2019
Last updated: 24-Apr-2018
Registered until expiry date.
As you can see, the address shows St. Petersburg in a West London location (actually listed as the "Sunset Strip Theatre" on Dean Street in Soho according to Royal Mail), and that Nominet was "...not able to match the registrant's name ... address...". Hopefully GoDaddy will back-reference this, but the NS servers appear to have been blocked out due to non-compliant activity.
What's most interesting is that the email itself is clearly not genuine (using an email address never exposed to Companies House and referencing a 'complaint' without anything in writing), but that the email address the spam was received on has only ever been used on the LateRooms website.
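As an added illustration (not code from the post), here is how the two signals the author relies on can be checked automatically in a mail filter: a sender domain under .uk whose registrable label only imitates gov.uk, as cpgov.uk does, and a recipient alias that was uniquely handed to one service, which points at where the address leaked. The allowlist, the alias map and the sample message are constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

# Second-level labels that legitimately sit directly under .uk (assumption: a
# defender-maintained allowlist; production would use the full Nominet list).
UK_SECOND_LEVEL = {"gov", "co", "org", "ac", "nhs", "police", "sch", "ltd", "plc", "net", "me"}
# Constructed map of per-service recipient aliases to the service each was given to.
ALIAS_OWNER = {"hotels-2017@example.org": "LateRooms.com"}

def looks_like_gov_uk_lookalike(domain):
    """True for .uk domains whose registrable label imitates 'gov' without being it,
    e.g. cpgov.uk: the label before .uk is 'cpgov', not the real 'gov' second level."""
    labels = domain.lower().split(".")
    if len(labels) < 2 or labels[-1] != "uk":
        return False
    return labels[-2] not in UK_SECOND_LEVEL and "gov" in labels[-2]

def header_address(msg, name):
    """Bare lower-cased address from a header, or '' if absent."""
    return parseaddr(str(msg.get(name, "")))[1].lower()

def triage(raw):
    """Summarise the signals the post describes for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = header_address(msg, "From")
    recipient = header_address(msg, "To") or header_address(msg, "Delivered-To")
    domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""
    return {
        "sender_domain": domain,
        "gov_uk_lookalike": looks_like_gov_uk_lookalike(domain),
        "has_attachment": any(p.get_filename() for p in msg.walk()),
        "leaked_via": ALIAS_OWNER.get(recipient),  # which service held this alias
    }

# Constructed sample modelled on the post's description (not a real capture).
SAMPLE = """\
From: Companies House <notice@cpgov.uk>
To: hotels-2017@example.org
Subject: Companies House Complaint
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/zip; name="complaint.zip"
Content-Disposition: attachment; filename="complaint.zip"

ZmFrZQ==
--b1--
"""
```

The lookalike check is a heuristic on direct .uk registrations and will also flag benign names that merely contain "gov", so treat hits as review candidates rather than auto-blocking.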
I'll keep an eye out for more inbound detected by RingoDingo (our upcoming security product) on this email address as there may have been a breach at LateRooms. Having checked Have I Been Pwned it appears that this would be fresh as nothing has been previously registered.
Will update when I have more.
Although I've tried a few routes (including resorting to Twitter) I've not been able to get in touch with the right group at LateRooms to discuss aspects of this.
I've tried two of LateRooms' Twitter accounts and they just direct me back to the website, despite my asking for the security team's details & PGP key.