From Russia with Fraud

By | March 15, 2020

I regularly receive text messages claiming that a bank's security system has detected unusual activity on my account. These SMS messages are essentially phishing, except that the spam is delivered via cell phone. Below the text is a URL that looks like the bank's web domain name; looking carefully, however, you can see that the bank name is only a subdomain prefix attached to another main domain, which has nothing in common with the bank. The messages ask me to log in and confirm my identity to avoid account suspension. All messages came from country code 7 and area code 495 (Russia, Moscow):


$ whois 33d-4-asd.com
Domain Name: 33D-4-ASD.COM
Registry Domain ID: 2498658866_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.registrar.eu
Registrar URL: http://www.openprovider.com
Updated Date: 2020-03-15T19:36:09Z
Creation Date: 2020-03-01T18:54:05Z
Registry Expiry Date: 2021-03-01T18:54:05Z
Registrar: Hosting Concepts B.V. d/b/a Openprovider
Registrar IANA ID: 1647
Registrar Abuse Contact Email: abuse@registrar.eu
Registrar Abuse Contact Phone: +31.104482297
Domain Status: clientHold https://icann.org/epp#clientHold
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransfer$
Name Server: NS1.SUSPENDED-DOMAIN.COM
Name Server: NS2.SUSPENDED-DOMAIN.COM
DNSSEC: unsigned
   
$ whois prf-fd4-34.com
Domain Name: PRF-FD4-34.COM
Registry Domain ID: 2489018491_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.registrar.eu
Registrar URL: http://www.openprovider.com
Updated Date: 2020-02-20T00:53:18Z
Creation Date: 2020-02-05T21:13:59Z
Registry Expiry Date: 2021-02-05T21:13:59Z
Registrar: Hosting Concepts B.V. d/b/a Openprovider
Registrar IANA ID: 1647
Registrar Abuse Contact Email: abuse@registrar.eu
Registrar Abuse Contact Phone: +31.104482297
Domain Status: clientHold https://icann.org/epp#clientHold
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransfer$
Name Server: INA1.REGISTRAR.EU
Name Server: INA2.REGISTRAR.EU
Name Server: INA3.REGISTRAR.EU

Do not click on links in such messages: rbc.com and scotiabank.ca are just subdomain prefixes of the domain names 33d-4-asd.com and prf-fd4-34.com, which were registered to capture your bank credentials.
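A small check for exactly this trick, added here as an example (not code from the original post): it extracts the registrable domain from a link and flags a hostname that merely begins with a real bank domain. The suffix table and the sample links (built from the bank names and domains quoted above) are my own constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumption: a tiny suffix table is enough for this demo. A real filter
# should use the full Public Suffix List (e.g. the tldextract package).
PUBLIC_SUFFIXES = {"com", "ca", "co.uk"}

# Bank domains the recipient actually expects, taken from the post.
TRUSTED_BANK_DOMAINS = {"rbc.com", "scotiabank.ca"}


def registrable_domain(hostname: str) -> str:
    """Return the registrable domain of a hostname.

    'rbc.com.33d-4-asd.com' -> '33d-4-asd.com'; 'www.rbc.com' -> 'rbc.com'.
    """
    labels = hostname.lower().rstrip(".").split(".")
    # Try the longer public suffix first so 'co.uk' wins over 'uk'.
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return hostname.lower()


def classify_url(url: str) -> str:
    """Classify an SMS link as 'trusted', 'lookalike' or 'unknown'.

    'lookalike' means a trusted bank domain appears only as a subdomain
    prefix of some other registrable domain, as in the messages above.
    """
    if "://" not in url:            # SMS links are often sent without a scheme
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    reg = registrable_domain(host)
    if reg in TRUSTED_BANK_DOMAINS:
        return "trusted"
    for bank in TRUSTED_BANK_DOMAINS:
        if host.startswith(bank + ".") and reg != bank:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links, modelled on the post's description.
    for link in ("https://www.rbc.com/online-banking",
                 "https://rbc.com.33d-4-asd.com/login",
                 "scotiabank.ca.prf-fd4-34.com/verify"):
        print(f"{link:45} -> {classify_url(link)}")
```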
