Parking/Speeding Ticket? Scam Emails Targeting Canadians

Whether this campaign is aimed at everyone or at Canadians in particular is unclear, but on the heels of the recent parking ticket scams, the same senders are now pushing fake speeding ticket spam. We cannot tie it to recent political events, but it is worth noting that the messages originate from a large Russian hosting company that either allows this traffic or cannot prevent it.

Here is an example of one of these messages:

Subject: RCMP Notice, 5752946CA, jim@example.com

Hello Dear, jim@example.com

You have been detected with a speed violation:

Type: negligent driving

Registered No: 67947595898

Date of issue: May 11, 2017

Amount due: 57.83 CAD

Download Photo and Invoice Proof 866435899925

http://cbsa-asfc.gc.ca/71371CA/76825.gif

The fine shall be accredited within the statutory period
off up to June 21, 2017.

This is an automatically created message, please do not reply.

When you look at the source of the message, you will see the same pattern the parking ticket scammers used. The body is quoted-printable encoded (=3D is "=", =20 is a space, and a trailing "=" is a soft line break), which scatters the URL across several lines, and, as before, they mangle certain vowels to get past spam filters. The important part is the link itself: the visible text is a cbsa-asfc.gc.ca (Canada Border Services Agency) URL, but the href actually points at a Google search redirect (google.com/url?q=...) that forwards the click to geneseevalleyems.org. Note the hl=3Dru (Russian locale) parameter they left in the redirect URL.

<A=20
href=3D"https://www.google.com/url?hl=3Dru&q=3Dhttp://geneseevalleyems.or=
g&source=3Dgmail&ust=3D1495294112851000&usg=3DAFQjCNH1kkVzaaQ-y3dqXbd2xke=
kPZ8RFQ#yzntszdz">http://cbsa-asfc.gc.ca/71371CA/76825.gif</A></DIV>

So where are these attacks coming from? Interestingly, they have chosen throwaway domains under the .us TLD. The Received header shows the connecting host:

Received: from lifebackmichigan.us (HELO lifebackmichigan.us) (194.87.221.225)

And just like the previous parking ticket scams, any request to that domain is quickly redirected to a second site, and then to a third, where the actual malicious content is hosted.
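The two checks described above (decoding the quoted-printable source to compare a link's visible text with its real destination behind the Google redirect, and pulling the connecting host and IP out of the Received header) are easy to automate. The following script is an added example written for this post, not something the scammers or any mail tool ship. The sample message is constructed from the Received line and the anchor quoted above, with hypothetical filler headers; the redirector table and the Received-header regex (qmail-style "from X (HELO Y) (ip)") are assumptions that would need extending for other mail servers and redirect services.

```python
import email
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample: the Received line and the quoted-printable anchor from
# the message quoted above, plus hypothetical filler headers. Not the full
# original message.
SAMPLE_RAW = b"""Received: from lifebackmichigan.us (HELO lifebackmichigan.us) (194.87.221.225)
Subject: RCMP Notice, 5752946CA, jim@example.com
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

<DIV>Download Photo and Invoice Proof 866435899925</DIV>
<DIV><A=20
href=3D"https://www.google.com/url?hl=3Dru&q=3Dhttp://geneseevalleyems.or=
g&source=3Dgmail&ust=3D1495294112851000&usg=3DAFQjCNH1kkVzaaQ-y3dqXbd2xke=
kPZ8RFQ#yzntszdz">http://cbsa-asfc.gc.ca/71371CA/76825.gif</A></DIV>
"""

# Assumed table of open redirectors: host -> query parameter holding the
# real target. Google's /url endpoint (seen in the message) uses "q".
REDIRECTORS = {"www.google.com": "q", "google.com": "q"}

# Assumed Received-header shape: "from <name> (HELO <helo>) (<ipv4>)".
RECEIVED_RE = re.compile(
    r"from\s+(\S+)\s+\(HELO\s+([^)]+)\)\s+\((\d{1,3}(?:\.\d{1,3}){3})\)"
)


def decode_body(raw: bytes) -> str:
    """Undo the Content-Transfer-Encoding (quoted-printable here: =3D is '=',
    =20 is a space, a trailing '=' is a soft line break) and return the HTML."""
    msg = email.message_from_bytes(raw)
    return msg.get_payload(decode=True).decode("utf-8", "replace")


def unwrap_redirect(url: str) -> str:
    """Resolve a redirector URL to its embedded target without touching the
    network; bounded so a chain of redirectors cannot loop forever."""
    for _ in range(5):
        p = urlparse(url)
        param = REDIRECTORS.get(p.hostname or "")
        if param is None or p.path != "/url":
            return url
        target = parse_qs(p.query).get(param)
        if not target:
            return url
        url = target[0]
    return url


class _Anchors(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_deceptive_links(html: str) -> list:
    """Flag anchors whose visible text is a URL on one host while the href
    (after unwrapping any redirector) lands on a different host."""
    parser = _Anchors()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        shown = urlparse(text).hostname if "://" in text else None
        final = unwrap_redirect(href)
        final_host = urlparse(final).hostname
        findings.append({
            "shown_host": shown,
            "href_host": urlparse(href).hostname,
            "final_url": final,
            "final_host": final_host,
            "deceptive": shown is not None and shown != final_host,
        })
    return findings


def sending_host(raw: bytes) -> dict:
    """Pull the connecting name, HELO string and IP out of the first
    Received: header (only the assumed format above is recognised)."""
    msg = email.message_from_bytes(raw)
    m = RECEIVED_RE.search(msg.get("Received", ""))
    if not m:
        return {}
    return {"from": m.group(1), "helo": m.group(2), "ip": m.group(3)}


def analyze(raw: bytes) -> dict:
    return {"sender": sending_host(raw),
            "links": find_deceptive_links(decode_body(raw))}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_RAW).items():
        print(key, value)
```

Run against the sample, the link is reported as deceptive: shown host cbsa-asfc.gc.ca, href host www.google.com, final host geneseevalleyems.org, and the sender comes back as HELO lifebackmichigan.us from 194.87.221.225. The same mismatch check (visible URL text versus resolved destination) is what a mail gateway or a user hovering over the link should be doing before anything is clicked.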

The connecting IP, 194.87.221.225, falls in the following RIPE range:

inetnum: 194.87.192.0 - 194.87.231.255
netname: REGRU-NETWORK
descr: Reg.Ru Hosting
org: ORG-nrRL1-RIPE
country: RU
admin-c: ARP-RIPE
tech-c: RGRU-RIPE
status: ASSIGNED PA
mnt-by: AS2578-MNT
mnt-routes: REGRU-MNT
mnt-routes: SKYMEDIA-MNT
mnt-domains: REGRU-MNT
created: 2014-12-16T13:10:31Z
last-modified: 2017-05-16T09:19:30Z
source: RIPE

organisation: ORG-nrRL1-RIPE
org-name: "Domain names registrar REG.RU", Ltd
org-type: LIR
address: Office 326, house 3, Vassily Petushkova st.
address: 125476
address: Moscow

Note that this range was modified only days before these messages went out (last-modified: 2017-05-11T10:21:02Z).

Historically, this network operator has had a reputation for hosting malicious actors, with plenty of "Cheap Canadian Meds" spammers setting up shop there. What is notable in this campaign is that the emails even carry official government logos to fool unsuspecting victims.

We suggest you spread the word, especially to older and more vulnerable Internet users: do NOT believe these tickets, and do NOT click on any links in the messages. A quick check anyone can do is to hover over the link and compare the real destination with the text shown; here the text says cbsa-asfc.gc.ca, but the destination is a google.com redirect to an unrelated site. Real Canadian agencies do not email fines with a "download photo" link.
