We are not sure whether they are targeting everyone or whether Canadians are being singled out, but on the heels of the recent parking ticket scams, the same kind of actors are now sending out fake speeding ticket spam. And while we can’t really point at recent political events, it is interesting that this originates from a large Russian hosting company which either allows these types of attacks or cannot prevent them.
First of all, let’s give an example of these types of attacks/scams:
Subject: RCMP Notice, 5752946CA, firstname.lastname@example.org
Hello Dear, email@example.com
You have been detected with a speed violation:
Type: negligent driving
Registered No: 67947595898
Date of issue: May 11, 2017
Amount due: 57.83 CAD
Download Photo and Invoice Proof 866435899925 http://cbsa-asfc.gc.ca/71371CA/76825.gif
The fine shall be accredited within the statutory period off up to June 21, 2017.
This is an automatically created message, please do not reply.
When you look at the source of the message, you will see the same pattern used by the parking ticket scammers: they obfuscate certain vowels in an attempt to get around various spam filters, and they use the Google Search redirect URL (google.com/url?q=...) to send you on to their websites while the visible link text shows a different, official-looking address.
<A=20 href=3D"https://www.google.com/url?hl=3Dru&q=3Dhttp://geneseevalleyems.or= g&source=3Dgmail&ust=3D1495294112851000&usg=3DAFQjCNH1kkVzaaQ-y3dqXbd2xke= kPZ8RFQ#yzntszdz">http://cbsa-asfc.gc.ca/71371CA/76825.gif</A></DIV>
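As an added defender-side example (not code from the original post), the following Python script decodes a quoted-printable HTML fragment shaped like the one above, unwraps the google.com/url?q= redirector to the real destination, and flags anchors whose visible URL points at a different host than the one the click actually lands on. The lure hostname example-lure.test is a constructed placeholder, not the scam's real redirect target.

```python
import quopri
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample in the same shape as the scam's quoted-printable HTML source;
# the lure host "example-lure.test" is a placeholder, not the real redirect target.
RAW_QP = (
    '<DIV><A=20 href=3D"https://www.google.com/url?hl=3Dru'
    '&q=3Dhttp://example-lure.test/76825.gif&source=3Dgmail#yzntszdz">'
    'http://cbsa-asfc.gc.ca/71371CA/76825.gif</A></DIV>'
)
KNOWN_REDIRECTORS = {"www.google.com": "q"}  # redirector host -> destination parameter

class LinkCollector(HTMLParser):
    # Collects (href, visible text) pairs for every <a> element.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def final_destination(url):
    """Unwrap a known open redirector (google.com/url?q=...) to its real target."""
    parsed = urlparse(url)
    param = KNOWN_REDIRECTORS.get(parsed.netloc.lower())
    target = parse_qs(parsed.query).get(param) if param else None
    return target[0] if target else url

def suspicious_links(raw_qp_html):
    """Return (shown_text, real_target) pairs whose visible host differs from
    the host the click actually lands on after the redirector is unwrapped."""
    html = quopri.decodestring(raw_qp_html.encode()).decode("utf-8", "replace")
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        real = final_destination(href)
        shown_host = urlparse(text).netloc.lower() if "://" in text else ""
        if shown_host and shown_host != urlparse(real).netloc.lower():
            findings.append((text, real))
    return findings
```

Running suspicious_links(RAW_QP) reports the gc.ca link text alongside the placeholder lure host, which is the mismatch a mail gateway or user-reporting tool would want to surface.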
So, where are these attacks coming from? Interestingly, they have chosen various throwaway domains registered under .us.
Received: from lifebackmichigan.us (HELO lifebackmichigan.us) (22.214.171.124)
And just like the previous parking ticket scams, any request to that domain is quickly redirected to a second target, and then to a third, on which the actual malicious content is stored.
The actual IP is located in the following range:
inetnum: 126.96.36.199 - 188.8.131.52
netname: REGRU-NETWORK
descr: Reg.Ru Hosting
org: ORG-nrRL1-RIPE
country: RU
admin-c: ARP-RIPE
tech-c: RGRU-RIPE
status: ASSIGNED PA
mnt-by: AS2578-MNT
mnt-routes: REGRU-MNT
mnt-routes: SKYMEDIA-MNT
mnt-domains: REGRU-MNT
created: 2014-12-16T13:10:31Z
last-modified: 2017-05-16T09:19:30Z
source: RIPE
organisation: ORG-nrRL1-RIPE
org-name: "Domain names registrar REG.RU", Ltd
org-type: LIR
address: Office 326, house 3, Vassily Petushkova st.
address: 125476
address: Moscow
Note that this range was recently modified: last-modified: 2017-05-11T10:21:02Z
Historically, this network operator has had a reputation for hosting malicious actors on its network, with lots of ‘Cheap Canadian Meds’ spammers setting up shop there. What is interesting in this attack is that the emails even use official government logos to fool unsuspecting victims.
We suggest that you spread the word, especially to older and more vulnerable Internet users: do NOT believe these tickets, and do NOT click on any links contained in the messages.