Given all the ransom ware going around pretending to be an invoice from your Bank or your Service provider, you would think that a company the size of Sprint would make sure that the ‘invoices’ they send you would follow Best Practices, so no one could ‘forge’ similar messages in order to do account phishing, or deliver ransom ware.
Just had a report where an invoice from Sprint went into the Spam folder so decided to take a deeper look. And frankly, was pretty surprised. First of all, they use a 3rd party to send out invoices, and while not that uncommon, surprised even more, as that company should be an expert on safe email delivery.
The email connection came from IP Address 126.96.36.199, and “whois” for that IP address reveals it to be owned by ‘ZetaGlobal’, a company which just received these IP(s) on Nov. 15, 2017, something that would sound suspicious on it’s own. These were assigned from a company called “Quality Technology Services Santa Clara” (based out of Kansas).
And the hostname associated with that IP Address is ‘mh.nextel.m0.net’. At first blush, a domain ‘m0.net’ might even raise an eyebrow, and again since it isn’t related to Sprint, would make you think this is likely to be a forged email. Anyone can get a cheap domain, and add a host entry in, eg.. sprint.i-am-a-hacker.com, and we often see that type of attempt in ransom ware and phishing. So, why isn’t it a ‘sprint.com’ sub domain or host?
So, what happens if you go to http://m0.net, well you end up at the http://www.zetaimpact.com/ site, and of course nothing there about Sprint.
So who is the message from..
MAIL FROM address: [firstname.lastname@example.org]
Okay, I got an email from ‘sprintcustserv.com’, and that is enough to raise an eyebrow given all the fake domains that get registered pretending to be a big company. If you have a couple of dollars, I am sure you can register one that is close..
No match for “SPRINTONLINEBILLING.COM”.
But, even better, when I go to http://sprintcustserv.com, I end up at that Zeta Impact company again, and not Sprint operated site.. hmmmm..
Now, the reason that the email got marked as Spam, is that the IP was on several well known ‘DNSBL’ (Reputation Lists) . You ‘might’ expect that someone trying to send something as important as invoices would routinely monitor those lists, there are many low cost services that will do that for you and report if your IP address is on a blacklist (eg HetrixTools, or MXToolbox) especially if it is new IP Space. (It was on at least 3 we know of when the email was sent) but it could also have been caught by the various ‘spam filters’ who look for invoices from big name companies, that don’t actually come from their domains and/or IP Space.
If you are a Bank or a Large company, it is important that you CLEARLY identify your emails. If using a 3rd party, you still want to make sure that the PTR reflects your company domain, and that all information is clearly identifiable.
Otherwise the ‘bad boys’ are going to forge emails that look like yours, and your customers will fall for it.
Also, remember .. never click on an invoice if it isn’t something you are expecting, and if the sender doesn’t clearly identify themselves.