Shaw offering Free Broadband for a Year? Or a Phisher?
Comments Off | Hot: |  |  | | | |
Really? A FREE YEAR of Broadband?!? Nobody gives away a free year…
Recently I’ve received copies of a Phishing Attempt that looks like it’s from Shaw (a cable/internet/telephone service company in Canada). This phishing attempt is congruous to the Ebay and banking phishes of the recent past, in that it actually does NOT resemble a ‘real’ email, rather a fictional email to get people excited, in this case instead of warning the user it attempts a positive reaction from “getting free internet for a year”. Whoopie! A years worth of internet from Shaw isn’t that expensive. Phishing attempts are typically NOT viral or malware orientated but certainly can and do use such methods. In this case it looks like a standard email spam sent via exploited web sites.
This is a sophisticated method. It uses a similar style as Shaw uses in their correspondence and uses a legit; if inappropriate, email address. The email was generated and sent using multiple methods so tracking it will be harder to accomplish. Additionally, I shall show the details of the spam and my analysis. Our whois data will be included in the rest of the article.
First off, I will advise of the RED FLAGS in this phishing attempt
#1- “A Free Year of Broadband” – This doesn’t make sense. Shaw has trademarks and service marks that it would use to advertise it’s broadband internet service. Only someone ignorant of Shaw’s trademarks would say this. It’s really unlikely anyone who really works for Shaw would make this error.
#2 – Canadian Law states that any ‘contest’ or ‘giveaways’ contain details of said event. In most cases it’s prudent to disclaim whether or not the contest is allowed in Quebec, since the law is vastly different, and Quebec law generally does NOT allow this type of Contest. (disclaimer: I’m in no way a lawyer, but I am aware of consumer rights.). Missing the disclaimer is a definite flag
#3 – The email that is seen in the From: header is not a normal Shaw correspondence email account.
#4 – The link clearly shows a ‘secure’ link, but in no way is it going to a ‘secure’ site.
#5 – Typical email headers (on email from Shaw) missing
So just upon a quick review of this email we can deduce that it’s not a valid email. To get more pertinent details I’ll analyze these email in detail. I won’t paste the email headers in entirety, any ambiguity will be displayed by ‘XXXXXXXX’, to avoid email harvesting, but I will show you what details were more noteworthy.
The return-path was interesting. One was:
apache@utel16.besthosting.com.ua
, the other one was:
nobody@omega.omc.net
This would indicate to me that the web server sent this email, and in typical hosting fashion, it would be doing so via script on one of the hosts or virtual hosts on the system.
None of the received headers would indicate anything unexpected here, “omega” even has SSL/TLS
enabled but verify set to no.
The header in one of the emails is very interesting:
Date: Thu, 08 Nov 2007 20:49:28 +0200
From: “Shaw Communications Inc.” service@shaw.ca
Subject: Win a year of free broadband
To: XXXXXXX@shaw.ca
Reply-to: service@shaw.ca
Message-id: XXXXXXXXXXXXXXXXX@utel16.besthosting.com.ua
MIME-version: 1.0
Content-type: text/html
X-PHP-Script: 213.186.117.120/~loveterra/indexzz.php for 82.208.212.146
Date and time indicates a East European Time zone. I know Shaw doesn’t have any servers in Europe…
The X-PHP-Script header shows a very interesting detail of where this email came from. We’ll come back to this IP in a bit. But this is a key indicator of an exploited web site on a hosting company or something similar. This IP definitely hosts a web server, and with the above mentioned user account, but at time of checking this link generated a error.
The for address 82.208.212.146 is interesting as it resolves to:
whois -h whois.geektools.com 82.208.212.146 …
GeekTools Whois Proxy v5.0.4 Ready.
Final results obtained from whois.ripe.net.
Results:
% This is the RIPE Whois query server #1.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
% Note: This output has been filtered.
% To receive output for a database update, use the “-B” flag.
% Information related to ’82.208.212.0 – 82.208.212.255′
inetnum: 82.208.212.0 – 82.208.212.255
netname: ITSOLUTIONSNET
descr: ITSolutions, Obrenoviceva 124 4/10
descr: 18000 Nis
descr: Serbia and Montenegro
country: CS
admin-c: IS1188-RIPE
tech-c: AZ919-RIPE
status: ASSIGNED PA
mnt-by: PTTSRBIJANET-MNT
source: RIPE # Filtered
person: Ivan Stankovic
address: ITSolutions
address: YU
e-mail: i.stankovic@my-its.net
phone: +38118512796
fax-no: +38118512797
nic-hdl: IS1188-RIPE
source: RIPE # Filtered
person: Aleksandar Zakic
address: ITSolutions NET
address: CS
e-mail: a.zakic@my-its.net
phone: +381-63-222-361
fax-no: +381-18-512-797
nic-hdl: AZ919-RIPE
source: RIPE # Filtered
% Information related to ’82.208.192.0/19AS13091′
route: 82.208.192.0/19
descr: JP PTT Srbija
descr: PTT Srbija Net
origin: AS13091
mnt-by: PTTSRBIJANET-MNT
source: RIPE # Filtered
Results brought to you by the GeekTools WHOIS Proxy
Server results may be copyrighted and are used with permission.
Reviewing the other IP address of the X-PHP-Header gives us this info:
whois -h whois.geektools.com 213.186.117.120 …
GeekTools Whois Proxy v5.0.4 Ready.
Final results obtained from whois.ripe.net.
Results:
% This is the RIPE Whois query server #3.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
% Note: This output has been filtered.
% To receive output for a database update, use the “-B” flag.
% Information related to ’213.186.117.0 – 213.186.117.143′
inetnum: 213.186.117.0 – 213.186.117.143
netname: UTEL-DC5
descr: Utel DataCenter networks. Colocation
country: UA
admin-c: UNOC-RIPE
tech-c: UNOC-RIPE
status: ASSIGNED PA
mnt-by: AS6877-MNT
remarks: INFRA-AW
source: RIPE # Filtered
role: Utel NOC
address: 101, Volodymyrska str.
address: 01033, Kyiv, Ukraine
phone: +380 44 2359001
fax-no: +380 44 2304560
e-mail: noc@utel.net.ua
admin-c: OLE-RIPE
tech-c: BES100-RIPE
tech-c: OLE-RIPE
tech-c: JIM-RIPE
tech-c: ALT-RIPE
tech-c: UHM-RIPE
nic-hdl: UNOC-RIPE
mnt-by: AS6877-MNT
source: RIPE # Filtered
% Information related to ’213.186.112.0/20AS16124′
route: 213.186.112.0/20
descr: Utel DataCenter, Ukraine
origin: AS16124
mnt-by: AS6877-MNT
source: RIPE # Filtered
Results brought to you by the GeekTools WHOIS Proxy
Server results may be copyrighted and are used with permission.
So, it looks like someone possibly in Serbia and Montenegro, ran a cross site script residing on a server in the Ukraine, against utel16.besthosting.com.ua which sent the email. One would actually have to test this out, which I have not done to confirm this. This is a dangerous step I decided to avoid for brevity.
[page_break]Looking at another similar email we see:
Date: Tue, 06 Nov 2007 23:24:54 +0100 (CET)
From: “Shaw Communications Inc.”
Subject: Win a year of free broadband
To: XXXXXXXXX@shaw.ca
Reply-to: service@shaw.ca
Message-id:
MIME-version: 1.0
Content-type: text/html
X-Authentication-warning: omega.omc.net: Host localhost.omc.net (127.0.0.1)
claimed to be omega.omc.net
But we can see the authentication warning from this server. No detail unfortunately.
Regardless, the viewable content of these two emails is identical, including an ‘offical’ Shaw footer to further reinforce it’s legitimacy, but it’s futile. These are NOT from SHAW.
The content included in plaintext: However to ensure not even ‘google’ browses the evil link from our site I have sanitized it so it breaks. Details to fix will be below the actual email content:
Content-Transfer-Encoding: 8bit
src=”http://www.shaw.ca/NR/rdonlyres/A6D66548-142E-47F8-AF4A-3CEE597378BC/0/logo.gif” align=baseline
border=0>
.win a year of free broadband
To access this survey, and register for relevant offers
from Shaw Communication Inc. please take a minute to register by using the link below.
After downloading and installing the file below, you will
be taken to Shaw Communication Inc. survey.
https://secure.shaw.ca/apps/secure/vhub/Survey.exe
2007 Shaw Communications. All Rights Reserved.
209.85.15.18 is the address removed above with “Removed.example.com”. This address resolves to:
11/09/07 14:19:19 whois 209.85.15.18@whois.geektools.com
whois -h whois.geektools.com 209.85.15.18 …
GeekTools Whois Proxy v5.0.4 Ready.
Final results obtained from whois.arin.net.
Results:
OrgName: Everyones Internet
OrgID: EVRY
Address: 390 Benmar
Address: Suite 200
City: Houston
StateProv: TX
PostalCode: 77060
Country: US
ReferralServer: rwhois://rwhois.ev1servers.net:4321/
NetRange: 209.85.0.0 – 209.85.127.255
CIDR: 209.85.0.0/17
NetName: EVRY-BLK-15
NetHandle: NET-209-85-0-0-1
Parent: NET-209-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.EV1SERVERS.NET
NameServer: NS2.EV1SERVERS.NET
Comment:
RegDate: 2005-12-14
Updated: 2006-11-28
RAbuseHandle: ABUSE477-ARIN
RAbuseName: Abuse Department
RAbusePhone: +1-713-579-2850
RAbuseEmail: abuse@ev1servers.net
RNOCHandle: NOC1445-ARIN
RNOCName: Noc
RNOCPhone: +1-713-579-2850
RNOCEmail: noc@ev1servers.net
OrgAbuseHandle: ABUSE271-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-214-782-7802
OrgAbuseEmail: abuse@theplanet.com
OrgNOCHandle: NOC1445-ARIN
OrgNOCName: Noc
OrgNOCPhone: +1-713-579-2850
OrgNOCEmail: noc@ev1servers.net
OrgTechHandle: VST3-ARIN
OrgTechName: Stinson, Valarie
OrgTechPhone: +1-713-579-2850
OrgTechEmail: admin2@ev1servers.net
# ARIN WHOIS database, last updated 2007-11-08 19:10
# Enter ? for additional hints on searching ARIN’s WHOIS database.
At this point this site seems to be up. Anyone receiving any email similar to this should simply delete it.
If you think it really is legit, call Shaw directly and ask them BEFORE you click on the link. I feel this analysis is accurate and is limited in it’s conclusions. However I hope it serves to help or assist any other who seeks to eliminate phishers, and other scammers.
Security
broadband internet service, claim, copy, data, download, EAC, ebay, email, error, file, fix, free broadband, geektools, google, gui, install, ivan, law states, malware, method, methods, OS, pertinent details, phish, phisher, phishing, proxy, red flags, ripe whois, scam, site, solution, sophisticated method, spam, ssl, system, telephone service company, update, whois data, whois query
