| | | Effective PR

Block mail purporting to originate from BankingInsuranceSecurities.com

BIScom Subsection: 
Author: 
Nigel Morris-Cotterill

It has come to our notice that one or more persons are fraudulently delivering e-mail purporting to come from BankingInsuranceSecurities.com. It is impossible for that mail to originate at that domain and you may safely blacklist it at server level. For more information, see below.

The fraud has interesting timing and holders of internet domains should be aware of a possible new threat to reputation. The threat does not, on the face of it, have any immediate cyber-security implications but there may be hidden dangers.

The top level domain bankinginsurancesecurities.com was created by Vortex Centrum Limited in or about 2006. Originally, there was a discrete website with that name. There were no e-mail accounts created for that domain. In 2016, BankingInsuranceSecurities was incorporated into PleaseBeInformed.com. Still, there were no e-mail accounts created for that domain. Recently, we have changed both the registrar and the server company for, amongst other accounts, BankingInsuranceSecurities.com. Still, no e-mail accounts have been created for that domain.

It is therefore impossible for any mail to have been sent from any address at BankingInsuranceSecurities.com.

As with all domains, we do have a "catch-all" service which by default receives and forwards to our systems administrators any mail sent to any purported address at that domain. Today, we received, via that catch-all, a mail marked "mail delivery failed: returning message to sender." That message came from an address at Web.de, an anonymous e-mail service in Germany.

The returned message says that the original message was from "Nelly Huber" - which is not a name anyone here has ever used. The e-mail address is five apparently random characters at the domain. That does not accord with our naming convention for any domain where we have issued addresses.

This is the header of the original message (we have removed the details of the account at our domain)

Received: from [212.227.15.17] ([212.227.15.17]) by mx-ha.web.de (mxweb011
[212.227.15.17]) with ESMTP (Nemesis) id 1MI6YF-1gKNRN2JfD-00F8Au for
; Sun, 28 Oct 2018 16:34:04 +0100
Received: from [212.227.15.17] ([212.227.15.17]) by mx-ha.web.de (mxweb011
[212.227.15.17]) with ESMTP (Nemesis) id 1MI6YF-1gKNRN2JfD-00F8Au for
; Sun, 28 Oct 2018 16:34:04 +0100
Received: from fastmail.fm ([216.227.120.191]) by mx-ha.web.de (mxweb011
[212.227.15.17]) with ESMTP (Nemesis) id 1MX0o9-1g5TRz2JY1-00XLmM for
; Sun, 28 Oct 2018 16:34:02 +0100
Received: by localhost; Sun, 28 Oct 2018 09:28:59 -0600
From: "Nelly Huber" <--------------------->
Reply-To: "Nelly Huber" <-------------------->
To: minpr@web.de
Cc: evi289@web.de, a.s.74@web.de, juergenmueller@web.de, johannesgass@web.de, kamich@web.de
Subject: Hallo
Date: Sun, 28 Oct 2018 19:31:59 +0400
Content-Transfer-Encoding: 7Bit
Content-Type: text/html;

what we think has happened

When domain information is changed, there is a public register of the names of those domains. Historically, that list has been plundered by fraudsters and spammers as a rich source of contact information and valid e-mail addresses. Since the advent of GDPR, many registrars no longer publish any contact information relating to domains. However, the list of new and amended domains, which of themselves contain no personal information, are still available.

What we think has happened is that fraudsters have adopted the long-standing practice of spoofing e-mail addresses (in the USA the .edu domain is especially prone to this) and sending mail from a server under their control. They are choosing recently modified domains because new domains should, other things being equal, expect no mail therefore returns are highly visible. Modified domains, however, often have spam-traps set up and returns of spam are likely to be stopped before they reach a human and the fraud will continue for longer before it is detected.

That will work in many cases. In our case, it failed because there cannot be any legitimate incoming mail for many of our dozens of domains and therefore an exception report is generated for any mail sent to any purported address in that mail.

So, we are sure that our systems have not been subject to any viable attack (we, like everyone else, are continually subjected to attacks of one kind or another) and we can be certain that the mail did not originate on our servers.

The next question is why? Well, here's one scenario: if mails purporting to come from a new or modified domain are sent to knowingly false addresses, they will bounce. While attachments may not be returned, the body of the original message is. It may be that the target of the fraud or malicious attack is not the original addressee but the system which, because it is or may be new, may not yet have full security precautions in place.

In short, it is the service from which the mail is purportedly sent that is the actual target.

It's an interesting double bluff. In the case of what came back to us, the message was sent in html and we do not view HTML mail as a security precaution. We do not, therefore, know exactly what is in the mail.

The primary purpose of this article is to inform that it is safe to blacklist mail from bankinginsurancesecurities.com because we do not originate mail from that domain. But it is also helpful to point out how the fraud originated and potential risks.

hahagotcha