Sponsored by..

Thursday, 7 November 2013

Fake "Financial Times Survey Team" spam / ft-survey.com and AlfainHost

This fake Financial Times spam is a bit of a mystery:

From: The Financial Times [mailto:ft448516@surveymonkey.com]
Sent: Thu 07/11/2013 18:58
Subject: We value your opinion and we need your help

Dear British businessman,

We at the Financial Times are doing a survey among British business owners and managers regarding Euroscepticism.

As you are currently aware David Cameron on Monday confronted critics in his party who want to withdraw from the EU and close Britains borders, arguing there was no use hiding away from the world. And a lot more will follow.

We are contacting as many subscribers and people who commented on our business related articles to ask for their own opinion.

If you would like to be heard and help us build an article that will be on the first page in the next few weeks please help us.

Send us an E-mail at eu@ft-survey.com with the following information:

If your business is connected by import or export with the European Union, if it is Export please add us a few more details like what do you sell, or the services you provide;
What countries do you trade within the European Union;
Your opinion on Euroscepticism and the effect it has on your business;

Thank you so much for your help and contribution.

The Financial Times Survey Team,
There are no links in the email apart from a mailto: for the email address, and there are no attachments. The email was sent to a UK user and concerns a matter specific to people in the UK, so it appears to be targeted in some way.

So, what's wrong with this email? Let's start by looking at the domain ft-survey.com which was registered just one day ago on 6th November to a registrant using the Panamanian privatewhois.net service to hide their details. The real Financial Times site at ft.com clearly identifies its owner. If you visit ft-survey.com (not recommended) then you get a 302 redirect to the legitimate ft.com website.

Next, ft-survey.com is hosted and receives mail on which nominally belongs to some outfit called Sharktech in Las Vegas, but is actually suballocated to a customer in Pakistan:

%rwhois V-1.5:003eff:00 rwhois.sharktech.net (by Network Solutions, Inc. V-
network:Address:Clifton Court #16
network:NetRange: -
network:OrgAbuseName:ABUSE department
network:OrgNOCName:Network Operations Center
network:OrgTechName:Tim Timrawi

It would be unlikely that the Financial Times would be using such a small outfit. Furthermore, appears to contain a number of scam domains that look like phishing or money mule recruitment sites, as indeed does the entire block.. more of which below.

The email headers are also suspect, and appear to show an originating IP of (A Digi Ltd Customer in Hungary) mis-using a PHP script on rockyourworldsummit.com (Unified Layer, US) which then bounces mail through a mailserver on (also Unified Layer).

Received: from oproxy14-pub.mail.unifiedlayer.com (HELO oproxy14-pub.mail.unifiedlayer.com) (
  by [redacted] with SMTP; 7 Nov 2013 18:59:02 -0000
Received: (qmail 24735 invoked by uid 0); 7 Nov 2013 18:59:00 -0000
Received: from unknown (HELO box487.bluehost.com) (
  by oproxy14.mail.unifiedlayer.com with SMTP; 7 Nov 2013 18:59:00 -0000
Received: from localhost ([]:41772 helo=box487.bluehost.com)
    by box487.bluehost.com with esmtp (Exim 4.80)
    (envelope-from <bigspark@box487.bluehost.com>)
    id 1VeUnD-0006y7-Se
    for [redacted]; Thu, 07 Nov 2013 11:58:59 -0700
Date: Thu, 07 Nov 2013 11:58:59 -0700
To: [redacted]
Subject: We value your opinion and we need your help
X-PHP-Script: www.rockyourworldsummit.com/wp-content/editor/help-text.php for
From:  The Financial Times <ft448516@surveymonkey.com>
Reply-To: <ft448516@surveymonkey.com>
Message-ID: <c06381c27d6d17e9f0e266ea45bae788@live.com>
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Identified-User: {:box487.bluehost.com:bigspark:box487.bluehost.com} {sentby:program running on server}
X-OriginalArrivalTime: 07 Nov 2013 19:03:53.0922 (UTC) FILETIME=[1A3BE220:01CEDBEC]

The domains hosted on look rather phishy and spammy, download the report here in a CSV file. WOT ratings indicate low trustworthiness, Google has identified a number of malware and phishing sites and the SURBL codes also indicate some spam and malware. However, a look at some of the domains in use will lead you in no doubt that there are a large number of phishing domains hosted in this block. I would strongly recommend that you block it.

Quite what the point of this spam is I do not know, however I suspect that answering the so-called survery will open you up to other attacks including spear phishing.

No comments: