From: The Financial Times [mailto:ft448516@surveymonkey.com]There are no links in the email apart from a mailto: for the email address, and there are no attachments. The email was sent to a UK user and concerns a matter specific to people in the UK, so it appears to be targeted in some way.
Sent: Thu 07/11/2013 18:58
Subject: We value your opinion and we need your help
Dear British businessman,
We at the Financial Times are doing a survey among British business owners and managers regarding Euroscepticism.
As you are currently aware David Cameron on Monday confronted critics in his party who want to withdraw from the EU and close Britains borders, arguing there was no use hiding away from the world. And a lot more will follow.
We are contacting as many subscribers and people who commented on our business related articles to ask for their own opinion.
If you would like to be heard and help us build an article that will be on the first page in the next few weeks please help us.
Send us an E-mail at eu@ft-survey.com with the following information:
If your business is connected by import or export with the European Union, if it is Export please add us a few more details like what do you sell, or the services you provide;
What countries do you trade within the European Union;
Your opinion on Euroscepticism and the effect it has on your business;
Thank you so much for your help and contribution.
The Financial Times Survey Team,
eu@ft-survey.com
So, what's wrong with this email? Let's start by looking at the domain ft-survey.com which was registered just one day ago on 6th November to a registrant using the Panamanian privatewhois.net service to hide their details. The real Financial Times site at ft.com clearly identifies its owner. If you visit ft-survey.com (not recommended) then you get a 302 redirect to the legitimate ft.com website.
Next, ft-survey.com is hosted and receives mail on 204.188.238.143 which nominally belongs to some outfit called Sharktech in Las Vegas, but is actually suballocated to a customer in Pakistan:
%rwhois V-1.5:003eff:00 rwhois.sharktech.net (by Network Solutions, Inc. V-1.5.9.6)
network:Auth-Area:204.188.192.0/18
network:Class-Name:network
network:OrgName:AlfainHost
network:OrgID;I:MADIH-ULLAH-RIAZ
network:Address:Clifton Court #16
network:City:Karachi
network:StateProv:Sindh
network:PostalCode:74400
network:Country:PK
network:NetRange:204.188.238.140 - 204.188.238.143
network:CIDR:204.188.238.140/30
network:NetName:AlfainHost-204.188.238.140
network:OrgAbuseHandle:MADIH-ULLAH-RIAZ
network:OrgAbuseName:ABUSE department
network:OrgAbusePhone:923218913810
network:OrgAbuseEmail:madihrb@alfainhost.com
network:OrgNOCHandle:NOC2002-ARIN
network:OrgNOCName:Network Operations Center
network:OrgNOCPhone:+1-312-846-7642
network:OrgNOCEmail:abuse@sharktech.net
network:OrgTechHandle:TMT-ARIN
network:OrgTechName:Tim Timrawi
network:OrgTechPhone:+1-312-846-7642
network:OrgTechEmail:timt@sharktech.net
network:RegDate:20130723
network:Updated:20131106
It would be unlikely that the Financial Times would be using such a small outfit. Furthermore, 204.188.238.143 appears to contain a number of scam domains that look like phishing or money mule recruitment sites, as indeed does the entire 204.188.238.140/30 block.. more of which below.
The email headers are also suspect, and appear to show an originating IP of 94.21.75.226 (A Digi Ltd Customer in Hungary) mis-using a PHP script on rockyourworldsummit.com 66.147.242.87 (Unified Layer, US) which then bounces mail through a mailserver on 67.222.51.224 (also Unified Layer).
Received: from oproxy14-pub.mail.unifiedlayer.com (HELO oproxy14-pub.mail.unifiedlayer.com) (67.222.51.224)
by [redacted] with SMTP; 7 Nov 2013 18:59:02 -0000
Received: (qmail 24735 invoked by uid 0); 7 Nov 2013 18:59:00 -0000
Received: from unknown (HELO box487.bluehost.com) (66.147.242.87)
by oproxy14.mail.unifiedlayer.com with SMTP; 7 Nov 2013 18:59:00 -0000
Received: from localhost ([127.0.0.1]:41772 helo=box487.bluehost.com)
by box487.bluehost.com with esmtp (Exim 4.80)
(envelope-from <bigspark@box487.bluehost.com>)
id 1VeUnD-0006y7-Se
for [redacted]; Thu, 07 Nov 2013 11:58:59 -0700
Date: Thu, 07 Nov 2013 11:58:59 -0700
To: [redacted]
Subject: We value your opinion and we need your help
X-PHP-Script: www.rockyourworldsummit.com/wp-content/editor/help-text.php for 94.21.75.226
From: The Financial Times <ft448516@surveymonkey.com>
Reply-To: <ft448516@surveymonkey.com>
Message-ID: <c06381c27d6d17e9f0e266ea45bae788@live.com>
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Identified-User: {:box487.bluehost.com:bigspark:box487.bluehost.com} {sentby:program running on server}
X-OriginalArrivalTime: 07 Nov 2013 19:03:53.0922 (UTC) FILETIME=[1A3BE220:01CEDBEC]
The domains hosted on 204.188.238.140/30 look rather phishy and spammy, download the report here in a CSV file. WOT ratings indicate low trustworthiness, Google has identified a number of malware and phishing sites and the SURBL codes also indicate some spam and malware. However, a look at some of the domains in use will lead you in no doubt that there are a large number of phishing domains hosted in this block. I would strongly recommend that you block it.
Quite what the point of this spam is I do not know, however I suspect that answering the so-called survery will open you up to other attacks including spear phishing.
No comments:
Post a Comment