A scam in seven stages

[Blue Mountain]

For some reason this is causing a re-direct when we view it in the mod only section so having to nuke the content. I have saved a plain text copy of the contents if you want it. Worked out the problem - restored the original text.

Posted By:Darat

This morning I received an email purporting to be a communication from the Canada Revenue Agency. It turned out to be scam trying to gather credit card information. But it took a rather roundabout way of getting there ...


Stage 1: The email message

Quote:

From: Agence du Revenu du Canada / Canada Revenue Agency <centre@psycho-solutions.qc.ca>
To: blue_mountain@internationalskeptics.com
Date: 2022-05-06 3:01 A.M.

Bonjour blue_mountain@internationalskeptics.com

Nous vous invitons à prendre connaissance du document ci-joint et d’y donner suite s’il y a lieu.

Cliquez le lien suivant : canada.ca/agence-revenu/services/impot/particuliers/Doc/

Code d’accès Document : 031187

Pour tout renseignement additionnel, n’hésitez pas à communiquer avec nous.


AVIS DE CONFIDENTIALITÉ _
Ce message peut contenir de l’information légalement privilégiée ou confidentielle. Si vous n’êtes pas le destinataire ou croyez avoir reçu par erreur ce message, nous vous saurions gré d’en aviser l’émetteur et d’en détruire le contenu sans le communiquer à d’autres personnes ou le reproduire.

Vous ne souhaitez pas recevoir par messagerie électronique de l’information sur les produits et services, les nouveautés, les offres spéciales et les promotions de La Capitale? Retirez votre consentement

A red flag here: the greeting line uses the mail address. Actual correspondence from the CRA would use either “Cher Blue” or “Monsieur, Madame”. The URL is also subtly wrong; for the French version of the CRA the URL is www.canada.ca/fr/ ...

Partial translation:

Quote:

We invite you to read the attached document and follow up if necessary.

Click the following link: canada.ca/revenue-agency/services/tax/individuals/Doc/

Document access code: 031187

For any additional information, do not hesitate to contact us.

Stage 2: The PDF

The URL above actually pointed to https://t.co/ec0UVVXwZQ. It served up a PDF that required a password to open, said password being 031187. The text of the PDF was as follows:

Quote:

Notification d’impôts Remboursement

Après les derniers calculs annuels de l’exercice de votre activité, nous avons déterminé que vous êtes admissible à recevoir un remboursement d’impôt de 486,40 C Veuillez nous soumettre s’il vous plait la demande de remboursement d’impôt pour nous permettre de la traiter dans le plus bref délai (le délai de traitement est de 10 jours ouvrable)

Pour accéder au formulaire de votre remboursement d’impôt

J E C O N S U L T E L E S D É M A R C H E S A S U I V R E

Un remboursement peut être retardé pour diverses raisons. Par exemple la soumission de dossiers non valides ou inscriptions après une certaine limite.

Translation:

Quote:

Tax Notification Refund

After the final annual calculations for your business year, we have determined that you are eligible to receive a C486.40 tax refund. Please submit the tax refund request to us so we can to process it as soon as possible (the processing time is 10 working days.)

To access your tax refund form:

I CONSULT THE STEPS TO FOLLOW

A refund may be delayed for various reasons. For example submitting invalid records or registrations after a certain limit.

This is a huge red flag. The CRA doesn't need anyone to fill out a “tax refund form.” It automatically sends refunds once the return has been processed, via direct deposit if it has information on file, or by mailing a cheque to the address specified on the taxpayer's return.


Stage 3: The redirect

The link at “JE CONSULTE LES DÉMARCHES A SUIVRE” went to https://www.washtogo.ae/wp-content/DE.html.

That, in turn, consisted only of a <meta> tag:

Code:

<meta http-equiv="refresh" content="0;URL=https://pdf.name/canada/MyCra/">

Stage 4: The remarkably simple CAPTCHA

The page above redirected to https://pdf.name/canada/MyCra/confirmation.php, which asked for a CAPTCHA that was remarkably easy to read, and consisted of the text 031187 (the same as the password on the PDF.) The same number appeared regardless of the nummber of times the page was reloaded. At least it verified the input; entering anything other than 031187 returned an error.


Stage 5: The fake login page

It then redirected to the following URL:

Quote:

https://pdf.name/canada/MyCra/v1/A_information.php ?customer_LoginCMD=362 &session=2949842498498448554554

Trying with a differnt browser showed a different customer_LoginCMD but an identical session number. Playing around with those numbers didn’t seem to break anything.

Chromium recognized the page was in French and asked if I wanted it translated. Because I can puzzle out only about 30% of any given French text, I chose English. The page read:

Quote:

Access my Customer Area

Email Address: [__________________________________________________]

Password: * [__________________________________________________]

[_] Remember my email address

[Open Session]

© Canada, 1996-2022 All rights reserved. _
Legal | Terms and Conditions | Privacy

The three links at the bottom (Legal, Terms and Conditions, Privacy) all returned me to the above page. Not very sophisticated.

Needless to say, no matter what I used for an email address (aragorn@minas-tirith.gondor.me) or password (valaquenta) I was let in.


Stage 6: Credit card information

The login redirected to (spaces added for readability):

Quote:

https://pdf.name/canada/MyCra/v1/B_information.php ?enc=eac16c8cffa2436d0eb04e11ede2cc10 &p=0 &dispatch=1d35cc0886aa4ea87f6966f95160fbc9df193 f60 &session=eac16c8cffa2436d0eb04e11ede2cc10

Like the page in stage 5, I got the same page back regardless of any changes to the CGI values:

Quote:

[Logo] Safe & Secure

Refund Information

! You must add an account to receive your refund

All fields are mandatory.

Cards Accepted: [Image:VISA] [Image:MasterCard] [Image:American Excress]

Last name and first name: [Enter your full name]

Bank card number: [Enter your card number]

Expiration date: [Format: 05 / 23]

CVV / CVC: [***]

Phone number: [Enter your phone number]

[Submit]

© Canada, 1996-2022 All rights reserved. _
Legal | Terms and Conditions | Privacy

The page accepted without question any set of random numbers I put in for the credit card number, such as 4504 0000 0000 0000. That indicates the programmers didn’t attempt to validate the check digit, which is the final digit of the card number and is computationally dervied from the other 15. Nor did it catch the fact I entered an expiry date from last year.


Stage 7: The frustrating 3D Secure confirmation page

The credit card information page redirected to https://pdf.name/canada/MyCra/v1/D_information.php, with CGI parameters &name=, &email=, &card number=, &phone=, &bank= (the programming was advanced enough to, sometimes, figure out the name of the issuing bank from the card number.)

It displayed a facsimile of a 3D Secure verification page:

Quote:

3D Secure
Safety Online

Complete this authenticating by entering the confirmation code received on your phone or email.

Complétez cette authentification en entrant le code de confirmation reçu sur votre téléphone ou par e-mail.

Bank Name (if the processing was able to figure it out)

Name on card: [text passed in name=]

Card Number: [text passed in card_number=, all but last 4 X’d out]

Date & time: [from the server clock, GMT]

Phone: [text passed in phone=, all but last 4 *d out]

Verification Code / Code de vérification: [__________]

Of course, no matter the content entered for the Verification Code, the page always returned:
Error: The verification code you entered does not match our records. Please try again.

As a test, I gave a little-used email address I have at ProtonMail to see if the site was sophisticated enough to actually send a validation code, but never received a message.


Analysis: pretty good, but there are holes

The most glaring thing I saw the page that gathers credit card information performed only the most rudimentary checks on the entered information. It did check for empty fields, letters where there should have been numbers, and the length of the credit card number. But it didn't validate the check digit on the credit card, nor did it catch an expired card.

As of the time I created this thread all the links are still working. I encourage as many of you as possible to play with this and give them a boat load of bad information.

[Trebuchet]

You are bolder than I.
I wouldn't have clicked the pdf.

[Blue Mountain]

Originally Posted by Trebuchet

You are bolder than I.
I wouldn't have clicked the pdf.

It's an advantage I have running Linux and possessing a thorough understanding of how the operating system works. If I'm really paranoid I can set up a virtual machine and work inside that. Even if there's any malware in the PDF that could attack a Linux OS, likely the worst it would do is infect the VM. The danger would be short lived because I'd destroy the VM after checking things out.

[Darat]

I'm going to have to nuke your opening post - really sorry but it is causing a redirect in the mod section when we try and view it.

Posted By:Darat

[Skeptical Greg]

I get this sort of thing all the time..

The last one looked like a real Wells Fargo security check.. The only problem is, I don't have a Wells Fargo account of any kind.

Sometimes I click through them and provide a lot of BS information.

[Blue Mountain]

Originally Posted by Skeptical Greg

I get this sort of thing all the time..

The last one looked like a real Wells Fargo security check.. The only problem is, I don't have a Wells Fargo account of any kind.

Sometimes I click through them and provide a lot of BS information.

This particular scam got a lot of BS information from me because I was probing the system to see how it worked.

[marting]

Many years ago I got a phishing email from my broker who's email had been hacked. It had my name, not just email so I was curious. Set up a VM and followed the links. First was to Turkey which then went to a Russian site where they tried to collect credit card info.

Fun times.

I alerted my broker and changed brokerages.

[psionl0]

Originally Posted by Blue Mountain

Stage 1: The email message

Quote:

From: Agence du Revenu du Canada / Canada Revenue Agency <centre@psycho-solutions.qc.ca>

Just that line alone screams DELETE THIS EMAIL!!!!!

No government web site would be hosted on "psycho-solutions".

[Blue Mountain]

Originally Posted by psionl0

Just that line alone screams DELETE THIS EMAIL!!!!!

No government web site would be hosted on "psycho-solutions".

Indeed. The distressing thing is most email clients out there actively hide critical information like this, so all one sees is the sender's name and not the email address.

Mind you, it's trivially easy to show an equally fake "from" email address and hide the address where replies will be sent in a "Reply-To:" header.

Worse is when email clients make it difficult to view all the headers. I use Thunderbird, and all I need to do is press Ctrl-U to the view complete header list.

[Lothian]

Originally Posted by psionl0

Just that line alone screams DELETE THIS EMAIL!!!!!

No government web site would be hosted on "psycho-solutions".

Most Government employees that I know do belong in a psycho solutions environment

[Gord_in_Toronto]

Originally Posted by Lothian

Most Government employees that I know do belong in a psycho solutions environment

The scammers are using a legitimate domain of a real company in Quebec.

[psionl0]

Originally Posted by Blue Mountain

Indeed. The distressing thing is most email clients out there actively hide critical information like this, so all one sees is the sender's name and not the email address.

Mind you, it's trivially easy to show an equally fake "from" email address and hide the address where replies will be sent in a "Reply-To:" header.

Worse is when email clients make it difficult to view all the headers. I use Thunderbird, and all I need to do is press Ctrl-U to the view complete header list.

I get phishing emails all the time and the vast majority don't even try to look authentic. I guess that they get enough hits from suckers to make the extra effort superfluous.

Even if they manage to look authentic, hovering over the link usually gives the game away. And remember, your banker/taxman/etc will not provide a link in the email for you to click. You are supposed to log in to their website in the usual way.

[Blue Mountain]

Originally Posted by psionl0

I get phishing emails all the time and the vast majority don't even try to look authentic. I guess that they get enough hits from suckers to make the extra effort superfluous.

Even if they manage to look authentic, hovering over the link usually gives the game away. And remember, your banker/taxman/etc will not provide a link in the email for you to click. You are supposed to log in to their website in the usual way.

With more and more people reading email on smartphones and tablets, I'm not sure even this option is available. However, on these devices I believe a long press on a link will pop up a dialogue showing the actual URL. But how many people know that's possible, and how many can tell a good URL from an obviously fake one?

Also, banks and government institutions are trying to educate people about how they send emails, and not providing links in them. But often these messages are on their web sites, in areas that many may not visit often.

[bigred]

Email scams always remind me fondly of the ebola monkey man. So sad his site is gone.

I never bother opening emails which I'm not expecting, they are all treated as spam. Similarly I never answer phone calls from an unknown number.

[Blue Mountain]

And they're back! This time it's for a parcel Canada Post wants to deliver. Very much same spiel, including a link to a PDF in the email, except this time it isn't encrypted. The correspondence is in English this time, but it's a bit broken; it looks strongly like it was Google-translated from French to English.

Originally Posted by Scammer's PDF

We will deliver your parcel

Your package N°20*****489 will not be delivered today.





Your package cannot be delivered today due to an exceptional situation beyond our control or because access to the delivery address is impossible.
The information at our disposal did not allow us to ensure delivery.



The information at our disposal did not allow us to ensure delivery.

To organize the second presentation,




Track this parcel

Shipment details

Service type: Expedited Parcels
Reference number: 4006318549534132
© Post Corporation

LOL! The linked-to page is headed Authentification, which is apparently common in Europe and and India, but is practically unheard of in North America. It's supposed to be a CAPTCHA, and uses the same super-easy-to-read sequence 031187 as the previous round. Although it's formatted to look like a Google ReCAPTCHA, it looks like a CAPTCHA from ten or fifteen years ago.

The "Profile Information" page didn't ensure the user checked the "I have read and agree with the Canada Post Terms and Conditions" box.

They still want full credit card information because apparently having the shipper pay all the costs for sending a package through the mail isn't enough for Canada Post; they still need $2.99 for an unspecified reason.

Two additional anomalies: The page that asks for credit card information has the heading Complet Your Profile," and the name and address information asks for a "Zip Code." We don's use ZIP codes in Canada. The page did, however, supply a hint in the correct format A1A 1A1.

[Gord_in_Toronto]

Originally Posted by Blue Mountain

And they're back! This time it's for a parcel Canada Post wants to deliver. Very much same spiel, including a link to a PDF in the email, except this time it isn't encrypted. The correspondence is in English this time, but it's a bit broken; it looks strongly like it was Google-translated from French to English.




LOL! The linked-to page is headed Authentification, which is apparently common in Europe and and India, but is practically unheard of in North America. It's supposed to be a CAPTCHA, and uses the same super-easy-to-read sequence 031187 as the previous round. Although it's formatted to look like a Google ReCAPTCHA, it looks like a CAPTCHA from ten or fifteen years ago.

The "Profile Information" page didn't ensure the user checked the "I have read and agree with the Canada Post Terms and Conditions" box.

They still want full credit card information because apparently having the shipper pay all the costs for sending a package through the mail isn't enough for Canada Post; they still need $2.99 for an unspecified reason.

Two additional anomalies: The page that asks for credit card information has the heading Complet Your Profile," and the name and address information asks for a "Zip Code." We don's use ZIP codes in Canada. The page did, however, supply a hint in the correct format A1A 1A1.

I stared at a similar one (in French) for a time. As it did not have my home address I knew immediately that it was a spoof -- I mean, if they are trying to deliver it, they should know where it is supposed to be going to. The sender address was something like the Canada Post addy but had reversed "canada" and "post".

I never open my email in HTML; always in text first.

[Lukraak_Sisser]

When I was working a job with more downtime I used to keep track of the spam messages I got, it was fun to see them drop whenever a botnet was taken down.

Nowadays most spam I get contains 20+ emoticons in the message header or informs me of the vast amounts of Bitcoin I'm supposed to have. A bit bland really.

[novaphile]

Very interesting.

I don't think I ever see spam emoticons anywhere, so it's likely that my ISP (and employer) are doing a lot of work to stop that stuff from getting to me.

I do get a lot of spam in Spanish that mentions 'ERP Industria' in the title or body.

I suspect that this is because ERP appears somewhere in my LinkedIn profile...