The IT Nerd

Last night I got a text message that got my attention. I snagged a screenshot of it for your viewing pleasure:

At first glance it looks like an Interac e-Transfer. And it comes from a Ontario area code to make it look legit. Except that when you look closer, specifically under the words “Deposit your INTERAC e-Transfer” you see a domain called frontsolut-1.com. That’s important because Interac has never used that domain. Besides, I am pretty sure that Interac doesn’t use GoDaddy to register their domains. Because when I ran the domain in question through the Whois database on GoDaddy, I found this:

Domain Name: FRONTSOLUT-1.COM
Registry Domain ID: 2247282825_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Update Date: 2018-04-03T01:30:36Z
Creation Date: 2018-04-03T01:30:36Z
Registrar Registration Expiration Date: 2019-04-03T01:30:36Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: REDACTED 
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited http://www.icann.org/epp#clientUpdateProhibited
Domain Status: clientRenewProhibited http://www.icann.org/epp#clientRenewProhibited
Domain Status: clientDeleteProhibited http://www.icann.org/epp#clientDeleteProhibited
Registry Registrant ID: 
Registrant Name: Dean Ataman
Registrant Organization: 
Registrant Street: REDACTED
Registrant City: Belle River
Registrant State/Province: Ontario
Registrant Postal Code: REDACTED
Registrant Country: CA
Registrant Phone: REDACTED
Registrant Phone Ext:
Registrant Fax: 
Registrant Fax Ext:
Registrant Email: REDACTED
Registry Admin ID: 
Admin Name: Dean Ataman
Admin Organization: 
Admin Street: REDACTED
Admin City: Belle River
Admin State/Province: Ontario
Admin Postal Code:REDACTED
Admin Country: CA
Admin Phone: REDACTED
Admin Phone Ext:
Admin Fax: 
Admin Fax Ext:
Admin Email: REDACTED
Registry Tech ID: 
Tech Name: Dean Ataman
Tech Organization: 
Tech Street: REDACTED
Tech City: Belle River
Tech State/Province: Ontario
Tech Postal Code: REDACTED
Tech Country: CA
Tech Phone: REDACTED
Tech Phone Ext:
Tech Fax: 
Tech Fax Ext:
Tech Email: REDACTED
Name Server: NS47.DOMAINCONTROL.COM
Name Server: NS48.DOMAINCONTROL.COM
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2018-04-03T12:00:00Z <<< 

Seeing as Interac is not located in Belle River Ontario, this is clearly fake. Thus validating that this is a scam. Even though I redacted some potentially personal information, that info is likely fake as well. Having said that, if Interac or law enforcement are interested in what I found, feel free to contact me and I’ll hook you up.

I decided to dig in a bit deeper to find out what this scammer was up to. So I copied the link to my test iPhone and clicked on it. I got this:

Oooooo. It looks like I am going to get some money. Well, actually no. If you look at the URL in the browser, it’s the same frontsolut-1.com address that I mentioned above. Clearly what this scam is counting on is that you won’t notice that. In the interest of science, I chose my financial institution and got this:

Now that’s a very good copy of the Canadian Imperial Bank Of Commerce website. To illustrate that, here’s the real Canadian Imperial Bank Of Commerce website:

It’s pretty close except that the domain frontsolut-1.com is still present. Again, the scammers are hoping that you won’t notice.

At this point it’s pretty clear what this is all about. This is an attempt to get your username and password to your online banking account so that the scammers can drain it dry. I have to admit that this is pretty crafty as if you’re not paying attention to things like the domain that is in use, you might fall for it. Thus my advice is to pay attention to any Interac e-Transfer that you get. Look for weird looking URLs and anything that doesn’t seem “normal.” If you receive a notification for an Interac e-Transfer that you weren’t expecting, contact the sender through a different communication channel to verify. If the notification comes from someone you don’t know, or you suspect it may be fraudulent, do not respond or click any links. Forward the email or take screenshots and forward those to phishing@interac.ca.

In the meantime, I am reaching out to Interac with all the info that I complied on this scam so that they can hopefully put an end to it. Or at least put it on their radar.

UPDATE: A new variant of this scam has appeared. I posted a few Tweets on it last week:

I’m going to assume that this is a scam. pic.twitter.com/XIJghcQMvm

— The IT Nerd (@The_IT_Nerd) January 25, 2019

Yep. Total scam. It’s a banking scam that steals your online banking credentials. The big hint is the fact that all the URLs are on a server that is at 142.93.205.79 regardless of what bank you pick.

cc: @interac pic.twitter.com/D4KoOZE1y9

— The IT Nerd (@The_IT_Nerd) January 25, 2019

I pinged Interac on this and got this response:

Thanks for flagging! I'll share with our Fraud Prevention Team.

— INTERAC (@INTERAC) January 27, 2019

So if you get a text message like this, it’s a scam. Just delete the message and carry on with your life.

This entry was posted on April 3, 2018 at 8:42 am and is filed under Commentary with tags Scam. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.