Here’s An Email Based Shipping #Scam That Is Better Executed Than Most

So what is a shipping scam? It's one where you get an email, supposedly from a courier such as Canada Post, saying that you need to pay a trivial amount of money to get a package delivered. Here's an example of such a scam. What the threat actor is actually after is your credit card or banking details.

Usually the shipping scams I see aren't well executed. This one is. Let me start with the email you get, which is supposedly from Intelcom, a courier company here in Canada:

Now before I get to the nuts and bolts of this scam, note that this email is in both English and French, and the quality of both is pretty good. That's an indication that the threat actor behind this put some real time and effort into executing it. Here's another area where that is also true:

It actually uses an Intelcom email address rather than something like a Hotmail or Gmail address, because the threat actor is spoofing the domain: pretending the email came from a legitimate source makes the scam more likely to succeed. And I can tell you how the threat actor was able to do this.

This is MXToolbox, which I use to troubleshoot email deliverability issues. In the case of Intelcom, they publish a DMARC record but have no enforcing DMARC policy.

Here’s a closer look at that:

You can see that a DMARC record exists, but it carries no enforcing policy: in practice that means a policy of "none", which only asks receiving servers to send reports and tells them to do nothing with mail that fails authentication. In a way, Intelcom might as well not have bothered publishing the record, as it isn't protecting anyone. With a policy of quarantine or reject, a receiving server that honours DMARC would refuse a spoofed message outright or, at worst, drop it into the junk folder or quarantine it. Either way it wouldn't reach the inbox, and a scam can't succeed if it never reaches the inbox. (Two caveats: not every receiving server enforces DMARC, and a policy on Intelcom's own domain does nothing about lookalike domains that a threat actor registers himself, so DMARC raises the bar rather than ending the problem.) But as it stands, Intelcom has pretty much guaranteed that its name will be attached to scams like this one because it hasn't enabled an enforcing DMARC policy. If I were Intelcom, I'd drop everything I was doing and fix this, as it's pretty bad on their part.

Sidebar: If you want to go down the rabbit hole of DMARC, click here to see my journey in terms of implementing DMARC for my domains.
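To make the difference between "a DMARC record exists" and "DMARC is enforcing" concrete, here is an added example (my own code, not anything from the post or from Intelcom) that parses a DMARC TXT record and works out what a receiving server would be asked to do with a spoofed message. Both records, the domain names (courier.example, scammer.example) and the message scenarios are constructed for the example; the organizational-domain helper is a deliberate simplification that ignores the Public Suffix List.

```python
# Constructed sample DMARC records (assumptions for this example, not a real
# lookup of Intelcom's DNS). The first is what "record exists but no policy"
# looks like: p=none only requests reports. The second actually enforces.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@courier.example"
ENFORCING = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; "
             "rua=mailto:dmarc-reports@courier.example")


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record (RFC 7489 tag=value list) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def is_enforcing(record: str) -> bool:
    """True only when the domain asks receivers to quarantine or reject failures."""
    tags = parse_dmarc(record)
    return tags.get("v") == "DMARC1" and tags.get("p", "none").lower() in ("quarantine", "reject")


def organizational_domain(domain: str) -> str:
    """Naive organizational domain: the last two labels. Real receivers use the
    Public Suffix List; this assumption holds for names like courier.example
    but not for two-level suffixes such as example.co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed
    ('r', the default) only needs the same organizational domain."""
    auth_domain, from_domain = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return auth_domain == from_domain
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def evaluate(record, from_domain, spf_domain, spf_pass, dkim_domain, dkim_pass):
    """Return (result, requested_action) for one message.

    from_domain: domain in the visible From: header (what the victim sees).
    spf_domain / spf_pass: MAIL FROM domain and whether SPF passed for it.
    dkim_domain / dkim_pass: d= of a DKIM signature and whether it verified.
    A message passes DMARC only if at least one passing identifier is ALIGNED
    with the From: domain; the attacker's own SPF/DKIM pass does not help him.
    """
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ("no-dmarc", "none")
    spf_ok = bool(spf_pass and spf_domain
                  and aligned(spf_domain, from_domain, tags.get("aspf", "r")))
    dkim_ok = bool(dkim_pass and dkim_domain
                   and aligned(dkim_domain, from_domain, tags.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return ("pass", "none")
    # On failure the p= tag is the disposition the domain owner requests.
    # (pct= below 100 means only a sample of failures get that treatment; the
    # rest get the next weaker action, reject -> quarantine -> none.)
    return ("fail", tags.get("p", "none").lower())


if __name__ == "__main__":
    # The scam scenario: From: claims courier.example, but SPF and DKIM only
    # vouch for the scammer's own domain.
    for rec in (MONITOR_ONLY, ENFORCING):
        print(evaluate(rec, "courier.example", "scammer.example", True,
                       "scammer.example", True))
```

With the monitoring-only record the spoof is a DMARC failure on paper, but the requested action is "none", so a receiving server has no instruction to keep it out of the inbox. The same message against the enforcing record comes back as reject. The strict alignment tags in the second record also show the trade-off: mail sent as mail.courier.example on behalf of courier.example passes under relaxed alignment but fails under strict, which is why moving to p=reject needs the domain's legitimate senders inventoried first.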

Even though Intelcom's missing policy makes this scam a whole lot harder to spot, one thing still makes it clear that this is a scam:

If I hover my mouse over the words "Receive my delivery", I can see that the link does not go to a server controlled by Intelcom, meaning a domain such as intelcom.ca or something similar. That alone makes this a scam, and the email should be deleted the second it hits your inbox.
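The hover check above can be automated for a whole message. The following is an added example (my own code, not from the post) that pulls every link out of an HTML email body and flags those whose hostname is not the courier's domain or a subdomain of it. The HTML body and all domains in it (courier.example standing in for the courier, pay-fee.example and delivery-notice.example for attacker infrastructure) are constructed for the example; it also covers two tricks the naked eye misses, a user@host prefix and the courier's name used as a subdomain of the attacker's domain.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML body standing in for the scam email (an assumption for this
# example; the real message's markup is not reproduced in the post).
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Your package is waiting.
   <a href="https://track.courier.example/t/123">Track my package</a></p>
<p><a href="https://courier.example@pay-fee.example/delivery"><b>Receive my delivery</b></a></p>
<p><a href="http://courier.example.delivery-notice.example/u">Unsubscribe</a>
   <a href="mailto:support@courier.example">Contact us</a></p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None


def host_belongs_to(host: str, domain: str) -> bool:
    """True if host is domain itself or a subdomain of it. The suffix match is
    on a label boundary, so courier.example.evil.example does NOT count."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def suspicious_links(html: str, expected_domain: str) -> list:
    """Return (text, href, host) for every link whose host lies outside
    expected_domain. Uses the parsed hostname, so a 'courier.example@' userinfo
    prefix or a path that mentions the courier does not fool the check."""
    parser = LinkExtractor()
    parser.feed(html)
    flagged = []
    for text, href in parser.links:
        url = urlparse(href)
        if url.scheme == "mailto":
            continue
        host = url.hostname or ""  # relative links have no host: not the courier's
        if not host_belongs_to(host, expected_domain):
            flagged.append((text, href, host))
    return flagged


if __name__ == "__main__":
    for text, href, host in suspicious_links(SAMPLE_EMAIL_HTML, "courier.example"):
        print(f"{text!r} -> {host} ({href})")
```

Only "Receive my delivery" and "Unsubscribe" come back flagged: the tracking link is a real subdomain of the courier, the payment link's real host is pay-fee.example once the user@ part is stripped, and the unsubscribe link merely starts with the courier's name. Mail clients show the href on hover, but the hostname is what the browser will actually connect to, so that is what the check compares.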

So what is this scam after? Not that you should do this, but when I clicked on "Receive my delivery", it redirected through another site and landed on a page written entirely in Arabic. Weird. My guess is that the link originally went somewhere else and the destination had changed by the time I got to it. Either way, this illustrates that you need to stay on your toes to keep yourself safe.

I'll be reaching out to Intelcom to tell them about this scam, because, as I mentioned earlier, the lack of an enforcing DMARC policy leaves them wide open to being used in scams. It's in their interest to fix that so this is no longer the case.

One Response to “Here’s An Email Based Shipping #Scam That Is Better Executed Than Most”

  1. Steve Why Says:

    Two things to keep in mind.
    While you said that the English was pretty good…….there was an obvious grammar mistake.
    Anyone in Montreal that knows Intelcom knows that the bulk of their deliveries are for Amazon and nobody else. You would never ever receive a customs duty payable message from these clowns, lol. They can barely deliver any package without drawing a complaint under normal circumstances…….
