What is in a domain name? Take this one for example. Innocuous enough isn't it. Today I had cause to pull backups from archive, and log search for last month. You see I was stumped. One account had emailed another account. Both had good machine hygiene, and passwords were latin with case, symbols, and numbers. A couple of hundred years to brute. SPF was bang on. DKIM existed... so how on EARTH did Director A email Accountant B requesting a transfer of funds?

Well the answer lays in a number of places - an email client's parsing of an address, scan reading, and the domain name above.

Sure enough the account had not been compromised. This was organised, high focus and high skill - this was not a magician, this was a fine example of slipping between the rain drops. There is no spoon ... there is however what the eye sees, and the mind believes.

Lets say we have Director A at - he has emailed requesting a not unusual request to move funds X to account Y. However they were away when the email arrived, and thought they would check.

The logs, pulled, showed what appeared to be that story unfolding... however I noticed a bunch of lines ending in .pw . Where the hell is that I hear you ask? Well I - don't - know - exists, and it would appear to be reporting to be "Professional Web". Yes. Yes. Of Course you are. With the TLD land grab of recent times then maybe .db can be Dubious Mails.    [ponders] ...I digress.

Closer inspection I see that the email came from ... needless to say that is nicely allowed - as it meets any DKIM, SPF, DMARC for all I know.... no password, no access required.

So lets assume that you are also going to write the email header? Sure - that's not a reach is it - if you have gone to this much trouble, I would be disappointed if they did not. As such - lets check this out as an assumption.... despite having not seen the email headers: <>

... oh doesn't that look easy to gloss over. Hey - money is on the mail client will render that with the right name? Local address book entry? Hell it will likely render with that as well. Lov-er-ly.

Needless to say the domain name has Domain Privacy registered in Panama.

Needless to say the IP that sent the email is relayed out through a Ukrainan owned range delivered from the Netherlands.

Sure NCSC and ActionFraud would love to hear from Universal Donkey Widgets - but the reallity is nothing will come of it. So it is no real surprise is it that it occurs?


Anyway - this one is a little out of the ordinary - so I thought it was worth sharing.

What made this a little bit special were two things... the use of a uk(something).tld domain name as a vehicle, and the fact that they CLEARLY had prior knowledge about staff names, and who to contact. Amidst the tidal waves of junk and low focus low skill automata ... this ... this is precision. This sticks out like a poo in a swimming pool.

I live. I learn. I share.

You Madam / Sir are a very naughty girl / boy - but something about that I admire.

One Response to “

Leave a Reply

Your email address will not be published. Required fields are marked *