Interac Phishy?

  1. #1
    MrLinus (Just a Virtualized Geek) | Join Date: Sep 2001 | Location: Redondo Beach, CA | Posts: 7,324

    Interac Phishy?

    Those of you that are Canadian will recognize the Interac symbol. And the company, Certapay, was created for online transactions between Interac users and banks that support Interac. A friend of mine received the following (please note: he's not selling a laptop; he's a packrat; he never sells his comps).

    Dear User,

    MARYBETH HEDD has sent you an INTERAC Email Money Transfer.

    Amount: $961.00 (CAD)

    Sender's Message: Payment for laptop.

    Expiry Date: 2005-04-20

    Action Required:
    To deposit your money, click here:
    hxxp://gateway-certapay.com/RP.do/?pID=Sli6g20jkm8%3D

    Trouble with the link? Copy the link and paste it into your web
    browser address bar. Please make sure all the characters after the
    "pID=" are present.

    Need help?
    https://www.certapay.com/ca/oon/en/help
    It may not have been evident at first, but the link address is definitely questionable.

    Certapay resolves to:

    Registrant:
    Certapay Inc. (CERTAPAY2-DOM)
    55 university avenue, 8th floor
    toronto, ontario m5j 2h7
    CA

    Domain Name: CERTAPAY.COM

    Administrative Contact:
    Officer, Security (THOXYPSYAI) privacymanager@certapay.com
    CertaPay Inc.
    55 University Avenue
    Toronto, Ontario M5J 2H7
    CA
    999 999 9999

    Technical Contact:
    Q9 Networks Inc. (CD4054-ORG) dnsadmin@Q9.COM
    100 Wellington Street West, Suite 900
    Toronto, ON M5K 1J3
    CA
    +1 416 362 7000 fax: +1 416 362 7001

    Record expires on 27-Apr-2010.
    Record created on 27-Apr-2000.
    Database last updated on 17-Apr-2005 17:03:22 EDT.

    Domain servers in listed order:

    NS1-AUTH.Q9.COM 216.220.35.20
    NS2-AUTH.Q9.COM 216.220.36.20

    Gateway-certapay.com resolves to:

    Hostway Whois Server Version 1.0
    Domain Name: gateway-certapay.com
    Registrar: AAAQ.COM
    Whois Server: whois.aaaq.com
    Referral URL: http://www.aaaq.com
    Name Server: a.dns.hostway.net
    Name Server: b.dns.hostway.net
    Status: ACTIVE
    Updated Date 2005-04-11
    Creation Date: 2005-04-11
    Expiration Date: 2006-04-11

    Registrant:
    Aubrey Page tim_rushlow@email.com
    5207 W. Meadowridge Road
    Sherman, TX 75092
    US
    19038922325 Fax:

    Administrative Contact:
    Aubrey Page tim_rushlow@email.com
    5207 W. Meadowridge Road
    Sherman, TX 75092
    US
    19038922325 Fax:

    Technical Contact:
    Administrator DNS administrator@siteprotect.com
    1 N State Street
    12th Floor
    Chicago, IL 60602
    US
    +1.3122362132 Fax: +1.3122361958

    Billing Contact:
    Aubrey Page tim_rushlow@email.com
    5207 W. Meadowridge Road
    Sherman, TX 75092
    US
    19038922325 Fax:

    Now, to make things more interesting, the header info is as follows:

    Received: from cm-62.179.162.119.chello.no ([62.179.162.119]) by friend@friend.com (8.13.1/8.12.10) with SMTP id j3H6xTJf012290 for <friend@friend.com>; Sun, 17 Apr 2005 02:59:30 -0400 (EDT)
    Received: from smtp-maritime.nucleant.marybeth@payments.certapay.com ([62.179.162.119]) by z853-bs7.marybeth@payments.certapay.com with Microsoft SMTPSVC(5.0.4735.8274); Mon, 18 Apr 2005 02:57:10 -0200
    Received: from terbium612.n's.marybeth@payments.certapay.com (eke161.marybeth@payments.certapay.com [62.179.162.119]) by smtp-rollback.penchant.marybeth@payments.certapay.com (Postfix) with SMTP id 688OTR784I5ML for <friend@friend.com>; Sun, 17 Apr 2005 21:58:10 -0700
    Received: from smtp-cripple.graft.marybeth@payments.certapay.com ([62.179.162.119]) by tt5-oo93.marybeth@payments.certapay.com with Microsoft SMTPSVC(5.0.6599.8971); Mon, 18 Apr 2005 05:55:10 +0100
    Received: from hockey.marybeth@payments.certapay.com ([41.192.81.134]) by half.marybeth@payments.certapay.com with MailEnable ESMTP; Mon, 18 Apr 2005 07:54:10 +0300
    Return-Path: <marybeth@payments.certapay.com>
    The 62.179.162.119 shows up as a Netherlands registration while the 41.x.x.x one shows up as reserved by IANA. I'm guessing it's a form of greedy phishing. The recipient, being greedy, decides to take the money and logs on to what they think is their bank's equivalent of this site. In actual fact, it's a spoof.

    I've sent a note to Certapay and will probably also forward it to my bank (RBC is possibly the largest of the 5 that set this system up) to see what they have to say.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage
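    As an added example (not part of MsMittens' post), here is a small Python checker that applies the two tests done by hand above to a constructed sample: three hops trimmed from the quoted Received chain, with the receiving host replaced by the placeholder mx.example.net, plus the defanged link. It flags HELO names that cannot be hostnames, one source address reappearing across supposedly different relays, an inner hop dated after the hop above it, and a link host that is neither certapay.com nor one of its subdomains.

```python
import re
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

# Constructed sample: three hops trimmed from the forged chain quoted above;
# the receiving host is the placeholder mx.example.net.
SAMPLE_HEADERS = """\
Received: from cm-62.179.162.119.chello.no ([62.179.162.119]) by mx.example.net with SMTP id j3H6xTJf012290; Sun, 17 Apr 2005 02:59:30 -0400
Received: from smtp-maritime.nucleant.marybeth@payments.certapay.com ([62.179.162.119]) by z853-bs7.marybeth@payments.certapay.com with Microsoft SMTPSVC; Mon, 18 Apr 2005 02:57:10 -0200
Received: from hockey.marybeth@payments.certapay.com ([41.192.81.134]) by half.marybeth@payments.certapay.com with MailEnable ESMTP; Mon, 18 Apr 2005 07:54:10 +0300
"""

# "from <helo-name> ([<ip>]) ... ; <date>" -- the parts of a Received header we check
HOP_RE = re.compile(
    r"^Received: from (\S+) \(\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\).*;\s*(.+)$", re.M
)


def parse_received(headers):
    """Return hops newest-first as (helo_name, source_ip, timestamp)."""
    return [(helo, ip, parsedate_to_datetime(ts)) for helo, ip, ts in HOP_RE.findall(headers)]


def received_anomalies(headers):
    """List (code, detail) pairs for signs that the Received chain was fabricated."""
    hops = parse_received(headers)
    found, seen_ips = [], set()
    for i, (helo, ip, when) in enumerate(hops):
        if "@" in helo:  # '@' is not legal in a hostname, so this name was invented
            found.append(("helo-not-hostname", helo))
        if ip in seen_ips:  # distinct relays do not share one source address
            found.append(("repeated-source-ip", ip))
        seen_ips.add(ip)
        # Each relay prepends its header, so a hop must be older than the one above it
        if i > 0 and when > hops[i - 1][2]:
            found.append(("inner-hop-newer-than-outer", when.isoformat()))
    return found


def is_lookalike(link, expected_domain):
    """True when the link host is neither expected_domain nor one of its subdomains."""
    host = urlsplit(link.replace("hxxp", "http", 1)).hostname or ""
    return not (host == expected_domain or host.endswith("." + expected_domain))


if __name__ == "__main__":
    for code, detail in received_anomalies(SAMPLE_HEADERS):
        print(f"{code}: {detail}")
    print("lookalike link:", is_lookalike("hxxp://gateway-certapay.com/RP.do/?pID=Sli6g20jkm8%3D", "certapay.com"))
```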

  2. #2
    f1fan (Junior Member) | Join Date: Feb 2005 | Posts: 13

    Hey MsMittens...

    Very interesting... As Internet money transfers become more common and trusted this spoof will become more widespread...

    Actually, this is one of the more ingenious spoofs I have heard about.

    Good Post. I will have to keep this one in mind...

    F1Fan
    "It amazes me the will of instinct..." -- Kurt Cobain

  3. #3
    MrLinus (Just a Virtualized Geek) | Join Date: Sep 2001 | Location: Redondo Beach, CA | Posts: 7,324

    Indeed. I received the following reply from CertaPay:

    Thank you for taking the time to notify CertaPay regarding the unsolicited email which you recently received. Your alert attention to this questionable contact was correct, and we wish to verify that the correspondence was not legitimate. CertaPay has taken steps to shut down the source of the distribution and is working closely with law enforcement on this issue.

    It is CertaPay's understanding that the email you received, in particular the "links" contain viruses and Trojans. It is important to permanently delete this email immediately from your system. In addition, do not forward the email to anyone, even for verification purposes.

    We appreciate your concern and thank-you for taking immediate action in bringing this to our attention.

    The area I bolded sorta piqued my interest, so I went to the headers of the email that I received:

    Return-path: <info@certapay.com>
    Received: from xx.yy.zz.aa ([xx.yy.zz.aa])
    by xx.yy.zz.aa (Sun Java System Messaging Server 6.1 HotFix 0.05
    (built Oct 21 2004)) with ESMTP id <0IF600DQ5Z29XY50@xx.yy.zz> for
    msmittens@msmittens.com; Tue, 19 Apr 2005 18:46:49 -0400 (EDT)
    Received: from host-238.whitepj.net
    ([216.136.148.238]:53089 "EHLO scsdri01.santaclara.whitepj.net")
    by xx.yy.zz.aa with ESMTP id <S3770202AbVDSWqt>; Tue,
    19 Apr 2005 18:46:49 -0400
    Received: (from irisa@localhost) by scsdri01.santaclara.whitepj.net
    (8.9.3 (PHNE_24419)/8.7.1) id PAA05231; Tue, 19 Apr 2005 15:46:48 -0700 (PDT)
    Date: Tue, 19 Apr 2005 15:46:48 -0700 (PDT)
    From: info@certapay.com
    Subject: Re: [ ~3454 ] Re: Contact Form Submission ~3454
    X-Sender: info@certapay.com
    To: MsMittens <msmittens@msmittens.com>
    Reply-to: info@certapay.com
    Message-id: <200504192246.PAA05231@scsdri01.santaclara.whitepj.net>
    MIME-version: 1.0
    X-Mailer: PHP3
    Content-type: text/plain; charset=us-ascii
    Error-To: info@certapay.com
    X-BCN-FSAV: Version 4.61, updated on 2005-04-19
    X-BCN-User-Validation: Invalid Recipients [0] Valid Recipients [1]
    X-BCN-SysWht: sender [info@certapay.com] No
    X-BCN-SysWht: recipient NO
    X-BCN-UserWhiteList: Recipient didn't list sender on a white list of 24 entries
    X-BCN-RPD: Ref ID=<0001.0A090203.4265876B.0014-A->
    X-BCN-RPD: clUnknown
    X-BCN-SA: Score=-1.0, Threshold=3.0,
    Version=3.0.1 (2004-10-22) 0.3 NO_REAL_NAME
    From: does not include
    a real name -2.9 ALL_TRUSTED Did not pass through any untrusted
    hosts 1.6 BAYES_50
    BODY: Bayesian spam probability is 40 to 60%
    X-BCN-SA-Level:
    X-Authentication-warning: scsdri01.santaclara.whitepj.net: irisa set sender to
    info@certapay.com using -f
    Original-recipient: rfc822;msmittens@msmittens.com

    Perhaps I'm too paranoid. Looking at the whitepj.net site, I get:

    Registrant:
    white pajama
    3130 La Selva St. Suite 105
    San Mateo, California 94403
    UNITED STATES

    Registered through: GoDaddy.com
    Domain Name: WHITEPJ.NET
    Created on: 09-Jun-00
    Expires on: 09-Jun-06
    Last Updated on: 02-Oct-04

    Administrative Contact:
    Paulauskas, Marius mariusp@whitepj.com
    3130 La Selva St. Suite 105
    San Mateo, California 94403
    UNITED STATES
    650-292-8604 Fax -- 650-292-8613

    Technical Contact:
    Hostmaster, Verio hostmaster@verio-hosting.com
    5050 Blue Lake Dr.
    Boca Raton, Florida 33431
    UNITED STATES
    888-663-6648 Fax -- 888-663-6655

    Domain servers in listed order:
    DEV.WHITEPJ.NET
    NS1.WHITEPJ.NET
    NS2.WHITEPJ.NET

    Visiting http://www.whitepajama.com/ , which seems to be the front part of the site, suggests that they may be the "service bureau" or autoresponse group.

    I dunno. Still makes me overly suspicious. I can only assume that they do not want PR about this (I get the non-FD vibes here).
