Interac Phishy?

[MrLinus]

Those of you that are Canadian will recognize the Interac symbol. And the company, Certapay, was created for online transactions between Interac users and banks that support Interac. A friend of mine received the following (please note: he's not selling laptop --- he's a packrack; he never sells his comps).

Dear User,

MARYBETH HEDD has sent you an INTERAC Email Money Transfer.

Amount: $961.00 (CAD)

Sender's Message: Payment for laptop.

Expiry Date: 2005-04-20

Action Required:
To deposit your money, click here:
hxxp://gateway-certapay.com/RP.do/?pID=Sli6g20jkm8%3D

Trouble with the link? Copy the link and paste it into your web
browser address bar. Please make sure all the characters after the
"pID=" are present.

Need help?
https://www.certapay.com/ca/oon/en/help

It may not have been evident at first but the link address is definately questionable.

Certapay resolves to:

Registrant:
Certapay Inc. (CERTAPAY2-DOM)
55 university avenue, 8th floor
toronto, ontario m5j 2h7
CA

Domain Name: CERTAPAY.COM

Administrative Contact:
Officer, Security (THOXYPSYAI) [email protected]
CertaPay Inc.
55 University Avenue
Toronto, Ontario M5J 2H7
CA
999 999 9999

Technical Contact:
Q9 Networks Inc. (CD4054-ORG) [email protected]
100 Wellington Street West, Suite 900
Toronto, ON M5K 1J3
CA
+1 416 362 7000 fax: +1 416 362 7001

Record expires on 27-Apr-2010.
Record created on 27-Apr-2000.
Database last updated on 17-Apr-2005 17:03:22 EDT.

Domain servers in listed order:

NS1-AUTH.Q9.COM 216.220.35.20
NS2-AUTH.Q9.COM 216.220.36.20

Gateway-certapay.com resolves to:

Hostway Whois Server Version 1.0
Domain Name: gateway-certapay.com

Registrar: AAAQ.COM

Whois Server: whois.aaaq.com

Referral URL: http://www.aaaq.com

Name Server: a.dns.hostway.net

Name Server: b.dns.hostway.net

Status: ACTIVE

Updated Date 2005-04-11

Creation Date: 2005-04-11

Expiration Date: 2006-04-11

Registrant:



Aubrey Page [email protected]

5207 W. Meadowridge Road



Sherman, TX 75092

US

19038922325 Fax:



Administrative Contact:

Aubrey Page [email protected]

5207 W. Meadowridge Road



Sherman, TX 75092

US

19038922325 Fax:



Technical Contact:

Administrator DNS [email protected]

1 N State Street

12th Floor

Chicago, IL 60602

US

+1.3122362132 Fax: +1.3122361958



Billing Contact:

Aubrey Page [email protected]

5207 W. Meadowridge Road



Sherman, TX 75092

US

19038922325 Fax:

Now, to make things more interesting the header info is as follows:

eceived: from cm-62.179.162.119.chello.no ([62.179.162.119]) by [email protected] (8.13.1/8.12.10) with SMTP id j3H6xTJf012290 for <[email protected]>; Sun, 17 Apr 2005 02:59:30 -0400 (EDT)
Received: from [email protected] ([62.179.162.119]) by [email protected] with Microsoft SMTPSVC(5.0.4735.8274); Mon, 18 Apr 2005 02:57:10 -0200
Received: from terbium612.n'[email protected] ([email protected] [62.179.162.119]) by [email protected] (Postfix) with SMTP id 688OTR784I5ML for <[email protected]>; Sun, 17 Apr 2005 21:58:10 -0700
Received: from [email protected] ([62.179.162.119]) by [email protected] with Microsoft SMTPSVC(5.0.6599.8971); Mon, 18 Apr 2005 05:55:10 +0100
Received: from [email protected] ([41.192.81.134]) by [email protected] with MailEnable ESMTP; Mon, 18 Apr 2005 07:54:10 +0300
Return-Path: <[email protected]>

The 62.179.162.119 shows up as a Netherlands registeration while the 41.x.x.x one shows up as reserved by IANA. I'm guessing it's a form of greedy phishing. The receipent, being greedy, decides to take the money and logs on to what they think is their banks equivelant of this site. In actual fact, it's a spoof.

I've sent a note to Certapay and will probably also forward it to my bank (RBC is possibly the largest of the 5 that set this system up) to see what they have to say.

[f1fan]

Hey MsMittens...

Very interesting... As Internet money transfers become more common and trusted this spoof will become more widespread...

Actually, this is one of the more ingenious spoofs I have heard about.

Good Post. I will have to keep this one in mind...

F1Fan

[MrLinus]

Indeed. I received the following reply from CertaPay:

Thank-you for taking the time to notify CertaPay regarding the unsolicited email which you recently received. Your alert attention to this questionable contact was correct, and we wish to verify that the correspondence was not legitimate. CertaPay has taken steps to shut-down the source of the distribution and are working closely with law enforcement on this issue.

It is CertaPay's understanding that the email you received, in particular the "links" contain viruses and Trojans. It is important to permanently delete this email immediately from your system. In addition, do not forward the email to anyone, even for verification purposes.

We appreciate your concern and thank-you for taking immediate action in bringing this to our attention.

The area I bolded sorta piqued my interest so I went to the headers of the email that I received:

Return-path: <[email protected]>
Received: from xx.yy.zz.aa ([xx.yy.zz.aa])
by xx.yy.zz.aa (Sun Java System Messaging Server 6.1 HotFix 0.05
(built Oct 21 2004)) with ESMTP id <[email protected]> for
[email protected]; Tue, 19 Apr 2005 18:46:49 -0400 (EDT)
Received: from host-238.whitepj.net
([216.136.148.238]:53089 "EHLO scsdri01.santaclara.whitepj.net")
by xx.yy.zz.aa with ESMTP id <S3770202AbVDSWqt>; Tue,
19 Apr 2005 18:46:49 -0400
Received: (from irisa@localhost) by scsdri01.santaclara.whitepj.net
(8.9.3 (PHNE_24419)/8.7.1) id PAA05231; Tue, 19 Apr 2005 15:46:48 -0700 (PDT)
Date: Tue, 19 Apr 2005 15:46:48 -0700 (PDT)
From: [email protected]
Subject: Re: [ ~3454 ] Re: Contact Form Submission ~3454
X-Sender: [email protected]
To: MsMittens <[email protected]>
Reply-to: [email protected]
Message-id: <[email protected]>
MIME-version: 1.0
X-Mailer: PHP3
Content-type: text/plain; charset=us-ascii
Error-To: [email protected]
X-BCN-FSAV: Version 4.61, updated on 2005-04-19
X-BCN-User-Validation: Invalid Recipients [0] Valid Recipients [1]
X-BCN-SysWht: sender [[email protected]] No
X-BCN-SysWht: recipient NO
X-BCN-UserWhiteList: Recipient didn't list sender on a white list of 24 entries
X-BCN-RPD: Ref ID=<0001.0A090203.4265876B.0014-A->
X-BCN-RPD: clUnknown
X-BCN-SA: Score=-1.0, Threshold=3.0,
Version=3.0.1 (2004-10-22) 0.3 NO_REAL_NAME
From: does not include
a real name -2.9 ALL_TRUSTED Did not pass through any untrusted
hosts 1.6 BAYES_50
BODY: Bayesian spam probability is 40 to 60%
X-BCN-SA-Level:
X-Authentication-warning: scsdri01.santaclara.whitepj.net: irisa set sender to
[email protected] using -f
Original-recipient: rfc822;[email protected]

Perhaps I'm too paranoid. Looking at the whitepj.net site and I get:

Registrant:

white pajama

3130 La Selva St. Suite 105

San Mateo, California 94403

UNITED STATES



Registered through: GoDaddy.com

Domain Name: WHITEPJ.NET

Created on: 09-Jun-00

Expires on: 09-Jun-06

Last Updated on: 02-Oct-04



Administrative Contact:

Paulauskas, Marius [email protected]

3130 La Selva St. Suite 105

San Mateo, California 94403

UNITED STATES

650-292-8604 Fax -- 650-292-8613

Technical Contact:

Hostmaster, Verio [email protected]

5050 Blue Lake Dr.

Boca Raton, Florida 33431

UNITED STATES

888-663-6648 Fax -- 888-663-6655



Domain servers in listed order:

DEV.WHITEPJ.NET

NS1.WHITEPJ.NET

NS2.WHITEPJ.NET

Visiting http://www.whitepajama.com/ , which seems to be the frontpart of the site suggests that they may be the "service bureau" or autoresponse group.

I dunno. Still makes me overly suspicious. I can only assume that they do not want PR about this (I get the non-FD vibes here).