Although I do most of my work remotely, I’ll occasionally make a trip into my company’s office location to run cable, make changes to our networking equipment, or just generally check up on things. On these intermittent trips, I’ll sometimes see faxes that have accumulated in our print/scan/fax machine.
Most of these faxes had been sent to us in error, but on my most recent trip – I saw something strange, something that was not an error. I had actually seen something like it only a month before, but it had dropped off my radar. This fax was addressed (in the salutation) to someone who had passed well before my time at this company had even begun, over a year ago. What I was looking at could only be described as phishing via fax – do we come full circle at this point, and just call it “fishing”?
For being a phish/scam, it was very well-written. Minimal grammatical errors, the area code for both the phone number and the fax number lined up with where this company was claiming to be from, Ontario, and there was even a website to match – but we’ll get to that in a second. The obvious red flags are the premise: an eleven million dollar settlement waiting to be claimed by the recipient, and the generic return email not using the company’s domain. Clearly something is going on here. But I was curious! I had never seen something like this being done via faxes, so I decided to see what was going on with their website. But I made sure to do so in a VM and behind a VPN, in case there was any tomfoolery (read: “malicious scripts”) waiting for me.
They did a good job with SEO, because their website was the first result when searching for “Atkinson Koffer”. Also on the first page of Google, however, is the following article:
Not a great look. Combing through the article, I couldn’t find any actual mention of Atkinson Koffer, which was strange. It must have been somewhere in the metadata.
Back to the website. It looks a little archaic, but not anything super alarming. This website even had a profile under “Our Team” for the supposed lawyer that had authored the fax we received.
Curiously, the domain of the website was also “akinsonkofferllp.com”, which didn’t match the “atkinsonkofferllp.com” (with a ‘T’) seen on the fax. But it was no coincidence, as all of their address and phone number information lined up.
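The two domain-level red flags in this story (the fax's domain and the live site's domain differing by a single missing letter, and the return e-mail address not using the firm's own domain) are easy to check mechanically before anyone clicks anything. The script below is an added example and not the blog author's code; it uses plain edit distance on the registrable label. The free-mail list, the naive "label left of the last dot" TLD handling, and the sample reply address are assumptions made for the demo.

```python
"""Lookalike-domain and reply-address triage for a suspicious fax or letter.

Added example (not the post author's code). The two domains are the ones the
post states; the reply e-mail address below is constructed for the demo.
"""
import re

# Assumption: a short list of free-mail providers; a real triage tool would
# carry a longer one.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete from a
                           cur[j - 1] + 1,         # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalize_domain(value: str) -> str:
    """Lower-case a domain as printed on a fax or typed into a browser:
    strips scheme, path, trailing dot and a leading 'www.'."""
    value = value.strip().lower()
    value = re.sub(r"^[a-z]+://", "", value)
    value = value.split("/", 1)[0]
    if value.startswith("www."):
        value = value[4:]
    return value.rstrip(".")


def registrable_label(domain: str) -> str:
    """'atkinsonkofferllp.com' -> 'atkinsonkofferllp'.
    Assumption: label left of the last dot. Fine for .com/.ca, wrong for
    co.uk-style public suffixes; use a public-suffix list for real work."""
    parts = normalize_domain(domain).split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def is_lookalike(claimed: str, observed: str, max_distance: int = 2) -> tuple[bool, int]:
    """Two *different* domains whose labels are within a small edit distance:
    a typo-squat, or a scammer who dropped a letter between fax and website."""
    if normalize_domain(claimed) == normalize_domain(observed):
        return False, 0
    d = levenshtein(registrable_label(claimed), registrable_label(observed))
    return d <= max_distance, d


def sender_domain_findings(reply_email: str, company_domains: set[str]) -> list[str]:
    """Flag a reply address on a free-mail provider, or on a domain that is not
    one of the domains the sender itself claims."""
    findings = []
    if "@" not in reply_email:
        return ["reply address has no domain part"]
    domain = normalize_domain(reply_email.rsplit("@", 1)[1])
    company = {normalize_domain(d) for d in company_domains}
    if domain in FREEMAIL_DOMAINS:
        findings.append(f"reply address uses free-mail domain {domain}")
    if domain not in company:
        findings.append(
            f"reply address domain {domain} is not one of the claimed domains {sorted(company)}")
    return findings


def triage(claimed_domain: str, observed_domain: str, reply_email: str) -> list[str]:
    """Run both checks and return a list of human-readable findings."""
    findings = []
    lookalike, distance = is_lookalike(claimed_domain, observed_domain)
    if lookalike:
        findings.append(
            f"'{normalize_domain(claimed_domain)}' and '{normalize_domain(observed_domain)}' "
            f"differ by {distance} edit(s): lookalike pair")
    findings.extend(sender_domain_findings(reply_email, {claimed_domain, observed_domain}))
    return findings


if __name__ == "__main__":
    # Constructed input: the two domains from the post, plus a made-up
    # free-mail reply address standing in for the "generic return email".
    for finding in triage("atkinsonkofferllp.com",
                          "http://www.akinsonkofferllp.com/",
                          "akoffer.settlements@gmail.com"):
        print("-", finding)
```

Run it and the lookalike pair, the free-mail provider and the domain mismatch each come out as a separate finding; feed it a reply address on the firm's own domain and the sender checks go quiet, leaving only the lookalike result. It is a triage aid, not a verdict: a distance of one or two also catches legitimate rebrands, so the findings belong in front of a human, as they did here.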
What’s going on here? I tried giving the phone numbers a call, but they both rang out. The social links led nowhere, and only refreshed the page. Alright, let’s see this “office”.
We’re on Keele St. alright, but there’s no 7200. 7250 is a large shopping mall, but we’re simply left here in the middle of an intersection. Let’s see what ICANN has to say about this domain, and where their nameservers point.
Great, “Owlhost”. Haven’t heard of them, but maybe another DigitalOcean or cloud hosting site. Let’s see…
Yep, not a great sign. I got the “VPS/VDS” (Virtual Private Server/Virtual Dedicated Server) part down, but that’s about it. That’s pretty much all we need to know. Stacked on top of all of the other red flags, this supposed Canadian law firm using a Russian VPS website for their hosting was pretty clearly not benign. Scrolling down a bit on the ICANN lookup, we can see that they are using Enom as their registrar – in my very own home state of Washington!
I gave Enom a call to let them know about my findings, but the man I spoke with seemed mildly convinced of this website’s legitimacy (dishearteningly) after visiting it while we spoke, and told me that I would have to submit an abuse report through email.
But before I reached out to them to get this shut down, I truly wanted a slam dunk. How about that image on their website? Surely they didn’t actually get dressed up in suits to take a picture for this front of a website… it had to come from somewhere. A quick Google Image search returns the keywords “north bay lawyers”, and a match.
That’s them alright! Finally, I got all of my thoughts together, wrote out an extremely long abuse report for the staff at Enom, and was delighted to see an email in my inbox notifying me of its shutdown that very same day. Serious props to Enom and their staff, I don’t think I’ve had that good of communication from any company. I didn’t have to go digging to find that abuse number in the first place, nor did I have to speak to a single robot when I called it.
All in all, this was a fun experience. These sorts of schemes are like a hydra, and I certainly don’t expect to have made any substantial impact with this shutdown. But if somewhere in Moscow someone has to open Photoshop and start on a new law firm logo, register a new domain, or develop a new fax format, I’m happy. Ah yes, the fax. I wanted to take a look at the one we had received a month prior to this one, I knew I had it somewhere…
An entirely different company!?
to be continued…