Fake Plymouth University Procurement Emails - Spam Warning !!
This is an interesting form of spam (if you ever find spam interesting), as it is amazing what sort of mentality some people operate under. This is a group or individual who has seen how UK universities order equipment and decided to take advantage of the eagerness a small company would have to supply a university.
They send an email purporting to be from the University of Plymouth, along the lines of the following:
--------------------------------------------------------------------------------------------------------------------------------------------
From: Procurement Department <[email protected]>
Sent: Wednesday, June 12, 2019 3:32 PM
To: Support
Subject: Procurement Enquiry
Sales,
Kindly advise if your company can supply us any of the below hardware (We only need one brand out of the four)
1. Microsoft Surface Laptop 2 (15-inch)
Processor: Intel Core i7
Memory: 16GB
Storage: 1TB SSD
2. Apple MacBook Pro (15-inch)
Processor: 2.6GHz 6-core-Intel Core i7 processor, Turbo Boost up to 4.3GHz
Memory: 16GB 2400MHz DDR4 memory
Storage: 1TB SSD storage
3. HP ZBook 15 G5 Mobile Workstation
Processor: Intel Core i7-8850H vPro
Memory: 32 GB DDR4-2666 SDRAM
Storage: 1TB PCIe NVMe SSD
4. Dell XPS 15 2-in-1
Processor: 8th Generation Intel® Core i7-8705G
Memory: 16GB DDR4-2400MHz Integrated
Storage: 1TB PCIe Solid State Drive
Payment terms: Net 30 days from date of invoice
Please indicate the lead time, ETA and maximum quantity you can supply at a time.
We look forward to receiving your formal quote as soon as possible.
Best Regards,
Michael Rutherford
Purchasing Officer
University of Plymouth
Drake Circus,Plymouth
Devon PL4 8AA
Fax: +44 1752549554
--------------------------------------------------------------------------------------------------------------------------------------------
Now obviously the University of Plymouth is at Plymouth.ac.uk and this is just a poor attempt at impersonation.
The image for their signature is held here: http://www.deltservices.co.uk/wp-content/uploads/2018/07/Plymouth-University-Logo-330px-wide.jpg. This is a WordPress installation that may or may not be tied to the perpetrator of this, but another WordPress site does seem to be hacked every day of the week at the moment.
Deltservices.co.uk has the following whois:
Domain name:
deltservices.co.uk
Data validation:
Nominet was able to match the registrant's name and address against a 3rd party data source on 03-Jun-2014
Registrar:
123-Reg Limited t/a 123-reg [Tag = 123-REG]
URL: http://www.123-reg.co.uk
Relevant dates:
Registered on: 27-Sep-2012
Expiry date: 27-Sep-2020
Last updated: 20-Sep-2018
Registration status:
Registered until expiry date.
Name servers:
ns-117.awsdns-14.com
ns-1432.awsdns-51.org
ns-1826.awsdns-36.co.uk 205.251.199.34
ns-702.awsdns-23.net
WHOIS lookup made at 10:50:52 14-Jun-2019
--------------------------------------------------------------------------------------------------------------------------------------------
But whether AWSdns-36.co.uk has anything to do with them hosting on Amazon AWS is unknown.
The domain itself has the following:
--------------------------------------------------------------------------------------------------------------------------------------------
Domain name:
awsdns-36.co.uk
Data validation:
Nominet was able to match the registrant's name and address against a 3rd party data source on 10-Dec-2012
Registrar:
Markmonitor Inc. t/a MarkMonitor Inc. [Tag = MARKMONITOR]
URL: http://www.markmonitor.com
Relevant dates:
Registered on: 21-Oct-2010
Expiry date: 21-Oct-2024
Last updated: 07-May-2019
Registration status:
Registered until expiry date.
Name servers:
g-ns-1511.awsdns-36.co.uk 205.251.197.231 2600:9000:5305:e700::1
g-ns-1832.awsdns-36.co.uk 205.251.199.40 2600:9000:5307:2800::1
g-ns-356.awsdns-36.co.uk 205.251.193.100 2600:9000:5301:6400::1
g-ns-932.awsdns-36.co.uk 205.251.195.164 2600:9000:5303:a400::1
--------------------------------------------------------------------------------------------------------------------------------------------
According to https://securitytrails.com/list/apex_domain/ns-1826.awsdns-36.co.uk it is an Amazon customer.
The emails appear to originate from Gmail:
<CAKY3UYL=fovro0=0Fvac5Yi7wKEseRXuuf2J=nB82TW1kpNJ-w@mail.gmail.com> | 13/06/2019 13:55:57 | 13/06/2019 13:55:56 | [email protected] | [email protected] | Re: Procurement Enquiry | INBOUND | Blocked [Header Checking]
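The two tells described above (a message that claims to be the University of Plymouth but is not sent from plymouth.ac.uk, and a Message-ID issued by Gmail) can be checked mechanically. The following is an added example, not part of the original post or of any mail filter's own code; the sender address `procurement@lookalike.example`, the Message-ID values and both sample messages are constructed placeholders, and the finding names are hypothetical.

```python
from email import message_from_string
from email.utils import parseaddr

CLAIMED_ORG = "University of Plymouth"     # organisation named in the signature
ORG_DOMAIN = "plymouth.ac.uk"              # its real domain, as stated in the post
FREEMAIL_MSGID_HOSTS = ("mail.gmail.com",) # assumption: short illustrative list

def domain_of(value):
    """Return the lower-cased part after the last '@', or '' if there is none."""
    return value.rsplit("@", 1)[-1].strip("<> ").lower() if "@" in value else ""

def is_under(domain, parent):
    return domain == parent or domain.endswith("." + parent)

def text_of(msg):
    """Concatenate the text of all parts so multipart mail is handled too."""
    if msg.is_multipart():
        return "\n".join(text_of(part) for part in msg.get_payload())
    return str(msg.get_payload())

def impersonation_findings(raw):
    msg = message_from_string(raw)
    from_dom = domain_of(parseaddr(msg.get("From", ""))[1])
    msgid_host = domain_of(msg.get("Message-ID", ""))
    findings = []
    # Tell 1: the body claims the organisation, the From domain is not theirs.
    if CLAIMED_ORG.lower() in text_of(msg).lower() and not is_under(from_dom, ORG_DOMAIN):
        findings.append("org-claim-domain-mismatch")
    # Tell 2: Gmail generated the Message-ID although From is not a Gmail
    # address. Hosted custom domains also produce this, so it is a supporting
    # signal rather than proof on its own.
    if msgid_host in FREEMAIL_MSGID_HOSTS and not is_under(from_dom, "gmail.com"):
        findings.append("freemail-message-id")
    return findings

# Constructed sample messages (not the real headers from the incident).
SPOOF = ("From: Procurement Department <procurement@lookalike.example>\n"
         "Message-ID: <constructed-id-0001@mail.gmail.com>\n"
         "Subject: Procurement Enquiry\n\n"
         "Kindly advise if your company can supply us.\n"
         "Purchasing Officer\nUniversity of Plymouth\n")
LEGIT = ("From: Purchasing <buyer@plymouth.ac.uk>\n"
         "Message-ID: <constructed-id-0002@plymouth.ac.uk>\n"
         "Subject: Quote request\n\n"
         "Purchasing Officer\nUniversity of Plymouth\n")

if __name__ == "__main__":
    print(impersonation_findings(SPOOF), impersonation_findings(LEGIT))
```
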
--------------------------------------------------------------------------------------------------------------------------------------------
From: Procurement Department <[email protected]>
Sent: Thursday, June 13, 2019 1:56 PM
To: Support
Subject: Re: Procurement Enquiry
Thanks for your swift response.
We wish to purchase the below
Microsoft Surface Laptop 2 (15-inch)
Processor: Intel Core i7
Memory: 16GB
Storage: 1TB SSD
Quantity: 20 units.
Payment terms: Net 30 days from date of invoice
We look forward to receiving formal quote.
Best Regards,
Michael Rutherford
Purchasing Officer
University of Plymouth
Drake Circus,Plymouth
Devon PL4 8AA
Fax: +44 1752549554
--------------------------------------------------------------------------------------------------------------------------------------------
We will see how far we can go and try to discover their identity...