Scammers in Action: Domain Names and Family Resettlement to Australia

"You Have Been Selected for Family Resettlement to Australia," began the email that included the seal of the Embassy of Australia. "You are among the list of nominated for 2014 resettlement visa to Australia." The signature line claimed that the message had been sent by Hon Thomas Smith and came from "Australia Immigration Section <australiaimmigrationsection@gmail.com>."

This was a scam, of course.

"What do I need to do?" I responded, curious what might come next. Hon Thomas Smith responded within a few hours, this time from australia@immigrationsection.com.au.pn.

Request for Personal Information

The message attempted to mimic the letterhead of the Australian Department of Immigration and Citizenship and welcomed me “to Australia visa office.” It explained that:

"every year certain number of people are selected through our electronic ballot system for resettlement by Australia Government as part of support to Countries regarded as war zone area."

The miscreant requested that I submit a scanned copy of my travel passport, a recent photo and my phone number. In addition, I was to email a scanned white paper sheet with my fingerprints on it.

The email message included a PDF attachment that claimed to be Visa Form File/10121L-2014, which requested details such as date of birth, mother’s name and address. The PDF file didn’t have an exploit, as far as I can tell, and was merely designed as a place where the scammer’s target could conveniently provide personal information.


The scammer was probably pursuing this information with the goal of identity theft. Future interactions with the scammer would also likely include a request for money to process the bogus application.

Free Sub-Domain Registration

The domain from which the scammer sent the application, immigrationsection.com.au.pn, is considered malicious by some security companies, according to VirusTotal. It redirects web visitors to www-dot-popnic-dot-com, which some sources consider malicious.


Popnic-dot-com seems to be a front for Unionic-dot-com, which provides free domain registration, email forwarding, web hosting, URL forwarding, etc. under unusual TLDs such as .tc, .mn, .ms and others. More specifically, it offers registration under second-level domains that resemble TLDs assigned to major countries, such as .uk.pn, .us.pn, .ca.pn, .au.pn and others. No wonder it’s attractive to scammers, who want a domain that at first glance seems legitimate.
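As an added illustration (not part of the original post), here is a small stdlib-only Python checker that applies the two observations above to a From: header: a registrable name whose tail imitates a country-code suffix such as ".com.au" while the real TLD is something else (here .pn), and an official-sounding sender using a freemail provider. The country-code, registry-label and freemail sets are constructed for the demonstration and are not a complete signature list.

```python
"""
Flag sender domains that mimic a country-code suffix under another TLD
(e.g. "example.com.au.pn" looks Australian but is a sub-domain under .pn)
and official-sounding senders that use freemail providers.

Added example for this post; the lists below are constructed for the
demonstration and are deliberately short.
"""
import re
from email.utils import parseaddr

# Constructed: country codes that a scammer might want a name to resemble.
COUNTRY_CODES = {"uk", "us", "ca", "au", "de", "fr", "nz"}
# Constructed: registry second-level labels that normally precede a ccTLD
# (com.au, co.uk, gov.uk, ...).
REGISTRY_2LD = {"com", "co", "net", "org", "gov", "edu", "ac"}
# Constructed: freemail providers that a real immigration office would not use.
FREEMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
# Words in the display name or address that suggest an official sender.
OFFICIAL_WORDS = re.compile(r"embassy|immigration|visa|government|ministry", re.I)


def sender_domain(header_value: str) -> str:
    """Return the lowercase domain part of a From: header value."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def pseudo_cctld_suffix(domain: str):
    """Return (mimicked_suffix, real_tld) when the domain's tail looks like a
    country-code suffix that is really a sub-domain under a different TLD,
    otherwise None. Heuristic: a country code sitting one label above the
    actual TLD. Legitimate locality names such as "<city>.ca.us" also match,
    so treat a hit as a reason to look closer, not as proof of fraud."""
    labels = domain.split(".")
    if len(labels) < 3:
        return None
    real_tld = labels[-1]
    if labels[-2] in COUNTRY_CODES and labels[-2] != real_tld:
        if len(labels) >= 4 and labels[-3] in REGISTRY_2LD:
            mimicked = ".".join(labels[-3:-1])   # e.g. "com.au"
        else:
            mimicked = labels[-2]                # e.g. "uk"
        return mimicked, real_tld
    return None


def assess_sender(header_value: str) -> list:
    """Return human-readable findings for one From: header value."""
    domain = sender_domain(header_value)
    findings = []
    hit = pseudo_cctld_suffix(domain)
    if hit:
        mimicked, real = hit
        findings.append(
            f"'{domain}' imitates '.{mimicked}' but is a sub-domain under '.{real}'"
        )
    if domain in FREEMAIL and OFFICIAL_WORDS.search(header_value):
        findings.append(f"official-sounding sender using freemail provider '{domain}'")
    return findings


if __name__ == "__main__":
    # The two sender addresses quoted in the post.
    for header in (
        "Australia Immigration Section <australiaimmigrationsection@gmail.com>",
        "Hon Thomas Smith <australia@immigrationsection.com.au.pn>",
    ):
        for finding in assess_sender(header):
            print(finding)
```

Both addresses from the post produce a finding, while a genuine ".com.au" name does not. The check is intentionally conservative: it only looks at the last few labels, so it will not flag every suspicious name, but it gives a reviewer a concrete reason to verify the sender through an independent channel before replying.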

With the increasing variety of TLDs available, scammers will have an easier job selecting domain names that catch the victims’ attention or evoke trust. Regardless of the domain used by the sender of the email message, if the offer sounds too good to be true and involves supplying sensitive information, it’s probably a scam.


About the Author

I transform ideas into successful outcomes, building on my 25 years of experience in cybersecurity. As the CISO at Axonius, I lead the security program to earn customers' trust. I'm also a Faculty Fellow at SANS Institute, where I author and deliver training for incident responders. The diversity of cybersecurity roles I've held over the years and the accumulated expertise allow me to create practical solutions that drive business growth.
