
Here is what we're working on and thinking at Hedgehog Security.

This afternoon I received this email from "Uk Vehicles" via the email address reg@ukmotorists.com. It looked OK, and I fear a few people may fall for it. So, using our spam scoring guide (available here), I scored it. A quick reminder on the scoring:
0 to 4 out of 10 = OK.
5 out of 10 = Spam
6 to 9 out of 10 = Scam
10 + = Phishing Attack and probable fraud / theft attempt.

Initial View

As you can see, this is a very bland email. Labelled as coming from the Driver and Vehicle Licensing Agency, it draws my attention to an overpayment of £99.78 and says I need to click the link to get my refund. The subject line is suspect, the "Uk" really needing to be "UK". So with this little error, and the blandness, we give an initial risk score of 2/10.
Now, the sender domain is ukmotorists.com, a website dedicated to legal services for those who have broken motoring laws. It is not the DVLA, which the email claims to be from. So, we immediately add 4 to the score.
We now have a risk score of 6/10, which is in the SCAM category.
Looking at the "Get Started" link, it directs the browser to fifaschools.zzux.com, which then forwards to uteanddriver.com.au.
This is highly suspicious, so again we add 4 to the score.
We now have a risk score of 10/10. This email is a Phishing attack and we do not really have to go any further, but as I am interested in helping keep everyone safe, we continue...

Opening the Email Fully

Going to the site in a safe manner means bringing up a virtual machine running Linux and then running a web browser that will simply render the page but not run any JavaScript, Flash or other code. Here is what we find:

Looking Deeper at the Site

The site looks good and, if we were not aware, it would be rather convincing. My first observation is that there is no HTTPS, so the URL bar does not show the green padlock. The lack of the green padlock adds 10 to the score immediately, as this is a financial transaction page. This gives us a risk score of 20/10.
Secondly, the site is asking for card details and the 3 digit security code from the back of the card. This is not needed for refunds; the DVLA can simply reverse the transaction. This adds a further 10 points to the risk score, giving us a risk score of 30/10.


Without going any further, we have firmly established that this email is a Phishing and a Fraud email. The email gives a risk score of 30 out of 10 and is clearly a Phishing attempt to get your card details. If you fall for an email like this, the only option is to immediately cancel your bank cards.
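
The scoring walk-through above can be expressed as a small triage script. This is an added example, not Hedgehog Security's own tooling: the sample message and URLs are constructed from the details in this article, and treating gov.uk as the DVLA's expected domain is an assumption. The initial score, the final landing URL and the card-details observation are supplied by the analyst.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the email described above (not the original message).
SAMPLE = """\
From: "Uk Vehicles" <reg@ukmotorists.com>
Content-Type: text/html; charset="utf-8"

<p>You have overpaid. <a href="http://fifaschools.zzux.com/">Get Started</a></p>
"""

class LinkHosts(HTMLParser):
    """Collects the host of every <a href> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hosts = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hosts.append((urlsplit(href).hostname or "").lower())

def in_domain(host, domain):
    """True when host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)

def band(score):
    """Map a score onto the article's bands."""
    if score >= 10:
        return "Phishing"
    if score >= 6:
        return "Scam"
    return "Spam" if score == 5 else "OK"

def score_email(raw, expected_domain, initial, final_url=None, asks_card_and_cvv=False):
    msg = message_from_string(raw)
    score = initial                       # analyst's first-look score
    sender = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    if not in_domain(sender, expected_domain):
        score += 4                        # sender is not the organisation it claims to be
    parser = LinkHosts()
    parser.feed(msg.get_payload())
    if any(not in_domain(h, expected_domain) for h in parser.hosts):
        score += 4                        # link leaves the claimed organisation's domain
    if final_url and urlsplit(final_url).scheme != "https":
        score += 10                       # financial page served without HTTPS
    if asks_card_and_cvv:
        score += 10                       # card number and security code for a "refund"
    return score, band(score)
```

Calling `score_email(SAMPLE, "gov.uk", 2, "http://uteanddriver.com.au/", True)` reproduces the article's progression from the initial 2 to the final 30.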