Fake DVLA Emails: Tracing a Trojan Scam

Continuing our recent series on email phishing trickery including fake invoices and Apple ID theft, this week we discovered a new scam involving a fake communication claiming to be from the Driver & Vehicle Licensing Agency (DVLA).

You haven’t sent them your vehicle details: but never fear, enter them below and avoid a hefty ‘1000 GBP’ fine. Never mind that your garage should have organised a V5 document for you, just click the link and type in your details. This couldn’t be a scam? Right?

We set Lineal’s security trainee Lewis on the fake DVLA emails case – who found that the email links to a private (non Gov.uk) web-page with a extensive bit of PHP code running in the background. A classic Trojan, this webpage invited you to download your casefile – and likely something dangerous along with it.

trojan

Despite poor grammar, the format matched a GOV.UK page quite closely and the ‘official’ nature of the styling might easily have tricked unsuspecting motorists.

Avoiding the page itself, Lewis completed an HTTPS lookup on the domain hosting the fake web page – but found two servers running the same scam. The email itself appeared to be routed via the USA, in an effort to mask the attacker(s) identity.

Tracing both IPs seperately led back to the same address in Germany, registered under two different names which could either be part of an organisation (or more likely) both assumed identities stolen from others fallen victim to the scam.

German privacy law prevents Google StreetView from being completed across most of the country, so an aerial view of an unknown industrial building on the outskirts of Lippstadt was a close as we could get to sourcing the suspicious email itself.

Clearly a sophisticated operation, fake DVLA emails like this highlight the growing technical ability of online scammers and the need for solid IT security precautions.

 

For IT Security advice and support, contact Lineal today: 01271 375999