
Follow a Phishing Case in Real Time: postfinances.com / Swiss Post

Werner Staub

It is just another phishing case. Why should I care? I happened to receive my own copy of the phishing email message. Most Internet users will just smile bitterly before deleting it.

I checked it to see why it had gone through the spam filters. It had no URL in the text but a reply-to address. So it needed a valid domain name, and had one: postfinances.com.

PostFinance (without trailing "s") is the payment system of the Swiss Post. It has millions of users.

The domain postfinances.com had been registered a day before my receipt of the phishing email, through a Canadian registrar:

Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 27-dec-2012
Creation Date: 27-dec-2012
Expiration Date: 27-dec-2013

The domain holder (falsely) shown on the Whois is Vistaprint, an international online services company. There is an MX record pointing to:


The phishing message itself is not convincing. The copy I received is written in bad machine-translated German. I suppose French and Italian versions have been sent too. It is the classic false alert about an "account information update" targeting users of an electronic payment system. It asks the recipient to reply with account information and a telephone number, promising that the support team will then contact the account holder by telephone.

Can we simply dismiss this as a clumsy attempt at phishing?

It is not that clumsy. The Swiss Post giro accounts are extremely popular. Almost everyone in Switzerland has a postal account. So any user with an email address ending in .ch is likely to have a postal account and to have electronic access to it. In this respect, the phishing perpetrators are smart.

Now the domain name. The real thing is http://www.postfinance.ch. The plural of the word "finance" is frequently used, especially in the sense of personal finance. Addresses ending in .com are frequent for large Swiss companies. So postfinances.com sounds very credible. In this respect, the phishing perpetrators are almost elegant.
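The two signals described above, a reply-to domain that is one letter away from a protected brand domain and a registration date only a day old, can be checked mechanically by a mail filter. The following is an added example, not code from the original post or from PostFinance or any registrar; the message text, the WHOIS excerpt (laid out like the one quoted above) and the list of protected domains are all constructed for the example, and the second-level label comparison assumes plain brand.tld names rather than two-level country suffixes.

```python
"""
Mail-filter heuristics for a look-alike reply-to domain plus a freshly
registered domain. Added example; sample data is constructed.
"""
import re
from datetime import date, datetime
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

# Constructed: the operator's own list of brand domains to protect.
PROTECTED_DOMAINS = {"postfinance.ch": "PostFinance"}

# Constructed sample message, modelled on the one described in the post:
# no URL in the body, but a Reply-To at the look-alike domain.
SAMPLE_EMAIL = """\
From: PostFinance Support <support@postfinances.com>
Reply-To: kontoupdate@postfinances.com
To: victim@example.ch
Subject: Aktualisierung Ihrer Kontoinformationen

Bitte antworten Sie mit Ihrer Kontonummer und Telefonnummer.

This message was sent using IMP, the Internet Messaging Program.
"""

# Constructed WHOIS excerpt in the layout quoted in the post.
SAMPLE_WHOIS = """\
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 27-dec-2012
Creation Date: 27-dec-2012
Expiration Date: 27-dec-2013
"""


def reply_domain(raw_message: str) -> str:
    """Domain a reply would go to: Reply-To if present, otherwise From."""
    msg = message_from_string(raw_message)
    header = msg.get("Reply-To") or msg.get("From", "")
    _, addr = parseaddr(header)
    return addr.rpartition("@")[2].lower()


def registrable_label(domain: str) -> str:
    """Second-level label, e.g. 'postfinances' for 'postfinances.com'
    (assumes a single-label public suffix)."""
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else domain


def levenshtein(a: str, b: str) -> int:
    """Edit distance; 'postfinance' -> 'postfinances' is one insertion."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_brand(domain: str, max_distance: int = 2) -> Optional[str]:
    """Brand that this domain imitates, or None. The genuine domain itself
    is never reported as a look-alike."""
    if domain in PROTECTED_DOMAINS:
        return None
    label = registrable_label(domain)
    for legit, brand in PROTECTED_DOMAINS.items():
        if levenshtein(label, registrable_label(legit)) <= max_distance:
            return brand
    return None


def creation_date(whois_text: str) -> Optional[date]:
    """Parse the 'Creation Date: 27-dec-2012' line of a WHOIS record."""
    m = re.search(r"Creation Date:\s*(\S+)", whois_text)
    return datetime.strptime(m.group(1), "%d-%b-%Y").date() if m else None


def assess(raw_message: str, whois_text: str, today: date) -> dict:
    """Combine both signals: a look-alike reply-to domain is the trigger,
    a registration younger than 30 days is corroboration."""
    domain = reply_domain(raw_message)
    brand = lookalike_brand(domain)
    created = creation_date(whois_text)
    age = (today - created).days if created else None
    reasons = []
    if brand:
        reasons.append(f"reply-to domain {domain} imitates {brand}")
        if age is not None and age < 30:
            reasons.append(f"domain registered {age} day(s) ago")
    return {"domain": domain, "brand": brand, "age_days": age,
            "suspicious": brand is not None, "reasons": reasons}


if __name__ == "__main__":
    # Evaluate as of the day the post's author received the message.
    print(assess(SAMPLE_EMAIL, SAMPLE_WHOIS, date(2012, 12, 28)))
```

In production the WHOIS text would come from an RDAP or WHOIS lookup cached per domain rather than from a string, and the distance threshold should be tuned against the operator's own false-positive rate; the point of the example is that neither signal is hard to compute, so a filter has no excuse for letting the combination through.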

Now the style of the email, the bad German, the almost humoristic notice on the bottom of the message:

"This message was sent using IMP, the Internet Messaging Program."

That notice was left in English. Even that had a role: it filtered out the educated victims, leaving only the vulnerable people.

Is this something to laugh about?

There are enough vulnerable people. At any given time, there are millions of people in the process of learning about the Internet. Not all of them will have a good command of the language in which they received the phishing message. Some of them may respond to the scammers, giving up their account information and telephone number. The perpetrators can then work by VoIP telephony, complete with fake caller ID, making the victim believe that there is urgency, that there is a problem, that the victim should connect to a web site whose address they dictate over the telephone. If the perpetrators do not speak German they can pretend that they work for an outsourced call center, a special security investigation company...you name it.

Here is where the ICANN problem starts.

I saw the Phishing email on December 28, one day after the domain registration of postfinances.com. I sent a Whois Data Problem complaint to http://wdprs.internic.net/.

(Note: compare the elegant domain name used by the bad guys — postfinances.com — to the cryptic domain name used by the good guys for problem reporting.)

The Whois problem reporting system is not only inadequate, it is a mere fig leaf. There is no real abuse reporting tool, there is no credible fast response infrastructure — even though ICANN's budget is higher than that of Interpol.

I added a note to Whois Data Problem report, saying that this was a manifest case of phishing and that the domain should be suspended immediately. I copied the phishing email into the comment box, as further proof. The ICANN system sent me confirmation — without my explanatory comments. I am not sure if the registrar of the postfinances.com domain received my comments through the ICANN system.

When I came back to the office on January 2, 2013, the domain was unchanged. The next day I sent a problem report to http://www.melani.admin.ch/index.html?lang=en — the Swiss government security response team. I even tried to call the person in charge of domain names at the Swiss Post. It is understandable that he is on vacation at this time of the year — just as it is understandable that the phishing perpetrators selected this time of the year for their scam.

At the time of writing, the domain name is still unchanged, and the email sent to it still goes to mx.postfinances.com.cust.b.hostedemail.com.

How many people have suffered damage? How many more people will suffer damage if the domain remains active, along with the email forwarding? Difficult to say, but for some time the likelihood of harm grows with each day. Does it make sense for fraud inspectors to keep the abusive domain name alive to track the perpetrators? I doubt it.

The sad thing is that humble, hardworking people are particularly threatened by this sort of scam. Imagine a migrant worker, struggling in the local language, with no time to learn about Internet governance (or about the lack of it).

But it is worse.

Well-deserved consumer confidence in electronic commerce and payments is a necessity. Jobs and economic growth depend on it. Negligence in the combat of scams does enormous harm. The social cost of lost confidence is a million times more than the money stolen by the scammers.

Now let us take a closer look and compare it with ICANN news.

Two new gTLD applications stand out that could (or should) help with the anti-phishing challenge. One of them is ".bank" — I mean the community-based one applied for by the banks. The other is ".banque" (in French), applied for by French banks.

These are TLDs that can facilitate special processing by MTAs, email client software, spam filters, web browsers and search engines on the basis of published usage policies. They can allow machine-based compliance verification of policies. Those policies can formally be associated with TLDs whose role is easy to understand for all people. In other words, these TLDs have the power to establish the same link between technology and the human mind, just as standardized coins or paper currency do with systematic security features.

ATMs, banknote checking/counting machines and vending machines help us deal with the standardized currency. We recognize the same currency with our eyes and touch it with our hands. That is a great achievement. Or does anyone want to go back to randomly shaped lumps of metal?

Software combined with responsibly managed financial domain names can do the same. Or do we prefer to laugh at people who have trouble telling the difference between postfinance.ch and postfinances.com?

True, both the community-based .bank and the .banque application are a bit confused. But they are not more confused than ICANN as a whole. ICANN's disorientation is the main reason why many of the gTLD applications are so unclear, or even full of errors and contradictions.

The .bank and .banque TLDs can be set up correctly. They can radically improve security and productivity of on-line financial transactions. It should have been done years ago.

But there is ICANN's way — our way — of managing urgent tasks.

No reaction in 7 days to a report on a scam domain — that is NOT the worst problem. The problem is that no better reporting system is in place. (Yes, we have talked about domain abuse for 10 years.) The next problem is that the new gTLD program, through which urgently needed security improvements should be possible, has been delayed for years. It has also been mismanaged. And now it is managed randomly, literally, by way of a Draw.

Is this all that we, the Internet experts, have to offer?

By Werner Staub




you'd have been better off submitting to one of the public phish url repositories

Suresh Ramasubramanian – Jan 05, 2013 8:03 PM PDT

Like phishtank, say. ICANN doesn't get into enforcement on individual domains - and the registrar of that domain - tucows - are quite proactive on abuse, plus it's hosted on their servers, so they will respond. Did you try to contact the registrar?
