Fake Emails Arriving In Your Inbox

It appears that, in the last few days, would-be cyber criminals have redoubled their efforts to get at your personal information. Either that, or there’s suddenly a whole new group of them who really aren’t very good at it. See below for a recent example. It’s both poorly done and obviously a fake, although it appears well timed, considering the number of holiday packages that did not get delivered as scheduled.


Start with the From address, “uh222843@vs10.ukrdomen.com”. Looking up this domain name, we find it is registered in Ukraine to a Ukrainian hosting company at ukrdomen.com, making vs10.ukrdomen.com a sub-domain of the main domain. Is this in and of itself suspicious? It should be! First, the email claims to be from Costco but doesn’t come from a Costco email address. It is also sent from a sub-domain and, worse, a sub-domain from an area of the world known for being a breeding ground for cyber threats.

Interestingly, it follows up that email address with “on behalf of Costco <manager@hificity.com.ua>”. In this case the address is not on a sub-domain but on a domain in its own right, and it carries a country code, .UA, at the end. .UA is the country code for Ukraine, making it more than clear that this email is not from the American company Costco. Looking up this domain, we learned it is also hosted at the same Ukrainian hosting company.

The last bit of interest comes from the information about the so-called order you placed with Costco. The particular person who provided us this email had not placed any holiday orders with Costco, so rather than a targeted attack, it appears these guys have just cast a wide net, hoping to ensnare anyone who did do business with Costco recently.

As for the location of the form they want you to fill out, it sits at the domain claudia-oechsner.de, which carries the German country code. Looking up this domain name does not provide much information other than its IP address, which is one allocated by RIPE in Europe. Beyond that, it appears the domain name owner has paid extra to keep the details of the registration private, or the authorities, in conjunction with RIPE and the hosting company, may be in the process of taking the site down. There is also the chance that claudia-oechsner.de was a website that was hacked and that the owner of the domain may have nothing to do with the scheme, especially as Claudia Oechsner does appear to be a real person and this may have just been her personal website, one that did not carry enough security to keep it from being hacked and exploited.
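The three checks walked through above (display name versus From domain, the “on behalf of” sender, and where the link really goes) can be automated. The following is an added example, not part of the original post; it assumes the “on behalf of” wording came from a Sender header that differs from From, that costco.com is the company's legitimate domain, and a made-up subject, link path and body text.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: addresses and link host are the ones quoted in the post;
# the Subject, link path and body text are made up for illustration.
SAMPLE = """\
Sender: uh222843@vs10.ukrdomen.com
From: Costco <manager@hificity.com.ua>
Subject: Delivery problem
Content-Type: text/html; charset=utf-8

<p>Your order could not be delivered.
<a href="http://claudia-oechsner.de/form">Fill out this form</a></p>
"""

# Assumption: display name -> domain the real company sends from and links to.
BRAND_DOMAINS = {"costco": "costco.com"}

class LinkHosts(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hosts = []
    def handle_starttag(self, tag, attrs):
        host = urlparse(dict(attrs).get("href") or "").hostname
        if tag == "a" and host:
            self.hosts.append(host.lower())

def in_domain(host, domain):
    # Exact match or a true sub-domain, so a look-alike like notcostco.com fails.
    return host == domain or host.endswith("." + domain)

def check(raw):
    msg = message_from_string(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    sender_addr = parseaddr(msg.get("Sender", ""))[1]
    from_host = from_addr.rpartition("@")[2].lower()
    sender_host = sender_addr.rpartition("@")[2].lower()
    brand = BRAND_DOMAINS.get(name.strip().lower())
    findings = []
    if brand and not in_domain(from_host, brand):
        findings.append(f"display name '{name}' but From domain is {from_host}")
    if sender_host and sender_host != from_host:
        findings.append(f"sent by {sender_host} on behalf of {from_host}")
    links = LinkHosts()
    links.feed(msg.get_payload())
    for host in links.hosts:
        if brand and not in_domain(host, brand):
            findings.append(f"link points to {host}, not {brand}")
    return findings
```

Calling `check(SAMPLE)` returns one finding per mismatch; a message whose From address and links all sit under the brand's own domain returns an empty list.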

Hopefully no one is falling for emails that are clearly out for your money / identity.  If you are ever in doubt about the source of an email, it is ALWAYS better to call the company than to click on any link contained in an email!!!


1 Comment

  1. Sophie Dennis

    If someone desires an expert view on the topic of blogging and site-building, after that I advise him/her to visit this blog. Keep up the nice work.
