gov.uk paperwork

InformationFreedom
August 9, 2019

[Edit: Removed accusation of non UK hosting – thank you to Richard Mortimer & Philipp Edelmann for pointing out I had incorrectly looked up the domain “householdresponce.com” in place of  “householdresponse.com”.  Learn to spell…]

I live in England. The government keeps an Electoral Roll, a list of people registered to vote. This list needs to be maintained, so once a year we are required to update the database. To make sure we don’t forget, we get sent a handy letter through the door looking like this:

Is it a scam?

Well that’s the first page anyway.   Correctly addressed to the “Current Occupier”.   So why am I posting about this?

Phishing emails land in our inbox all the time (hopefully only a few, because our spam filters eat the rest). These are unsolicited emails trying to trick us into doing something. Usually they look like something official and warn us about something that we should take action about, for example an email that looks like it has come from your bank warning about suspicious activity in your account. They then ask you to follow a link to the ‘bank’s website’ where you can log in and confirm if the activity is genuine, obviously taking you through a ‘man in the middle’ website that harvests your account credentials.

The government is justifiably concerned about this (as too are banks and other businesses that are impersonated in this way) and so runs media campaigns to educate the public about the dangers of such scams and what to look out for.

So back to the “Household Enquiry” form…

How do I know that this is genuine? Well, I don’t. I can’t easily verify the letter and I can’t be sure who sent it. It arrived through my letterbox unbidden, and even if I was expecting it, wouldn’t the perfect time to send such a scam letter be at the same time genuine letters are being distributed?

All I can do is read the letter carefully and apply the same rational tests that I would to any unsolicited (e)mail.

1) Does it claim to come from a source I would have dealings with? (Bulk mailing is so cheap that sending to huge numbers of people is still effective even if most of the recipients will know it is a scam because they wouldn’t have dealings with the alleged sender.) Yes, it claims to have been sent by South Cambridge District Council, and they are my county council and would send me this letter.

2) Do all the communication links point to the sender? No. Stop, this is probably a scam.

 

Alarm bells should now be ringing: their preferred method of communication is for me to visit the website www.householdresponse.com/southcambs. Sure, they have a gov.uk website mentioned, they claim to be South Cambridgeshire District Council and they have an email address elections@scambs.gov.uk, but all the fake emails claiming to come from my bank look like they come from my bank as well. The only thing that doesn’t is the link they want you to follow. Just like this letter…

OK, time for a bit of detective work.
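The test in point 2, written out as an added example (not part of the original post): it pulls every link and e-mail address out of a piece of text and checks whether each host sits under the claimed sender's domain or under gov.uk. The letter text is a constructed sample built from the addresses quoted above, and the example.com hosts in the comments are made-up lookalikes.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the contact points quoted in the post, laid out as letter text.
LETTER = """\
Respond online at www.householdresponse.com/southcambs
Questions: elections@scambs.gov.uk
Privacy notice: https://www.scambs.gov.uk/privacynotice
"""

# URLs (with scheme or bare www.) and e-mail addresses.
TOKEN = re.compile(r"(?:https?://|www\.)[^\s<>\"']+|[\w.+-]+@[\w.-]+\.\w+", re.I)

def host_of(token):
    """Return the lower-cased host of a URL or e-mail address."""
    token = token.rstrip(".,;:)")            # drop sentence punctuation
    if "://" not in token:
        token = "http://" + token            # bare link or address: add a scheme
    # urlsplit treats anything before '@' as userinfo, so an e-mail address and a
    # 'https://scambs.gov.uk@example.com/' trick both yield the real host.
    return (urlsplit(token).hostname or "").rstrip(".")

def under(host, suffix):
    """True only for suffix itself or a subdomain of it (match on a label boundary)."""
    return host == suffix or host.endswith("." + suffix)

def audit(text, sender="scambs.gov.uk", trusted=("gov.uk",)):
    """Classify each link/address in text as sender, trusted-suffix or off-domain."""
    results = []
    for token in TOKEN.findall(text):
        host = host_of(token)
        if under(host, sender):
            verdict = "sender"
        elif any(under(host, t) for t in trusted):
            verdict = "trusted-suffix"
        else:
            # also catches scambs.gov.uk.example.com and www.notgov.uk
            verdict = "off-domain"
        results.append((host, verdict))
    return results

if __name__ == "__main__":
    for host, verdict in audit(LETTER):
        print(f"{verdict:15} {host}")
```

An off-domain result only says the link fails the test; as the rest of the post shows, it still takes a check through an independent channel to find out whether the letter is genuine.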

:~$whois householdresponse.com
 Domain Name: HOUSEHOLDRESPONSE.COM
 Registry Domain ID: 2036860356_DOMAIN_COM-VRSN
 Registrar WHOIS Server: whois.easyspace.com
 Registrar URL: http://www.easyspace.com
 Updated Date: 2018-05-23T05:56:38Z
 Creation Date: 2016-06-22T09:24:15Z
 Registry Expiry Date: 2020-06-22T09:24:15Z
 Registrar: EASYSPACE LIMITED
 Registrar IANA ID: 79
 Registrar Abuse Contact Email: abuse@easyspace.com
 Registrar Abuse Contact Phone: +44.3707555066
 Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
 Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
 Name Server: NS1.NAMECITY.COM
 Name Server: NS2.NAMECITY.COM
 DNSSEC: unsigned
 URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2019-08-09T17:05:57Z <<<
<snip>

Really? Just a hosting company’s details for a domain claiming to be from local government?

:~$nslookup householdresponse.com
<snip>
Name: householdresponse.com
Address: 62.25.101.164

:~$ whois 62.25.101.164
<snip>
% Information related to '62.25.64.0 - 62.25.255.255'

% Abuse contact for '62.25.64.0 - 62.25.255.255' is 'ipabuse@vodafone.co.uk'

inetnum: 62.25.64.0 - 62.25.255.255
netname: UK-VODAFONE-WORLDWIDE-20000329
country: GB
org: ORG-VL225-RIPE
admin-c: GNOC4-RIPE
tech-c: GNOC4-RIPE
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-by: VODAFONE-WORLDWIDE-MNTNER
mnt-lower: VODAFONE-WORLDWIDE-MNTNER
mnt-domains: VODAFONE-WORLDWIDE-MNTNER
mnt-routes: VODAFONE-WORLDWIDE-MNTNER
created: 2017-10-18T09:50:20Z
last-modified: 2017-10-18T09:50:20Z
source: RIPE # Filtered

organisation: ORG-VL225-RIPE
org-name: Vodafone Limited
org-type: LIR
address: Vodafone House, The Connection
address: RG14 2FN
address: Newbury
address: UNITED KINGDOM
phone: +44 1635 33251
admin-c: GSOC-RIPE
tech-c: GSOC-RIPE
abuse-c: AR40377-RIPE
mnt-ref: CW-EUROPE-GSOC
mnt-by: RIPE-NCC-HM-MNT
mnt-by: CW-EUROPE-GSOC
created: 2017-05-11T14:35:11Z
last-modified: 2018-01-03T15:48:36Z
source: RIPE # Filtered

role: Cable and Wireless IP GNOC Munich
remarks: Cable&Wireless Worldwide Hostmaster
address: Smale House
address: London SE1
address: UK
admin-c: DOM12-RIPE
admin-c: DS3356-RIPE
admin-c: EJ343-RIPE
admin-c: FM1414-RIPE
admin-c: MB4
tech-c: AB14382-RIPE
tech-c: MG10145-RIPE
tech-c: DOM12-RIPE
tech-c: JO361-RIPE
tech-c: DS3356-RIPE
tech-c: SA79-RIPE
tech-c: EJ343-RIPE
tech-c: MB4
tech-c: FM1414-RIPE
abuse-mailbox: ipabuse@vodafone.co.uk
nic-hdl: GNOC4-RIPE
mnt-by: CW-EUROPE-GSOC
created: 2004-02-03T16:44:58Z
last-modified: 2017-05-25T12:03:34Z
source: RIPE # Filtered

% Information related to '62.25.64.0/18AS1273'

route: 62.25.64.0/18
descr: Vodafone Hosting
origin: AS1273
mnt-by: ENERGIS-MNT
created: 2019-02-28T08:50:03Z
last-modified: 2019-02-28T08:57:04Z
source: RIPE

% Information related to '62.25.64.0/18AS2529'

route: 62.25.64.0/18
descr: Energis UK
origin: AS2529
mnt-by: ENERGIS-MNT
created: 2014-03-26T16:21:40Z
last-modified: 2014-03-26T16:21:40Z
source: RIPE

Is this a scam…
I only wish it was :-(

A quick search of https://www.scambs.gov.uk/elections/electoral-registration-faqs/ and the very first thing on the webpage is a link to www.householdresponse.com/southcambs…

A phone call to the council, just to confirm that they haven’t been hacked, and I am told yes, this is for real.

OK, let’s look at the Privacy statement (on the same letter)

Right a link to a uk gov website… https://www.scambs.gov.uk/privacynotice

A copy of this page as of 2019-08-09, because websites have a habit of changing, can be found here
http://koipond.org.uk/photo/Screenshot_2019-08-09_CustomerPrivacyNotice.png

[Edit
I originally thought that this was being hosted outside the UK (on a US-based server) which would be outside of GDPR. I am still pissed off that this looks and feels ‘spammy’ and that the site is being hosted outside of a gov.uk based server, but this is not the righteous rage that I previously felt]

Summary Of Issue

  1. UK Government, District and Local Councils should be an exemplar of best practice.  Any correspondence from any part of UK government should only use websites within the subdomain gov.uk  (fraud prevention)

Actions taken

  • 2019-08-09
    • I spoke with South Cambridgeshire District Council and confirmed that this was genuine
    • Spoke with South Cambridgeshire District Council Electoral Services Team and made them aware of both issues (and sent follow up email)
    • Spoke with the ICO and asked for advice. They will take up the issue if South Cambs do not resolve this within 20 working days.
    • Spoken again with ICO – even though I had mistakenly believed this was being hosted outside UK and this is not the case, they are still interested in pushing for a move to a .gov.uk domain