[Edit: Removed accusation of non UK hosting – thank you to Richard Mortimer & Philipp Edelmann for pointing out I had incorrectly looked up the domain “householdresponce.com” in place of “householdresponse.com”. Learn to spell…]
I live in England, where the government keeps an Electoral Roll, a list of people registered to vote. This list needs to be maintained, so once a year we are required to update the database. To make sure we don’t forget, we get sent a handy letter through the door looking like this:
Well that’s the first page anyway. Correctly addressed to the “Current Occupier”. So why am I posting about this?
Phishing emails land in our inbox all the time (hopefully only a few, because our spam filters eat the rest). These are unsolicited emails trying to trick us into doing something. Usually they look like something official and warn us about something that we should take action on. For example, an email that looks like it has come from your bank warns about suspicious activity in your account, then asks you to follow a link to the ‘bank’s website’ where you can log in and confirm if the activity is genuine – obviously taking you through a ‘man in the middle’ website that harvests your account credentials.
The government is justifiably concerned about this (as too are banks and other businesses that are impersonated in this way) and so runs media campaigns to educate the public about the dangers of such scams and what to look out for.
So back to the “Household Enquiry” form…
How do I know that this is genuine? Well, I don’t. I can’t easily verify the letter and I can’t be sure who sent it. It arrived through my letterbox unbidden, and even if I was expecting it, wouldn’t the perfect time to send such a scam letter be at the same time genuine letters are being distributed?
All I can do is read the letter carefully and apply the same rational tests that I would to any unsolicited (e)mail.
1) Does it claim to come from a source I would have dealings with? (Bulk mailing is so cheap that sending to huge numbers of people is still effective even if most of the recipients will know it is a scam because they wouldn’t have dealings with the alleged sender.) Yes, it claims to have been sent by South Cambridge District Council, and they are my county council and would send me this letter.
2) Do all the communication links point to the sender? No. Stop, this is probably a scam.
Alarm bells should now be ringing – their preferred method of communication is for me to visit the website www.householdresponse.com/southcambs. Sure, they have a gov.uk website mentioned, they claim to be South Cambridgeshire District Council and they have an email address firstname.lastname@example.org, but all the fake emails claiming to come from my bank look like they come from my bank as well – the only thing that doesn’t is the link they want you to follow. Just like this letter….
OK, time for a bit of detective work.
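Test 2 can be done mechanically. The following is an added example, not part of the original post: it pulls every web and email host out of a message and reports those that are not the claimed sender's domain or a subdomain of it. The function names and the letter text (including the email address) are constructed for illustration.

```python
import re

# Domain-looking tokens: optional scheme, dotted labels, then a delimiter.
# This also picks up the host part of an email address (the text after "@").
HOST_RE = re.compile(
    r"\b(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?=\.?(?:[/:\s,;)>]|$))",
    re.IGNORECASE,
)

def hosts_in(text):
    """Return every host named in the text, lower-cased, in order of appearance."""
    return [m.group(1).lower() for m in HOST_RE.finditer(text)]

def within(host, domain):
    """True if host is the domain itself or a subdomain of it.

    The comparison is on whole labels, so 'notgov.uk' and
    'scambs.gov.uk.example.com' do not count as being inside 'gov.uk'.
    """
    host = host.lower().rstrip(".")
    domain = domain.lower().strip(".")
    return host == domain or host.endswith("." + domain)

def check_letter(text, sender_domain):
    """Return the hosts in the text that fall outside the sender's domain."""
    outside = []
    for host in hosts_in(text):
        if not within(host, sender_domain) and host not in outside:
            outside.append(host)
    return outside

# Constructed sample modelled on the letter described above.
LETTER = """
South Cambridgeshire District Council   www.scambs.gov.uk
Respond online at www.householdresponse.com/southcambs
Questions: someone@scambs.gov.uk
Privacy notice: https://www.scambs.gov.uk/privacynotice
"""

if __name__ == "__main__":
    for host in check_letter(LETTER, "scambs.gov.uk"):
        print("link does not point to the sender:", host)
```
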
```
:~$ whois householdresponse.com
Domain Name: HOUSEHOLDRESPONSE.COM
Registry Domain ID: 2036860356_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.easyspace.com
Registrar URL: http://www.easyspace.com
Updated Date: 2018-05-23T05:56:38Z
Creation Date: 2016-06-22T09:24:15Z
Registry Expiry Date: 2020-06-22T09:24:15Z
Registrar: EASYSPACE LIMITED
Registrar IANA ID: 79
Registrar Abuse Contact Email: email@example.com
Registrar Abuse Contact Phone: +44.3707555066
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Name Server: NS1.NAMECITY.COM
Name Server: NS2.NAMECITY.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2019-08-09T17:05:57Z <<<
<snip>
```
Really? Just a hosting company’s details for a domain claiming to be from local government?
```
:~$ nslookup householdresponse.com
<snip>
Name: householdresponse.com
Address: 220.127.116.11
:~$ whois 18.104.22.168
<snip>
% Information related to '22.214.171.124 - 126.96.36.199'
% Abuse contact for '188.8.131.52 - 184.108.40.206' is 'firstname.lastname@example.org'
inetnum: 220.127.116.11 - 18.104.22.168
netname: UK-VODAFONE-WORLDWIDE-20000329
country: GB
org: ORG-VL225-RIPE
admin-c: GNOC4-RIPE
tech-c: GNOC4-RIPE
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-by: VODAFONE-WORLDWIDE-MNTNER
mnt-lower: VODAFONE-WORLDWIDE-MNTNER
mnt-domains: VODAFONE-WORLDWIDE-MNTNER
mnt-routes: VODAFONE-WORLDWIDE-MNTNER
created: 2017-10-18T09:50:20Z
last-modified: 2017-10-18T09:50:20Z
source: RIPE # Filtered

organisation: ORG-VL225-RIPE
org-name: Vodafone Limited
org-type: LIR
address: Vodafone House, The Connection
address: RG14 2FN
address: Newbury
address: UNITED KINGDOM
phone: +44 1635 33251
admin-c: GSOC-RIPE
tech-c: GSOC-RIPE
abuse-c: AR40377-RIPE
mnt-ref: CW-EUROPE-GSOC
mnt-by: RIPE-NCC-HM-MNT
mnt-by: CW-EUROPE-GSOC
created: 2017-05-11T14:35:11Z
last-modified: 2018-01-03T15:48:36Z
source: RIPE # Filtered

role: Cable and Wireless IP GNOC Munich
remarks: Cable&Wireless Worldwide Hostmaster
address: Smale House
address: London SE1
address: UK
admin-c: DOM12-RIPE
admin-c: DS3356-RIPE
admin-c: EJ343-RIPE
admin-c: FM1414-RIPE
admin-c: MB4
tech-c: AB14382-RIPE
tech-c: MG10145-RIPE
tech-c: DOM12-RIPE
tech-c: JO361-RIPE
tech-c: DS3356-RIPE
tech-c: SA79-RIPE
tech-c: EJ343-RIPE
tech-c: MB4
tech-c: FM1414-RIPE
abuse-mailbox: email@example.com
nic-hdl: GNOC4-RIPE
mnt-by: CW-EUROPE-GSOC
created: 2004-02-03T16:44:58Z
last-modified: 2017-05-25T12:03:34Z
source: RIPE # Filtered

% Information related to '22.214.171.124/18AS1273'
route: 126.96.36.199/18
descr: Vodafone Hosting
origin: AS1273
mnt-by: ENERGIS-MNT
created: 2019-02-28T08:50:03Z
last-modified: 2019-02-28T08:57:04Z
source: RIPE

% Information related to '188.8.131.52/18AS2529'
route: 184.108.40.206/18
descr: Energis UK
origin: AS2529
mnt-by: ENERGIS-MNT
created: 2014-03-26T16:21:40Z
last-modified: 2014-03-26T16:21:40Z
source: RIPE
```
Is this a scam…
I only wish it was :-(
A quick search of https://www.scambs.gov.uk/elections/electoral-registration-faqs/ and the very first thing on the webpage is a link to www.householdresponse.com/southcambs…
A phone call to the council, just to confirm that they haven’t been hacked, and I am told yes, this is for real.
OK, let’s look at the privacy statement (on the same letter).
Right, a link to a UK gov website… https://www.scambs.gov.uk/privacynotice
A copy of this page as of 2019-08-09, because websites have a habit of changing, can be found here
[I originally thought that this was being hosted outside the UK (on a US based server), which would be outside of GDPR. I am still pissed off that this looks and feels ‘spammy’ and that the site is being hosted outside of a gov.uk based server, but this is not the righteous rage that I previously felt]
Summary Of Issue
- UK Government, District and Local Councils should be an exemplar of best practice. Any correspondence from any part of UK government should only use websites within the subdomain gov.uk (fraud prevention)
- I spoke with South Cambridgeshire District Council and confirmed that this was genuine
- Spoke with South Cambridgeshire District Council Electoral Services Team and made them aware of both issues (and sent follow up email)
- Spoke with the ICO and asked for advice. They will take up the issue if South Cambs do not resolve this within 20 working days.
- Spoken again with ICO – even though I had mistakenly believed this was being hosted outside UK and this is not the case, they are still interested in pushing for a move to a .gov.uk domain