Lately I have received several messages asking me to pay for FasTrak usage. A look at the sender (a personal Hotmail address) and the odd FQDN (`thetollroads.com-q23r.sbs`, whose registrable domain is really `com-q23r.sbs`, not `thetollroads.com`) confirms my suspicion that they are scams.
Apple Messages disables hyperlinks from unknown senders, which is good, because many people might otherwise tap the link without a closer look. The ‘scammer workaround’ is described at the bottom of the message.
I got curious about who the scammer is. Below is some digging.
`thetollroads.com-q23r.sbs` no longer resolved by the next day. Perhaps someone reported it and the registrar took it down. I found a more recent scam URL that is still live, `thetollroads.com-je76.cfd`, and captured its WHOIS record below.
The registrar is NameSilo, LLC. The registrant bought NameSilo's Privacy Guardian WHOIS privacy service for the domain, so the owner details are redacted and we can’t find them easily.
An A record lookup returns an IP address in Singapore:
```
% dig @8.8.8.8 thetollroads.com-je76.cfd
;; ANSWER SECTION:
thetollroads.com-je76.cfd. 3603 IN A 43.153.88.254
```
A Google search for the address in the WHOIS record, “16 COLLYER QUAY, # 18–29, INCOME AT RAFFLES, SINGAPORE”, shows ACEVILLE PTE. LTD:
Aceville Pte Ltd … Tencent Cloud is one of the leading cloud service providers in China and focused on developing cloud computing and artificial intelligence
This tallies with the abuse mailbox in the same record, so the scam website is hosted on Tencent Cloud.
I inspected the TLS certificate it uses:
```
% openssl s_client -connect thetollroads.com-je76.cfd:443 </dev/null 2>/dev/null | openssl x509 -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:a0:d9:9f:ee:74:0b:52:f8:2c:21:6d:0b:ce:2f:97:b6:3f
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = R10
        Validity
            Not Before: Jan 13 13:19:43 2025 GMT
            Not After : Apr 13 13:19:42 2025 GMT
        Subject: CN = thetollroads.com-9og3.sbs
        X509v3 Subject Alternative Name:
            DNS:thetollroads.com-09bt.sbs, DNS:thetollroads.com-0ip3.cfd, DNS:thetollroads.com-0m3f.sbs, DNS:thetollroads.com-1n3k.sbs, DNS:thetollroads.com-2hq3.sbs, DNS:thetollroads.com-3ae6.sbs, DNS:thetollroads.com-3z7d.sbs, DNS:thetollroads.com-45l9.cfd, DNS:thetollroads.com-46m1.cfd, DNS:thetollroads.com-58qu.sbs, DNS:thetollroads.com-5go3.sbs, DNS:thetollroads.com-5n0t.sbs, DNS:thetollroads.com-5v3b.sbs, DNS:thetollroads.com-5ycg.cfd, DNS:thetollroads.com-6jqh.cfd, DNS:thetollroads.com-6mun.sbs, DNS:thetollroads.com-78s1.sbs, DNS:thetollroads.com-8e6g.sbs, DNS:thetollroads.com-8h2q.cfd, DNS:thetollroads.com-8qb6.sbs, DNS:thetollroads.com-8w4x.sbs, DNS:thetollroads.com-9li6.sbs, DNS:thetollroads.com-9og3.sbs, DNS:thetollroads.com-9qj3.sbs, DNS:thetollroads.com-ap57.sbs, DNS:thetollroads.com-b95g.sbs, DNS:thetollroads.com-cd8y.cfd, DNS:thetollroads.com-cql5.sbs, DNS:thetollroads.com-e5q4.cfd, DNS:thetollroads.com-f4ew.sbs, DNS:thetollroads.com-f8s4.sbs, DNS:thetollroads.com-gt79.cfd, DNS:thetollroads.com-h8xw.cfd, DNS:thetollroads.com-hh67.cfd, DNS:thetollroads.com-i2bv.sbs, DNS:thetollroads.com-j40q.sbs, DNS:thetollroads.com-je76.cfd, DNS:thetollroads.com-ji04.sbs, DNS:thetollroads.com-n99y.cfd, DNS:thetollroads.com-nkp5.sbs, DNS:thetollroads.com-p13q.sbs, DNS:thetollroads.com-pa05.sbs, DNS:thetollroads.com-pmk8.cfd, DNS:thetollroads.com-q23r.sbs, DNS:thetollroads.com-qod5.sbs, DNS:thetollroads.com-r9k8.sbs, DNS:thetollroads.com-s1t2.sbs, DNS:thetollroads.com-s208.sbs, DNS:thetollroads.com-s5y2.sbs, DNS:thetollroads.com-t0n8.sbs, DNS:thetollroads.com-u7ge.cfd, DNS:thetollroads.com-uv20.sbs, DNS:thetollroads.com-w9u6.sbs, DNS:thetollroads.com-y3u8.sbs, DNS:thetollroads.com-y3vf.cfd, DNS:thetollroads.com-yc84.sbs, DNS:thetollroads.com-z5vi.cfd, DNS:thetollroads.com-z8r4.sbs, DNS:thetollroads.com-ze6v.sbs
```
The certificate is issued by Let’s Encrypt, as expected. The subject CN (`thetollroads.com-9og3.sbs`) does not match the hostname I connected to, but that on its own is not a problem: browsers validate the hostname against the SAN list, not the CN, and one certificate covering many names is normal. The real tell is the SAN list itself: 59 sibling lookalikes, all of the form `thetollroads.com-<4 chars>.sbs` or `.cfd`, issued on one certificate. That is the scammer’s whole domain inventory (including the `q23r` and `je76` names from the messages) handed over in a single TLS handshake.
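The two checks that did the work here, worked out as an added example (this is my code, not anything from the original post): what the registrable domain of a lookalike hostname actually is, and how many siblings a single certificate's SAN list reveals. The brand list is hand-picked for this case, `registrable_domain()` uses a naive "last two labels" rule rather than the Public Suffix List, and `SAN_SAMPLE` is a subset of the names from the certificate above.

```python
"""Triage lookalike hostnames such as thetollroads.com-je76.cfd.

Added example, not code from the original post. Two checks a responder can
run on the SANs of a suspect certificate or on URLs pulled from a phishing SMS:
  1. what the registrable domain really is, versus what the name looks like;
  2. how many sibling lookalikes one certificate covers, and which TLDs they use.
Assumptions: TOLL_BRANDS is hand-picked for this case, registrable_domain()
takes the last two labels instead of consulting the Public Suffix List, and
SAN_SAMPLE is a subset of the SAN entries in the certificate quoted above.
"""
import re
from collections import Counter

# Subset of the DNS SANs from the Let's Encrypt certificate quoted above.
SAN_SAMPLE = [
    "thetollroads.com-09bt.sbs",
    "thetollroads.com-0ip3.cfd",
    "thetollroads.com-je76.cfd",
    "thetollroads.com-q23r.sbs",
    "thetollroads.com-9og3.sbs",
    "thetollroads.com-ze6v.sbs",
]

# Brand domains the lure tries to resemble (assumption for this case).
TOLL_BRANDS = ["thetollroads.com", "bayareafastrak.org"]

SAN_RE = re.compile(r"DNS:([A-Za-z0-9*.-]+)")
# A well-known TLD immediately followed by '-' inside a label (".com-je76") is
# a common trick to make a throwaway domain read like a legitimate one.
EMBEDDED_TLD_RE = re.compile(r"\.(?:com|net|org|gov|edu)-", re.IGNORECASE)


def parse_san(text):
    """Return the DNS names from an openssl 'Subject Alternative Name' value."""
    return [name.lower() for name in SAN_RE.findall(text)]


def registrable_domain(host):
    """Naive eTLD+1: the last two labels. Fine for .sbs/.cfd, wrong for co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def impersonated_brand(host, brands=TOLL_BRANDS):
    """Return the brand a host mimics, or None if it is the brand or unrelated."""
    host = host.lower().rstrip(".")
    for brand in brands:
        if host == brand or host.endswith("." + brand):
            return None          # genuinely under the brand's own domain
        if brand in host:
            return brand         # brand string present, but not as the real suffix
    return None


def triage(hosts, brands=TOLL_BRANDS):
    """Summarise hostnames: lookalikes, embedded-TLD hits, TLDs in use."""
    lookalikes = {h: impersonated_brand(h, brands) for h in hosts}
    lookalikes = {h: b for h, b in lookalikes.items() if b}
    return {
        "total": len(hosts),
        "lookalikes": lookalikes,
        "embedded_tld": sorted(h for h in hosts if EMBEDDED_TLD_RE.search(h)),
        "tlds": Counter(registrable_domain(h).rsplit(".", 1)[-1] for h in hosts),
    }


if __name__ == "__main__":
    # Rebuild the openssl output format, then parse it back as a responder would.
    san_line = ", ".join("DNS:" + n for n in SAN_SAMPLE)
    summary = triage(parse_san(san_line))
    print(f"{summary['total']} names, {len(summary['lookalikes'])} lookalikes")
    print("TLDs:", dict(summary["tlds"]))
    for host, brand in summary["lookalikes"].items():
        print(f"{host:28} really {registrable_domain(host):14} mimics {brand}")
```

Feeding the full SAN line from the certificate into `parse_san()` and then `triage()` gives the inventory of all 59 names; swapping the Public Suffix List into `registrable_domain()` is the one change needed before pointing it at arbitrary hostnames.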
In my sandbox, I tried poking at the scammer website to see how much effort went into pretending to be a FasTrak payment site, but the index page returned an HTTP 500 error. Oh well, apparently not very invested. It’s getting late; I’ll pick this up with another of the messages next time.