[SCAM ALERT 046] – Colonna Coffee

In 2009, Maxwell & Lesley opened the destination coffee shop Colonna & Small’s in Bath, UK. The shop was dedicated to showcasing the most exceptional coffees in a space built to engage a conversation around coffee.

During our PreCrime internet scout of September 29th 2022 we identified suspicious markers across multiple vectors. One of those was this website spoof that could be targeting unsuspecting Colonna Coffee customers.

The Attack

Target:

Colonna Coffee customers.

Possible threats:

  • Credential harvesting and financial gain – After luring users to the site
  • they will be asked to expose their personal information (username, password, bank details).
  • Fake product – selling a replica of the original product and likely never sending the ordered product to the customer.
  • Malware – by infecting a victims devices with malicious software for various purposes.
Malicious site : 98ndtmpi[.]top / Legitimate site : colonnacoffee[.]com

Technical Breakdown

Threat Indicators

  • Malicious domain impersonating Colonna Coffee.
  • Newly registered site – August 28 2022
  • SSL certificate expires after three months

Detection and Threat Analysis

The malicious domain, 98ndtmpi.top has been targeting Colonna Coffee (http://colonnacoffee.com/), an internationally recognised roastery launched in 2015. The malicious domain was created August 28 2022 and detected by bfore.ai 19 September 2022.

  • The malicious domain shows a replica of the original website. Several differences can be identified, most clearly at the checkout where the legitimate site has more payment options. Additionally, Bfore.ai analysts found that the payment link on the malicious site was failing, but started working on September 19 2022.
Malicious site
Legit site

Graph

VirusTotal Graph

  • The registered SSL certificates expire after three months and are issued by a non-trusted certificate issuer (Let’s Encrypt), indicating malicious intent.
  • The IP addresses have malicious traffic with .EXE, .HTML. and .APK malicious files.

WhoIs Record

Domain http://98ndtmpi.top/
Registrant Organisation Zhang Xiang Jun
Registrant Country Hei Long Jiang, China
Registrar Alibaba Cloud Computing Ltd
Registrar IANA ID 1599
Domain Creation and Expiration Created on 2022-08-28
Expires on 2023-08-28
Updated on 2022-08-28
Certificate Let’s Encrypt.

28-08-2022 → 26-11-2022

Valid for 3 months

Name Servers APRIL.NS.CLOUDFLARE.COM
VICENTE.NS.CLOUDFLARE.COM
MX record N/A
Last seen active 20 September 2022

IP address

IP 104.21.6.110

172.67.134.191

Address San Francisco, California, United States
ASN AS13335 Cloudflare, Inc.

How Bfore.Ai is protecting our customers

At Bfore.Ai, we work daily to ensure these phishing attacks get stopped before even reaching their targets. We are here to make your internet journey safer than it has ever been.

With more than 30K new malicious indicators per day we got you covered no matter where the attack comes from. Only 0.05% false positive rate, stop wasting time in false alerts chasing. By launching our PreCrime and PreEmpt technologies, we measure our anticipation from an attack starting, faster than attackers.

Accepting that the only defense is good detection, is accepting to be forever a victim. We believe in prevention more than response. Visit our website for more information !

Bfore.Ai’s recommendations

Every day, adversarial tactics become more collaborative, technologically advanced, and rapid – and at this rate, you simply can’t afford to wait for the next attack before you react. Here are some recommendations from our team :

  • Pay close attention to the URL
  • Check connection security indicators (the lock)
  • Read emails carefully
  • Look for trust seals

Appendix

This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses be exploited to compromise data.

Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Bfore.Ai) is ultimately responsible for assessing and meeting Client’s own compliance responsibilities. This report does not constitute a guarantee or assurance of Client’s compliance with any law, regulation or standard.