Home / Blogs

Follow a Phishing Case in Real Time: postfinances.com / Swiss Post

It is just another phishing case. Why should I care? I happened to receive my own copy of the phishing email message. Most Internet users will just smile bitterly before deleting it.

I checked it to see why it had gone through the spam filters. It had no URL in the text but a reply-to address. So it needed a valid domain name, and had one: postfinances.com.

PostFinance (without trailing “s”) is the payment system of the Swiss Post. It has millions of users.

The domain postfinances.com had been registered a day before my receipt of the phishing email, through a Canadian registrar:

Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 27-dec-2012
Creation Date: 27-dec-2012
Expiration Date: 27-dec-2013

The domain holder (falsely) shown on the Whois is Vistaprint, an international online services company. There is an MX record pointing to:


The Phishing message itself is not convincing. The copy I received is written in bad machine-translated German. I suppose French and Italian versions have been sent too. It is the classic false alert about “account information update” targeting users of an electronic payment system. It asks the recipient to answer with account information and telephone number, promising that the support team will then contact the account holder by telephone.

Can we simply dismiss this as a clumsy attempt at phishing?

It is not that clumsy. The Swiss Post giro accounts are extremely popular. Almost everyone in Switzerland has a postal account. So any user with an email address ending in .ch is likely to have a postal account and to have electronic access to it. In this respect, the phishing perpetrators are smart.

Now the domain name. The real thing is http://www.postfinance.ch. The plural of the word “finance” is frequently used, especially in the sense of personal finance. Addresses ending in .com are frequent for large Swiss companies. So postfinances.com sounds very credible. In this respect, the phishing perpetrators are almost elegant.

Now the style of the email, the bad German, the almost humoristic notice on the bottom of the message:

“This message was sent using IMP, the Internet Messaging Program.”

That notice was left in English. Even that had a role: it filtered out the educated victims, leaving only the vulnerable people.

Is this something to laugh about?

There are enough vulnerable people. At any given time, there are millions of people in the process of learning about the Internet. Not all of them will have a good command of the language in which they received the Phishing message. Some of them may respond to the scammers, giving up their account information and telephone number. The perpetrators can then work by VOIP telephony, complete with fake caller ID, making the victim believe that there is urgency, that there is a problem, that the victim should connect to a web site whose address they dictate over the telephone. If the perpetrators do not speak German they can pretend that they work for an outsourced call center, a special security investigation company…you name it.

Here is where the ICANN problem starts.

I saw the Phishing email on December 28, one day after the domain registration of postfinances.com. I sent a Whois Data Problem complaint to http://wdprs.internic.net/.

(Note: compare the elegant domain name used by the bad guys—postfinances.com—to the cryptic domain name used by the good guys for problem reporting.)

The Whois problem reporting system is not only inadequate, it is a mere fig leaf. There is no real abuse reporting tool, there is no credible fast response infrastructure—even though ICANN’s budget is higher than that of Interpol.

I added a note to Whois Data Problem report, saying that this was a manifest case of phishing and that the domain should be suspended immediately. I copied the phishing email into the comment box, as further proof. The ICANN system sent me confirmation—without my explanatory comments. I am not sure if the registrar of the postfinances.com domain received my comments through the ICANN system.

When I came back to the office on January 2, 2013, the domain was unchanged. The next day I sent a problem report to the http://www.melani.admin.ch/index.html?lang=en—the Swiss government security response team. I even tried to call the person in charge of domain names at the Swiss Post. It is understandable that he is on vacation as this time of the year—just as it is understandable the phishing perpetrators selected this time of the year for their scam.

At the time of writing, the domain name is still unchanged, and the email sent to it still goes to mx.postfinances.com.cust.b.hostedemail.com.

How many people have suffered damage? How many more people will suffer damage if the domain remains active, along with the email forwarding? Difficult to say, but for some time the likelihood of harm grows with each day. Does it make sense for fraud inspectors to keep the abusive domain name alive to track the perpetrators? I doubt it.

The sad thing is that humble, hardworking people are particularly threatened by this sort of scam. Imagine a migrant worker, struggling in the local language, with no time to learn about Internet governance (or about the lack of it).

But it is worse.

Well-deserved consumer confidence in electronic commerce and payments is a necessity. Jobs and economic growth depend on it. Negligence in the combat of scams does enormous harm. The social cost of lost confidence is a million times more than the money stolen by the scammers.

Now let us take a closer look and compare it with ICANN news.

Two new gTLD applications stand out that could (or should) help with the anti-phishing challenge. One of them is “.bank”—I mean the community-based one applied for by the banks. The other is “.banque” (in French), applied for by French banks.

These are TLDs that can facilitate special processing by MTAs, email client software, spam filters, web browsers and search engines on the basis of published usage policies. They can allow machine-based compliance verification of policies. Those policies can formally be associated with TLDs whose role is easy to understand for all people. In other words, these TLDs have the power to establish the same link between technology and the human mind, just as standardized coins or paper currency do with systematic security features.

ATMs, banknote checking/counting machines and vending machines help us deal with the standardized currency. We recognize the same currency with our eyes and touch it with our hands. That is a great achievement. Or does anyone want to go back to randomly shaped lumps of metal?

Software combined with responsibly managed financial domain names can do the same. Or do we prefer to laugh at people who have trouble telling the difference between postfinance.ch and postfinances.com?

True, both the community-based .bank and the .banque application are a bit confused. But they are not more confused than ICANN as a whole. ICANN’s disorientation is the main reason why many of the gTLD applications are so unclear, or even full of errors and contradictions.

The .bank and .banque TLDs can be set up correctly. They can radically improve security and productivity of on-line financial transactions. It should have been done years ago.

But there is ICANN’s way—our way—of managing urgent tasks.

No reaction in 7 days to a report on a scam domain—that is NOT the worst problem. The problem is that no better reporting system is in place. (Yes, we have talked about domain abuse for 10 years.) The next problem is that new gTLD program, through which urgently needed security improvements should be possible, has been delayed for years. It has also been mismanaged. And now it is managed randomly, literally, by way of a Draw.

Is this all that we, the Internet experts, have to offer?

Filed Under


you'd have been better off submitting to one of the public phish url repositories Suresh Ramasubramanian  –  Jan 6, 2013 3:03 AM

Like phishtank say.  ICANN doesnt get into enforcement on individual domains - and the registrar of that domain - tucows - are quite proactive on abuse, plus its hosted on their servers, so they will respond.  Did you try to contact the registrar?

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Brand Protection

Sponsored byCSC


Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API

Domain Names

Sponsored byVerisign

New TLDs

Sponsored byRadix

IPv4 Markets

Sponsored byIPv4.Global


Sponsored byDNIB.com