Emails try to get you to download file.
A Domain Name Wire reader has received 4 phishing/malware attempts within the past hour, and web searches show that the scam is widespread.
Here’s a copy of one of the phishing emails:
From:
Date: Mon, Oct 26, 2015 at 5:04 PM
Subject: Domain [redacted] Suspension Notice
Dear Sir/Madam,
The following domain names have been suspended for violation of the DYNADOT LLC Abuse Policy:
Domain Name: [domain redacted]
Registrar: DYNADOT LLC
Registrant Name: [name matching whois]
Multiple warnings were sent by DYNADOT LLC Spam and Abuse Department to give you an opportunity to address the complaints we have received.
We did not receive a reply from you to these email warnings so we then attempted to contact you via telephone.
We had no choice but to suspend your domain name when you did not respond to our attempts to contact you.
Click here [LINK] and download a copy of complaints we have received.
Please contact us by email at mailto:abuse@dynadot.com for additional information regarding this notification.
Sincerely,
DYNADOT LLC
Spam and Abuse Department
Abuse Department Hotline: 480-124-0101
Clicking the link in the second-to-last sentence attempts to download a file. The phone number is invalid.
Although all four emails the reader received spoofed Dynadot, apparently other registrars are also being spoofed.
Moniker just sent a notice out to customers reminding them that:
Moniker Online Services LLC. will not send any notices regarding your domains without your account number present within the email. We do not send notices with links to download files regarding your domains. If you are unsure of the validity of your emails please check the email headers to determine the source and return path for the email address. If you are still in doubt, forward any emails you are unsure of to legal@moniker.com if it is a valid email we will notify you properly.
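As an added illustration of the header and link checks Moniker's notice recommends (example code written for this page, not code from Domain Name Wire, Moniker or any registrar), the Python script below parses a raw message, compares the Return-Path and the originating relay against the domain the From header claims, and lists every link host in the body that is not under that domain. Both sample messages are constructed for the example: registrar.example, victim.example, the .invalid hosts and the TEST-NET IP addresses are placeholders, not real infrastructure, and only the body wording follows the template quoted in the article.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the "suspension notice" template quoted above.
# Every host, address and IP is made up (.example / .invalid / TEST-NET ranges).
PHISH_RAW = """\
Return-Path: <bulkmailer@compromised-host.invalid>
Received: from compromised-host.invalid (compromised-host.invalid [203.0.113.7])
\tby mx.registrar.example with ESMTP id 4f2a1c
\tfor <owner@victim.example>; Mon, 26 Oct 2015 17:04:00 -0700
From: Registrar Abuse Department <abuse@registrar.example>
To: owner@victim.example
Subject: Domain victim.example Suspension Notice
Content-Type: text/html; charset=utf-8

<p>Dear Sir/Madam,</p>
<p>The following domain names have been suspended for violation of the Abuse Policy.</p>
<p><a href="http://stats-lookalike.invalid/abuse_report.php?d=victim.example">Click here</a>
and download a copy of complaints we have received.</p>
"""

# Constructed legitimate notice from the same made-up registrar, for comparison.
LEGIT_RAW = """\
Return-Path: <abuse@registrar.example>
Received: from smtp.registrar.example (smtp.registrar.example [198.51.100.9])
\tby mx.victim.example with ESMTP id 9b7d02
\tfor <owner@victim.example>; Mon, 26 Oct 2015 17:10:00 -0700
From: Registrar Abuse Department <abuse@registrar.example>
To: owner@victim.example
Subject: Account 12345: abuse report received
Content-Type: text/html; charset=utf-8

<p>A complaint was filed; review it in your account at
<a href="https://www.registrar.example/account/abuse">our control panel</a>.</p>
"""


def _domain_of(address: str) -> str:
    """Domain part of an e-mail address, lower-cased ('' if none)."""
    _, addr = parseaddr(address or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _same_org(host: str, domain: str) -> bool:
    """True when host is the domain itself or a subdomain of it."""
    return bool(host) and (host == domain or host.endswith("." + domain))


def _originating_relay(msg) -> str:
    """Host named in the bottom-most Received header, i.e. the first hop."""
    received = msg.get_all("Received") or []
    if not received:
        return ""
    first_hop = " ".join(str(received[-1]).split())  # unfold whitespace
    m = re.match(r"from\s+([^\s(]+)", first_hop, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def _link_hosts(body_html: str) -> list:
    """Distinct hostnames referenced by href attributes, in order of appearance."""
    hosts = []
    for href in re.findall(r'href=["\']([^"\']+)["\']', body_html, re.IGNORECASE):
        host = (urlparse(href).hostname or "").lower()
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def analyze_notice(raw: str) -> dict:
    """Compare envelope sender, first relay and link targets with the claimed From domain."""
    msg = message_from_string(raw, policy=policy.default)
    claimed = _domain_of(str(msg.get("From", "")))
    return_path = _domain_of(str(msg.get("Return-Path", "")))
    relay = _originating_relay(msg)
    body = msg.get_body(preferencelist=("html", "plain"))
    links = _link_hosts(body.get_content() if body else "")
    findings = []
    if return_path and not _same_org(return_path, claimed):
        findings.append(f"Return-Path domain {return_path} differs from claimed sender {claimed}")
    if relay and not _same_org(relay, claimed):
        findings.append(f"originating relay {relay} is not under {claimed}")
    for host in links:
        if not _same_org(host, claimed):
            findings.append(f"link points to third-party host {host}")
    return {"claimed_domain": claimed, "return_path_domain": return_path,
            "originating_relay": relay, "link_hosts": links,
            "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for label, raw in (("phish", PHISH_RAW), ("legit", LEGIT_RAW)):
        result = analyze_notice(raw)
        print(label, "->", "SUSPICIOUS" if result["suspicious"] else "ok")
        for finding in result["findings"]:
            print("   ", finding)
```

Run as is, the constructed phishing sample is flagged on all three counts while the constructed legitimate notice passes cleanly. The checks are heuristics rather than proof: a registrar that sends through a third-party mailing provider will trip the Return-Path and relay checks on genuine mail, so a finding is a reason to verify through the registrar's own site or support channel, which is what Moniker's notice asks for.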
Andrew – It appears to be widespread but not sophisticated, e.g. the mailer is spamming an address list that has not been de-duplicated which is why domainers are seeing multiple notices. The host of the phishing site is lanacion.com.ec which is hosted by Hostgator. We have notified Hostgator and are doing a customer notice today.
Thanks Rob. They’re also using the domain name mestats.com, which is forwarding to grandscenter.ru
Received over 50 of them in the past hour.
Which registrar do you use?
Received them from Dynadot and Web.com so far.
Got one for a domain I have at Enom. Looks like it came from China:
Return-Path:
Received: from stu.xjtu.edu.cn
X-EQAUTHUSER: zhhliu@stu.xjtu.edu.cn
Yep, just got one now from enom also –
Return-Path:
Received: from tensai03.tensai.com.uy (exim206.tensai.com.uy. [198.58.98.206])
It’s the same template email used (incredibly enough) for multiple registrars.
I’ve seen 4 registrars so far – all in the last hour.
Received one from “abuse@web.com” today.
Got one “from” abuse@uniregistry.com. My domain name contains numbers and the word “fortune” in it, so I immediately assumed somebody in China was phishing for it.
I’ve gotten quite a few this past hour, the sender’s information is masked with a real address from the registrar.
I alerted Namebright immediately, they are aware.
Make sure you have 2 step authorization enabled and rotate passwords occasionally. Someone may have gained access without your knowledge.
https://twitter.com/DanSanchez/status/658692033167667201
Fabulous, Uniregistry, eNom.
Time to cut china loose railroadingamerica.com
My hunch is everyone who received emails so far was contacted at numeric domains or beginning with the letter “A” ?
“1”, “A”, “B” so far in my case. A dozen or 2 emails and counting. Probably many more to come.
This one caught me off guard also. I did download, however, the file did not open when I attempted to open it and could not. Message was something like the “file extension was not found”. I ran malware software and it did not detect any malware. Is there anything else to do to make sure?
Yes, run a virus scan ASAP! Try “Avast”…it is free and good.
Yeah; I just got one for one of my domains. Upon inspecting the download link, its pointed to another domain. That’s a really big red flag.
Yes, you should ALWAYS hover over the link to see where it’s going. On mobile phones that’s not as easy, but you can usually press and hold the link to see the full URL.
Curious, I noticed the last 2 days ALL of my domains have had traffic even the newer reg’s. Possible it’s related? Names are parked/for sale at DNS.
I am usually careful not to click on links but since these emails were for multiple enom domains that are unused I thought someone might have hijacked them or something and hosted elsewhere sending spam – I had also some other thing on my mind all day and next thing I know I ended up clicking on the links. I had one of them redirected to lanacion.com.eu which shows a hostgator.com suspended page at lanacion.com.eu/cgi-sys/suspendedpage.cgi this one has links to news, horoscope, etc, in the page and is linking to another domain fwdssp.com – I want to know if this is standard hostgator page or another attempt to download some malware. I tried calling hostgator but gave up after holding for almost an hour and also almost after 25 minutes on their chat (guess that goes to show one should run away from hostgator – impossible to get any support).
and another to esdhost.com/cgi-sys/suspendedpage.cgi and another to metastats.com/abusereport.php showing a page not found.
It looks like they were all suspended by their hosts before I got there and hopefully I did not download anything and they are showing standard “suspended page” scripts.
If anyone can confirm that these were suspended domains and standard suspended pages, I would appreciate.
Thanks!
Did anyone receive these emails as if they came from GoDaddy?
I saw a comment from one person saying they got one as if from GoDaddy
Thanks.
Yes, they’ve impersonated GoDaddy along with about a dozen other registrars. Same template every time, from what I’ve seen.
I have not seen any from us yet. I would love it if anyone who has one saying it is us can forward it to me as an attachment. jstyler at godaddy.com I let our security team know about it already but having an email example would be even better.
@Joe Styler,
You’ll get an email from me in 60 seconds.
Thank you Sir
Got one for a dreamhost domain.
Thanks for the mobile phone tip on checking out the full URL of any link. I did not know that, and being tired I let down my guard and clicked the link, and fortunately got a “phishing” warning page. Glad someone got on this to save the careless a lot of grief. Also glad for this posting, the only one that came up on my Google search for “mestats…etc”.
You’re welcome…with more and more people using mobile devices for the web, I hope browser makers make it easier to view the URL being clicked.
The emails continue, now onto “E” domains.
Interestingly, I personally haven’t received a single one addressed to me. I use Uniregistry, eNom and GoDaddy.
Dear Sir/Madam,
The following domain names have been suspended for violation of the FABULOUS.COM PTY LTD. Abuse Policy:
Domain Name:
Registrar: FABULOUS.COM PTY LTD.
Registrant Name: Domain Hostmaster, Customer ID :
Multiple warnings were sent by FABULOUS.COM PTY LTD. Spam and Abuse Department to give you an opportunity to address the complaints we have received.
We did not receive a reply from you to these email warnings so we then attempted to contact you via telephone.
We had no choice but to suspend your domain name when you did not respond to our attempts to contact you.
Click here and download a copy of complaints we have received.
Please contact us for additional information regarding this notification.
Sincerely,
FABULOUS.COM PTY LTD.
Spam and Abuse Department
Abuse Department Hotline: 480-081-9487
Getting lots and lots of them !!
Going on in Ireland and UK right now. got 2 so far.
Dear Sir/Madam,
The following domain names have been suspended for violation of the PDR Ltd. d/b/a PublicDomainRegistry.com Abuse Policy:
Domain Name:
Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com
Registrant Name:
Multiple warnings were sent by PDR Ltd. d/b/a PublicDomainRegistry.com Spam and Abuse Department to give you an opportunity to address the complaints we have received.
We did not receive a reply from you to these email warnings so we then attempted to contact you via telephone.
We had no choice but to suspend your domain name when you did not respond to our attempts to contact you.
Click here and download a copy of complaints we have received.
Please contact us for additional information regarding this notification.
Sincerely,
PDR Ltd. d/b/a PublicDomainRegistry.com
Spam and Abuse Department
Abuse Department Hotline: 480-394-8955
It looks like they’re using random 480 phone numbers, perhaps changing them up to avoid spam filters. 480 is the area code for Phoenix and what GoDaddy phone numbers start with. They might have selected the number because it will be familiar to customers of the biggest registrar.
I live in a “480” part of Phoenix and the number included with mine was literally a block away in a residential area… Which I found suspect…
Got several today. Most were caught in the SPAM filter…except one. And I stupidly clicked on the link. Is there any damage for a mac from that link?
http://aldc.com.au/abuse_report.php?
It’s one of those as soon as I clicked I’m like damnit. Why did I do that?
It downloaded a file which I attempted to open — which the mac couldn’t open. So, do I need to do anything? I did a complete scan with Trend Micro (including that file specifically) and nothing came back.
The file has been deleted.
ENOM, INC is also being targeted Oct 26 2015 by “http://mestats.com/abuse_report.php …” mestats phishing. The odd thing is that they are using the public email on the domain, but I think they just want to see who reads their spam.
I was using the domain for less than 48 hours after having this domain been on godaddy for past 13 years or so…. then BAM!!!!
Phishing spam scam. (It’s never been used for email by me.) Sent from Britain to the USA via 109.111.192.8.
SCAM
They’re up to G now. Got one with Easyspace as registrar, thought it was a pile of pish so hovered over the link and didn’t click…I’m in the UK and the Easyspace phone number is wrong; in fact the whole e-mail looked like nothing they would send out….
———————————————————————-
The following domain names have been suspended for violation of the Easyspace Ltd. Abuse Policy:
Domain Name: XXXXXXXXX
Registrar: Easyspace Ltd.
RegistrantXXXXXXXX
Multiple warnings were sent by Easyspace Ltd. Spam and Abuse Department to give you an opportunity to address the complaints we have received.
We did not receive a reply from you to these email warnings so we then attempted to contact you via telephone.
We had no choice but to suspend your domain name when you did not respond to our attempts to contact you.
Click here and download a copy of complaints we have received.
Please contact us for additional information regarding this notification.
Sincerely,
Easyspace Ltd.
Spam and Abuse Department
Abuse Department Hotline: 480-648-4748
This phishing incident gives us all a way to gauge cyber-security response time for the domain industry.
How long will it be between the first phishing email and the moment the spam blast is shut down?
Or will it run its course all the way through?
They’re going through alphabetically. Up to “I” now. It’s possible they’ll begin a new alphabetical list after reaching “Z” within the first batch. Maybe they’ll loop indefinitely to account for new registrations, re-registrations, and transfers. So this can last for days and days.
Here’s a challenge: Predict the point in the alphabet where this all stops. And when? Who will be the lucky guy who receives the alphabetically latest domain? What will that be? Zzzzzzzz…etc.com? Is our industry even equipped to stop such phishing blasts ever?
I received one supposedly from a major registrar (mentioned by others above). This is very, very similar to half a dozen various other phishing emails I’ve received recently, the only difference is that the others were sent to me directly by someone I know who tried to entice me to click on the links. I am under the impression that this person has hired someone to try and hack my pc.
Some of you may think I’m paranoid, but I’m no dummy. I know better than most how to connect the dots in these emails. I don’t want to go into detail to remain anonymous (in case the person stumbles upon this, as I haven’t yet decided how to retaliate!), but the similarities are too obvious to ignore. Needless to say, this person would be very interested in knowing what I’m working on.
I just wanted to let others know that I strongly believe that there is a service provider out there willing to help people install spyware on a person’s computer of the buyer’s choice and I’d be interested to hear if anyone else feels someone they know is attacking them in this manner.
I’ve been blessed enough to receive the same message, as well, an “L” with Domain.com. Still going 😉
Still coming in at a rate of 10-20 per hour!
Just received one a few minutes ago for my domain beginning with “H” with registrar 1 & 1 Internet.
I’m curious, are there people out there with a lot of domain names that have NOT received this spam?
Starting letter “k” only one so far purportedly from Dreamhost
They didn’t make it all the way through the alphabet, as far as I could tell.
But did they stop? Nope.
Back at “0” as the first character. Apparently commencing a new batch.
I finally found some of these messages in my spam folder. Thought I managed to get left off the list.
We’re all invited to this party.
This topic is still going strong.
There is more than one purpose an email blast like this could accomplish.
It could be a theft attempt of the Major Registrar to separate the domain owner from the valuable domain being impersonated in the blast, in my case:
“Moniker Online Services LLC”
I just alerted DigiMedia founders Scott Day & Jay Chapman, via their website contact page, that com.org is being impersonated as a possible attempt to seize it over alleged, “abuse,” and that they should file an fbi complaint of attempted domain theft.
I keep SAYING there is a syndicate within ICANN/VeriSign/Major Registrars, and that trumped up accusations of abuse is a tool to leverage the seizure of valuable domain names, by the Registrar, from the Registrant.
Remember, Satoshi’s cm.com was redirected to, ns1.spamshutdown.com, over alleged spam emails, and spam is mentioned in the complaint against Network Solutions referenced by DomainNameWire.com:
All the sites I have are with enom. Multiple sites, multiple emails for same sites…Enom states they are aware and working on it…
There’s not much they can do at this point …
Hi, I got one of these today and my sites are with 1&1. What’s interesting is that 1&1 contacted me on October 26th informing me that my web site email accounts were sending out spam…it has since been a two week nightmare trying to get any support for my virtual server environment. I and my IT people can’t access anything anymore and it seems to be getting worse. Frankly, I don’t know what to do….except not click on the link to this phishing scam. I’m sure it’s all related but 1&1 isn’t going to take the blame.
I received notification today, and the junk email account made me uncomfortable
Ha… thank $INSERTDEITYHERE I know I use private domain registration for my domain (which you can go to by clicking my name…) and set up something in my 1&1 Control Panel that basically bounces that back. And 1&1 emails me a log weekly of who did.
This is the text of the bounce I use (coarse language edited… I use it in my bounce):
—
If you were trying to contact me regarding your spammy bulls**t, f**k off.
If not, please accept my apologies. Contact information is on my website.
This email will be the only one you will receive.
Error 520
I’m on Linux, bitch. I thought you GNU.
1&1 Mail Server at perfora.net running on Ubuntu 14.04 LTS
—
(The phrase below the error code–which I Googled for a “Unknown hard bounce smtp error”–is from “Epic Rap Battles of History: Steve Jobs vs Bill Gates” and a joke to tell the spammers I am not a mindless person…)
It has blocked a LOT of blackhat SEO, and other emails.
And yes, I did get a lot of that BS from “DynaDot” in my report log during that time. Neither my DNS nor domain is with them… so I ignored it.
Thanks for warning Andrew.