
Warning: domain name phishing email blast going on right now

The emails try to get you to download a file.

A Domain Name Wire reader has received 4 phishing/malware attempts within the past hour, and web searches show that the scam is widespread.

Here’s a copy of one of the phishing emails:

From:
Date: Mon, Oct 26, 2015 at 5:04 PM
Subject: Domain [redacted] Suspension Notice

Dear Sir/Madam,

The following domain names have been suspended for violation of the DYNADOT LLC Abuse Policy:

Domain Name: [domain redacted]
Registrar: DYNADOT LLC
Registrant Name: [name matching whois]

Multiple warnings were sent by DYNADOT LLC Spam and Abuse Department to give you an opportunity to address the complaints we have received.

We did not receive a reply from you to these email warnings so we then attempted to contact you via telephone.

We had no choice but to suspend your domain name when you did not respond to our attempts to contact you.

Click here [LINK] and download a copy of complaints we have received.

Please contact us by email at mailto:abuse@dynadot.com for additional information regarding this notification.

Sincerely,
DYNADOT LLC
Spam and Abuse Department
Abuse Department Hotline: 480-124-0101

Clicking the link in the second-to-last sentence attempts to download a file. The phone number is invalid.

Although all four emails the reader received spoofed Dynadot, apparently other registrars are also being spoofed.

Moniker just sent a notice out to customers reminding them that:

Moniker Online Services LLC. will not send any notices regarding your domains without your account number present within the email. We do not send notices with links to download files regarding your domains. If you are unsure of the validity of your emails please check the email headers to determine the source and return path for the email address. If you are still in doubt, forward any emails you are unsure of to legal@moniker.com if it is a valid email we will notify you properly.
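The checks Moniker describes (source and return path in the headers, no download links, your account number present), plus the link-target check commenters recommend doing by hovering, can be scripted. The triage script below is an added example, not code from Domain Name Wire, Moniker or any other registrar. It parses a raw message, compares the From, Return-Path and originating Received relay against the registrar domain the email claims to come from, lists every link in the body with the host it actually leads to, and optionally looks for your account number. The sample message is constructed to mimic the template quoted above; its relay name, IP (from the 192.0.2.0/24 documentation range) and link host are made up and are not indicators from the real campaign.

```python
"""Triage a suspected registrar 'suspension notice' phishing email.

Added example (not from Domain Name Wire or any registrar). The sample
message, relay host, IP and link host are constructed for illustration.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the template quoted in the post.
SAMPLE_EMAIL = b"""Return-Path: <bounce@mailer.example.net>
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby inbox.example.org with ESMTP; Mon, 26 Oct 2015 17:04:00 -0700
From: "DYNADOT LLC Spam and Abuse Department" <abuse@dynadot.com>
To: registrant@example.org
Subject: Domain example.org Suspension Notice
Content-Type: text/html

<p>The following domain names have been suspended for violation of the
DYNADOT LLC Abuse Policy.</p>
<p><a href="http://files.example.net/abuse_report.php?id=7">Click here</a>
and download a copy of complaints we have received.</p>
<p>Abuse Department Hotline: 480-124-0101</p>
"""


def parse(raw):
    """Parse raw RFC 5322 bytes into an EmailMessage (headers get unfolded)."""
    return BytesParser(policy=policy.default).parsebytes(raw)


def registrable_domain(host):
    """Last two DNS labels. Assumption: fine for .com/.net; a real tool should
    consult the Public Suffix List so that e.g. foo.com.uy is not 'com.uy'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def addr_domain(header_value):
    """Registrable domain of the first address in a header, '' if none."""
    _, addr = parseaddr(header_value or "")
    return registrable_domain(addr.rpartition("@")[2]) if "@" in addr else ""


def body_text(msg):
    """Text of the preferred body part (HTML first, then plain)."""
    part = msg.get_body(preferencelist=("html", "plain"))
    return part.get_content() if part is not None else ""


def extract_links(msg):
    """Every href and bare http(s) URL in the body, in order, deduplicated."""
    text = body_text(msg)
    hrefs = re.findall(r'href=["\']([^"\']+)["\']', text, re.IGNORECASE)
    bare = re.findall(r'https?://[^\s"\'<>]+', text)
    return list(dict.fromkeys(hrefs + bare))


def triage(raw, claimed_domain, account_number=None):
    """Return the red flags for a message claiming to come from claimed_domain
    (e.g. 'dynadot.com'). An empty list means nothing fired."""
    msg = parse(raw)
    flags = []

    from_dom = addr_domain(msg.get("From"))
    if from_dom != claimed_domain:
        flags.append(f"From address domain {from_dom!r} is not {claimed_domain}")

    # Return-Path is the envelope sender; bulk mailers rarely align it with
    # the spoofed From header.
    rp_dom = addr_domain(msg.get("Return-Path"))
    if rp_dom and rp_dom != from_dom:
        flags.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")

    # Each hop prepends a Received header, so the last one is the earliest
    # hop. Only hops written by your own servers are trustworthy.
    received = msg.get_all("Received") or []
    if received:
        m = re.search(r"from\s+([\w.-]+)", str(received[-1]))
        if m and registrable_domain(m.group(1)) != claimed_domain:
            flags.append(f"originating relay {m.group(1)} is not a {claimed_domain} host")

    # The hover check: where does each link really go?
    for url in extract_links(msg):
        host = urlparse(url).hostname or ""
        if registrable_domain(host) != claimed_domain:
            flags.append(f"link {url} leads to {host}, not {claimed_domain}")

    # Moniker's rule: a genuine notice carries your account number.
    if account_number is not None and account_number not in body_text(msg):
        flags.append("no account number in the body")
    return flags


if __name__ == "__main__":
    for flag in triage(SAMPLE_EMAIL, "dynadot.com", account_number="12345"):
        print("RED FLAG:", flag)
```

Run it as `python triage.py` on the built-in sample, or feed it your own message with `triage(open("msg.eml", "rb").read(), "yourregistrar.com")`. Two caveats: everything below the Received line your own mail server added can be forged, so treat the relay check as a hint rather than proof; and `registrable_domain` is a two-label approximation, so before trusting a match for a ccTLD host (the `.com.uy` relay one commenter reports, for instance) use the Public Suffix List.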



Comments


  1. Rob Monster - Epik says

    Andrew – It appears to be widespread but not sophisticated, e.g. the mailer is spamming an address list that has not been de-duplicated which is why domainers are seeing multiple notices. The host of the phishing site is lanacion.com.ec which is hosted by Hostgator. We have notified Hostgator and are doing a customer notice today.

  2. James says

    Yep, just got one now from enom also –
    Return-Path:
    Received: from tensai03.tensai.com.uy (exim206.tensai.com.uy. [198.58.98.206])

  3. Joseph Peterson says

    It’s the same template email used (incredibly enough) for multiple registrars.

    I’ve seen 4 registrars so far – all in the last hour.

    • Joseph Peterson says

      “1”, “A”, “B” so far in my case. A dozen or 2 emails and counting. Probably many more to come.

  4. neo says

    This one caught me off guard also. I did download it; however, the file did not open when I attempted to open it. The message was something like “file extension was not found”. I ran malware software and it did not detect any malware. Is there anything else to do to make sure?

  5. robertwsteele says

    Yeah; I just got one for one of my domains. Upon inspecting the download link, it’s pointed to another domain. That’s a really big red flag.

    • Andrew Allemann says

      Yes, you should ALWAYS hover over the link to see where it’s going. On mobile phones that’s not as easy, but you can usually press and hold the link to see the full URL.

  6. Mike says

    I am usually careful not to click on links but since these emails were for multiple enom domains that are unused I thought someone might have hijacked them or something and hosted elsewhere sending spam – I had also some other thing on my mind all day and next thing I know I ended up clicking on the links. I had one of them redirected to lanacion.com.eu which shows a hostgator.com suspended page at lanacion.com.eu/cgi-sys/suspendedpage.cgi this one has links to news, horoscope, etc, in the page and is linking to another domain fwdssp.com – I want to know if this is standard hostgator page or another attempt to download some malware. I tried calling hostgator but gave up after holding for almost an hour and also almost after 25 minutes on their chat (guess that goes to show one should run away from hostgator – impossible to get any support).

    And another to esdhost.com/cgi-sys/suspendedpage.cgi and another to metastats.com/abusereport.php showing a page not found.

    It looks like they were all suspended by their hosts before I got there and hopefully I did not download anything and they are showing standard “suspended page” scripts.

    If anyone can confirm that these were suspended domains and standard suspended pages, I would appreciate.

    Thanks!

  7. davidp says

    Thanks for the mobile phone tip on checking out the full URL of any link. I did not know that, and being tired I let down my guard and clicked the link, and fortunately got a “phishing” warning page. Glad someone got on this to save the careless a lot of grief. Also glad for this posting, the only one that came up on my Google search for “mestats…etc”.

  8. Mike says

    Dear Sir/Madam,

    The following domain names have been suspended for violation of the FABULOUS.COM PTY LTD. Abuse Policy:

    Domain Name:
    Registrar: FABULOUS.COM PTY LTD.
    Registrant Name: Domain Hostmaster, Customer ID :

    Multiple warnings were sent by FABULOUS.COM PTY LTD. Spam and Abuse Department to give you an opportunity to address the complaints we have received.

    We did not receive a reply from you to these email warnings so we then attempted to contact you via telephone.

    We had no choice but to suspend your domain name when you did not respond to our attempts to contact you.

    Click here and download a copy of complaints we have received.

    Please contact us for additional information regarding this notification.

    Sincerely,
    FABULOUS.COM PTY LTD.
    Spam and Abuse Department
    Abuse Department Hotline: 480-081-9487

    Getting lots and lots of them !!

  9. eoinlennon says

    Going on in Ireland and the UK right now. Got 2 so far.

    Dear Sir/Madam,

    The following domain names have been suspended for violation of the PDR Ltd. d/b/a PublicDomainRegistry.com Abuse Policy:

    Domain Name:
    Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com
    Registrant Name:

    Multiple warnings were sent by PDR Ltd. d/b/a PublicDomainRegistry.com Spam and Abuse Department to give you an opportunity to address the complaints we have received.

    We did not receive a reply from you to these email warnings so we then attempted to contact you via telephone.

    We had no choice but to suspend your domain name when you did not respond to our attempts to contact you.

    Click here and download a copy of complaints we have received.

    Please contact us for additional information regarding this notification.

    Sincerely,
    PDR Ltd. d/b/a PublicDomainRegistry.com
    Spam and Abuse Department
    Abuse Department Hotline: 480-394-8955

    • Andrew Allemann says

      It looks like they’re using random 480 phone numbers, perhaps changing them up to avoid spam filters. 480 is the area code for Phoenix and what GoDaddy phone numbers start with. They might have selected the number because it will be familiar to customers of the biggest registrar.

      • Stan says

        I live in a “480” part of Phoenix and the number included with mine was literally a block away in a residential area… Which I found suspect…

  10. Kathy says

    Got several today. Most were caught in the SPAM filter…except one. And I stupidly clicked on the link. Is there any damage for a mac from that link?

    http://aldc.com.au/abuse_report.php?

    It’s one of those as soon as I clicked I’m like damnit. Why did I do that?

    It downloaded a file which I attempted to open — which the mac couldn’t open. So, do I need to do anything? I did a complete scan with Trend Micro (including that file specifically) and nothing came back.

    The file has been deleted.

  11. James M says

    ENOM, INC is also being targeted Oct 26 2015 by “<http://mestats.com/abuse_report.php …" mestats phishing. The odd thing is that they are using the public email on the domain, but I think they just want to see who reads their spam.

    I was using the domain for less than 48 hours after it had been on GoDaddy for the past 13 years or so… then BAM!!!!

    Phishing spam scam. (It’s never been used for email by me.) Sent from Britain to the USA via 109.111.192.8

    SCAM

  12. Mal says

    They’re up to G now. Got one with Easyspace as registrar, thought it was a pile of pish so hovered over the link and didn’t click… I’m in the UK and the Easyspace phone number is wrong; in fact the whole email looked like nothing they would send out….
    ———————————————————————-

    The following domain names have been suspended for violation of the Easyspace Ltd. Abuse Policy:

    Domain Name: XXXXXXXXX
    Registrar: Easyspace Ltd.
    RegistrantXXXXXXXX

    Multiple warnings were sent by Easyspace Ltd. Spam and Abuse Department to give you an opportunity to address the complaints we have received.

    We did not receive a reply from you to these email warnings so we then attempted to contact you via telephone.

    We had no choice but to suspend your domain name when you did not respond to our attempts to contact you.

    Click here and download a copy of complaints we have received.

    Please contact us for additional information regarding this notification.

    Sincerely,
    Easyspace Ltd.
    Spam and Abuse Department
    Abuse Department Hotline: 480-648-4748

  13. Joseph Peterson says

    This phishing incident gives us all a way to gauge cyber-security response time for the domain industry.

    How long will it be between the first phishing email and the moment the spam blast is shut down?

    Or will it run its course all the way through?

    They’re going through alphabetically. Up to “I” now. It’s possible they’ll begin a new alphabetical list after reaching “Z” within the first batch. Maybe they’ll loop indefinitely to account for new registrations, re-registrations, and transfers. So this can last for days and days.

    Here’s a challenge: Predict the point in the alphabet where this all stops. And when? Who will be the lucky guy who receives the alphabetically latest domain? What will that be? Zzzzzzzz…etc.com? Is our industry even equipped to stop such phishing blasts ever?

  14. Stan says

    I received one supposedly from a major registrar (mentioned by others above). This is very, very similar to half a dozen various other phishing emails I’ve received recently, the only difference is that the others were sent to me directly by someone I know who tried to entice me to click on the links. I am under the impression that this person has hired someone to try and hack my pc.

    Some of you may think I’m paranoid, but I’m no dummy. I know better than most how to connect the dots in these emails. I don’t want to go into detail to remain anonymous (in case the person stumbles upon this, as I haven’t yet decided how to retaliate!), but the similarities are too obvious to ignore. Needless to say, this person would be very interested in knowing what I’m working on.

    I just wanted to let others know that I strongly believe that there is a service provider out there willing to help people install spyware on a person’s computer of the buyer’s choice and I’d be interested to hear if anyone else feels someone they know is attacking them in this manner.

  15. MrSynth says

    I’ve been blessed enough to receive the same message, as well, an “L” with Domain.com. Still going 😉

  16. Shaun in UK says

    Just received one a few minutes ago for my domain beginning with “H” with registrar 1 & 1 Internet.

  17. Joseph Peterson says

    They didn’t make it all the way through the alphabet, as far as I could tell.

    But did they stop? Nope.

    Back at “0” as the first character. Apparently commencing a new batch.

  18. Louise says

    This topic is still going strong.

    There is more than one purpose an email blast like this could accomplish.

    It could be a theft attempt of the Major Registrar to separate the domain owner from the valuable domain being impersonated in the blast, in my case:

    “Moniker Online Services LLC”

    I just alerted DigiMedia founders Scott Day & Jay Chapman, via their website contact page, that com.org is being impersonated as a possible attempt to seize it over alleged “abuse,” and that they should file an FBI complaint of attempted domain theft.

    I keep SAYING there is a syndicate within ICANN/VeriSign/Major Registrars, and that trumped up accusations of abuse is a tool to leverage the seizure of valuable domain names, by the Registrar, from the Registrant.

    Remember, Satoshi’s cm.com was redirected to, ns1.spamshutdown.com, over alleged spam emails, and spam is mentioned in the complaint against Network Solutions referenced by DomainNameWire.com:

    15. Upon information and belief, from 2002 until some time in 2013, Shimoshita used the Domain Name in connection with the sending of mass unsolicited commercial email spam.

  19. Steve says

    All the sites I have are with enom. Multiple sites, multiple emails for same sites…Enom states they are aware and working on it…

  20. Scott says

    Hi, I got one of these today and my sites are with 1&1. What’s interesting is that 1&1 contacted me on October 26th informing me that my web site email accounts were sending out spam…it has since been a two week nightmare trying to get any support for my virtual server environment. I and my IT people can’t access anything anymore and it seems to be getting worse. Frankly, I don’t know what to do….except not click on the link to this phishing scam. I’m sure it’s all related but 1&1 isn’t going to take the blame.

  21. BootLoop2Dope MC6809E says

    Ha… thank $INSERTDEITYHERE I know I use private domain registration for my domain (which you can go to by clicking my name…) and set up something in my 1&1 Control Panel that basically bounces that back. And 1&1 emails me a log weekly of who did.

    This is the text of the bounce I use (coarse language edited… I use it in my bounce):


    If you were trying to contact me regarding your spammy bulls**t, f**k off.

    If not, please accept my apologies. Contact information is on my website.

    This email will be the only one you will receive.

    Error 520
    I’m on Linux, bitch. I thought you GNU.

    1&1 Mail Server at perfora.net running on Ubuntu 14.04 LTS

    (The phrase below the error code–which I Googled for a “Unknown hard bounce smtp error”–is from “Epic Rap Battles of History: Steve Jobs vs Bill Gates” and a joke to tell the spammers I am not a mindless person…)

    It has blocked a LOT of blackhat SEO, and other emails.

    And yes, I did get a lot of that BS from “DynaDot” in my report log during that time. Neither my DNS nor domain is with them… so I ignored it.
