Use these tips to avoid being the next victim.
Yesterday an unknown perpetrator started a massive spamming campaign against owners of domain names, and it is continuing today.
The emails told recipients that a specific domain name they owned had been suspended and asked them to click a link to download the complaint(s) against the domain. Clicking the link downloaded a file, most likely malware.
The perpetrator sent the emails to clients of numerous registrars, including eNom, Uniregistry, Dynadot, Moniker and many others. It seems that no one was spared. Based on the emails I’ve seen so far, it looks like they started at the beginning of the alphabet in terms of the domains, so people with domains starting with digits, A and B were hit first.
Why is this happening?
Whether the goal is distributing malware or getting into a domain name owner’s registrar account to hijack the domain, there are plenty of incentives to phish the people listed in whois.
Yesterday’s attack was unsophisticated, as Epik founder Rob Monster pointed out. The perpetrator didn’t deduplicate the data, so people received multiple emails. That might be a red flag, but some people still clicked.
I’m not surprised people clicked on the bad link. There are a few reasons people will click and why scams like this have become prevalent.
1. New verification requirements in the 2013 RAA – Registrars now have to “verify” information in whois. Registrars have options for how to do this, but most accomplish it by emailing registrants and asking them to click a link. That’s generally a bad practice, but the alternatives are more expensive for registrars. Customers have now been trained to click links in registrar emails (rather than being told to go to the registrar’s site and log in), which makes them more likely to fall for phishing scams.
2. Some registrars aren’t following email best practices – When a registrar sends you an email, it should address you by name and ideally include an account number. Criminals find it harder to merge such data into a bulk mailing (and an account number, unlike the registrant’s name, isn’t published in whois), so you should always look for an identifier in email from your registrar. But not all registrars include one, so a generic greeting doesn’t stand out as a red flag when a phishing email arrives.
3. Inexpensive whois downloads – Over the past couple of years, a number of companies and fly-by-night operators have begun selling very cheap copies of whois data. This is part of the reason you receive lots of spam after registering a new domain name.
What you can do
Here are some things you can do to reduce the chances of falling prey to one of these emails:
1. Check for identifiers – Verify that any email purporting to be from your registrar is addressed to your name. This can still be spoofed (your name is in whois, after all), but if it’s just addressed to “Dear Sir”, it’s likely a phishing email. If your registrar doesn’t include your name or account number in email communications, switch to a registrar with better security practices.
2. Turn on 2-factor authentication at your registrar – If you do fall prey to a phishing attack and hand over your password, this is another line of defense against domain name theft. If your registrar doesn’t offer 2-factor authentication, you should switch to a registrar with better security practices.
3. Verify links – Always hover over a link in an email before clicking to check that it goes where the link text says it does. On a phone, you can usually press and hold a link to see the full URL.
4. Add whois privacy – There are reasons not to use privacy, but these services will generally keep such emails from reaching your inbox.
5. Use a good browser and antivirus software – Most modern browsers will warn you when you visit a page that has been identified as part of a phishing attack, but it can take some time for sites to be flagged. You should also use antivirus software; in the current attack, it should stop you from opening the downloaded file.
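As an added illustration (not part of the original post), here is a small Python script that applies checks 1 and 3 above mechanically to an HTML email claiming to come from your registrar, plus one more that a commenter below reports for this campaign: a download whose filename ends in a Windows-executable extension hidden behind a decoy one. It flags a generic salutation, anchor text whose hostname differs from the real href, links to hosts outside an allow-list of your registrar’s hostnames, and executable or double-extension download names. The registrar hostnames (`registrar.example`) and both sample messages are constructed for the example.

```python
"""Heuristic triage of an email that claims to come from your domain registrar.
Added example, not from the original post; hosts and samples below are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Hypothetical allow-list: the hostnames your real registrar links to.
REGISTRAR_HOSTS = {"registrar.example", "www.registrar.example"}
# Salutations typical of mail-merged phishing rather than account mail.
GENERIC_GREETINGS = ("dear sir", "dear madam", "dear customer", "dear user",
                     "dear registrant", "dear domain owner")
# Extensions Windows executes. ".com" is left out on purpose: in mail about
# domain names a path ending in "example.com" is usually a domain, not a binary.
EXEC_EXTS = {".scr", ".exe", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta"}


class _MailParser(HTMLParser):
    """Collect visible text fragments and (href, anchor text) pairs."""
    def __init__(self):
        super().__init__()
        self.text, self.links = [], []
        self._href, self._anchor = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._anchor = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL; bare 'www.host/path' text is treated as a URL too."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def looks_like_url(text):
    """Anchor text a reader would take for an address: one token containing a dot."""
    return re.fullmatch(r"\S+\.\S+", text) is not None


def filename_risk(url):
    """Reason string if the URL's last path segment is an executable, else None."""
    name = unquote(urlparse(url).path.rsplit("/", 1)[-1]).lower()
    if "." not in name:
        return None
    stem, ext = name.rsplit(".", 1)
    if "." + ext not in EXEC_EXTS:
        return None
    if "." in stem:  # e.g. report.pdf.scr: a decoy extension before the real one
        return f"double extension hides an executable: {name}"
    return f"executable download: {name}"


def triage(html_body, registrar_hosts=REGISTRAR_HOSTS):
    """Return (code, detail) findings for the message; an empty list means nothing tripped."""
    parser = _MailParser()
    parser.feed(html_body)
    parser.close()
    findings = []
    first_line = next((t.strip() for t in parser.text if t.strip()), "")
    if first_line.lower().startswith(GENERIC_GREETINGS):
        findings.append(("generic_greeting", first_line))
    for href, anchor in parser.links:
        target = host_of(href)
        if looks_like_url(anchor) and host_of(anchor) != target:
            findings.append(("host_mismatch", f"text shows {host_of(anchor)}, link goes to {target}"))
        if target not in registrar_hosts:
            findings.append(("unknown_host", target))
        reason = filename_risk(href)
        if reason:
            findings.append(("executable_download", reason))
    return findings


# Constructed samples (not real messages).
PHISHING_SAMPLE = """
<p>Dear Sir,</p>
<p>Your domain example.com has been suspended following a complaint.</p>
<p>Download the complaint here:
<a href="http://download.bad-host.example/example.com_copy_of_complaints.pdf.scr">
https://www.registrar.example/complaints</a></p>
"""
LEGIT_SAMPLE = """
<p>Dear Jane Doe (account 12345),</p>
<p>Please log in at <a href="https://www.registrar.example/login">https://www.registrar.example/login</a></p>
"""

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("legitimate", LEGIT_SAMPLE)):
        print(label, triage(sample) or "no findings")
```

Run against the constructed phishing sample it reports all four findings; against the legitimate sample, addressed by name and account number and linking only to the allow-listed host, it reports none. The allow-list is the important knob: anchor text and salutations are trivially forged, but a link that leaves your registrar’s hostnames cannot be hidden from the parser.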
Joseph Peterson says
The responsibility for much of consumers’ susceptibility to these attacks can be traced to policies imposed on registrars as well as to registrar email habits. Cyber security could be improved with better policies at both levels.
Joris DD says
Agreed. Policies such as those imposed by the 2013 RAA certainly contributed to this issue. ICANN chose to ignore all warnings.
And things will only get worse if they decide to ban whois privacy/proxy services.
Acro says
The file being served by those links is a double-extension file, posing as a PDF. It was sophisticated enough to generate the filename on the fly, to match the alleged suspension’s notice.
The file was a .SCR, which is typically an executable screensaver for Windows, but instead it delivers a malware payload.
Sample filename: example.com_copy_of_complaints.pdf.scr
See my notices: http://domaingang.com/domain-crime/domain-security-lessons-learned-from-yesterdays-phishing-emails/
Joe Styler says
I wrote an article last week, which was published today, that has some best practices for protecting your domains. 2-factor is high on my list of things to use to keep your domain name portfolio safe. Thanks for covering this for people. If anyone is interested, my article is here: http://x.co/staysafe
fizz says
>>4. Add whois privacy<<
Received my first phishing email today and it was for a domain using Fabulous.com's free whois privacy.
Ron says
Yes, privacy will help give you insight that it is spam. I have been hit on 3 different registrars now; I expected it, and it was obvious to me.
In the next weeks there will be victims though. Is it the Chinese doing this? All mine were for 4l.com-type names.
Jon says
1) Regarding privacy, some whois lookup tools are really good about masking even the privacy email – copying and pasting the protected email address won’t actually paste those values. My registrar’s whois tool, on the other hand, allows for copying and pasting, which likely allows for easier spamming. I also noticed an increased amount of spam after I switched from my old registrar to the new one.
2) Email providers need to do a better job with spam filtering and catching those who send such spam. Yes, people may find it in a spam box and still click on the link, but it will be a lot fewer than if it comes into an inbox. Even better, don’t deliver these messages once they are marked as dangerous!
Andrew Allemann says
Whois privacy services should filter phishing emails at the email server. Even if someone harvests the address, the privacy service should stop it.