Use these tips to avoid being the next victim.
Yesterday an unknown perpetrator started a massive spamming campaign against owners of domain names, and it is continuing today.
The emails told recipients that a specific domain name they owned had been suspended, and asked them to click a link to download the complaint(s) against their domain names. Clicking the link downloaded a file, most likely packed with malware.
The perpetrator sent the emails to clients of numerous registrars, including eNom, Uniregistry, Dynadot, Moniker and many others. It seems that no one was spared. Based on the emails I’ve seen so far, it looks like they started at the beginning of the alphabet in terms of the domains, so people with domains starting with digits, A and B were hit first.
Why is this happening?
Whether it’s distributing malware or trying to get access to a domain name owner’s account to hijack a domain name, there are many incentives for people to phish among people listed in whois.
Yesterday’s attack was unsophisticated, as Epik founder Rob Monster pointed out. The perpetrator didn’t deduplicate the data, so people received multiple emails. That might be a red flag, but some people still clicked.
I’m not surprised people clicked on the bad link. There are a few reasons people will click and why scams like this have become prevalent.
1. New verification requirements in the 2013 RAA – Registrars now have to “verify” information in whois. Registrars have options for how to do this, but most accomplish it by sending an email to registrants asking them to click a link. That’s generally a bad practice, but the alternatives for registrars are more expensive. Now that customers have been trained to click on links in emails (rather than being instructed to go to the registrar’s site and log in), they are more likely to fall for phishing scams.
2. Some registrars aren’t following email best practices – When a registrar sends you an email, it should address you by name. It might also include an account number. It’s more difficult for criminals to merge this data into bulk emails, so you should always look for such an identifier. But not all registrars do this, so a missing name or account number isn’t an obvious red flag when a phishing email arrives.
3. Inexpensive whois downloads – Over the past couple years, a number of companies and fly-by-night operators have begun selling very cheap copies of whois data. This is part of the reason you receive lots of spam after registering a new domain name.
What you can do
Here are some things you can do to reduce the chances of falling prey to one of these emails:
1. Check for identifiers – Verify that any email purporting to be from your registrar is addressed to you by name. This can still be spoofed, but if it’s just addressed to “Dear Sir”, it’s likely a phishing email. If your registrar doesn’t include your name or account number in email communications, switch to a registrar with better security practices.
2. Turn on 2-factor authentication at your registrar – If you do fall prey to a phishing attack, this is another line of defense against domain name theft. If your registrar doesn’t offer 2-factor authentication, you should switch to a registrar with better security practices.
3. Verify links – Always hover over a link in email before clicking to verify it goes where you think it will. On a phone, you can usually press and hold a link to see the full URL.
4. Add whois privacy – Although there are reasons to not use privacy, these services will generally stop such emails from making it to your inbox.
5. Use a good browser and antivirus software – Most modern browsers will alert you if you’re visiting a page identified in a phishing attack, but it can take some time for sites to be flagged. You should also use antivirus software. In the current attack, this should stop you from opening the download file.
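The two checks in items 1 and 3 (is the email addressed to you by name or account number, and does each link really go where its visible text says) can be automated for a mailbox or a mail gateway. The script below is an added example, not code from the original post; it parses a raw email, pulls out the greeting, the body text and every anchor, and flags a generic salutation, a body that mentions neither your name nor your account number, and any link whose visible text is a URL on a different host than the real href. The two sample messages, the registrar and attacker hostnames, and the name and account number are all constructed for the example.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the "domain suspended" emails described above.
# All hostnames, names and account numbers are placeholders, not real indicators.
SAMPLE_PHISH = """\
From: "Abuse Department" <abuse@registrar.example>
To: owner@example.com
Subject: Domain example.com Suspended
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Sir/Madam,</p>
<p>Your domain example.com has been suspended following abuse complaints.</p>
<p>Download the complaint here:
<a href="http://download.attacker.invalid/complaint.zip">https://www.registrar.example/complaints/12345</a></p>
</body></html>
"""

# Constructed sample of what a registrar following the practices above would send.
SAMPLE_LEGIT = """\
From: "Registrar Support" <support@registrar.example>
To: owner@example.com
Subject: Account 48213: WHOIS verification
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Jane Doe (account 48213),</p>
<p>Please log in at <a href="https://www.registrar.example/login">https://www.registrar.example/login</a>
to confirm your contact details.</p>
</body></html>
"""

# Greetings that carry no identifier at all ("Dear Sir", "Dear Customer", ...).
GENERIC_SALUTATION = re.compile(
    r"^\s*(dear\s+(sir|madam|customer|user|valued\s+customer|domain\s+owner|registrant)"
    r"(\s*/\s*madam)?|hello|hi|greetings)\s*[,:!]?\s*$",
    re.IGNORECASE,
)


class BodyParser(HTMLParser):
    """Collects the visible text and every (href, anchor text) pair from an HTML body."""

    def __init__(self):
        super().__init__()
        self.text_parts, self.links = [], []
        self._href, self._anchor = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._anchor = []
        elif tag in ("p", "br", "div", "li"):
            self.text_parts.append("\n")  # keep block boundaries as line breaks

    def handle_data(self, data):
        self.text_parts.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None
        elif tag in ("p", "div", "li"):
            self.text_parts.append("\n")

    @property
    def text(self):
        return "".join(self.text_parts)


def salutation_line(text):
    """First non-empty line of the visible text, which is normally the greeting."""
    return next((ln.strip() for ln in text.splitlines() if ln.strip()), "")


def host_of(url):
    """Hostname of a URL; anchor text is often written without a scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def looks_like_url(text):
    return bool(re.match(r"^(https?://|www\.)\S+$", text, re.IGNORECASE))


def mismatched_links(links):
    """(anchor text, real href) for links whose visible URL sits on a different host."""
    return [(anchor, href) for href, anchor in links
            if looks_like_url(anchor) and host_of(anchor) != host_of(href)]


def analyze(raw_email, expected_name, expected_account):
    """Apply the identifier and link checks to one raw email; returns the findings."""
    msg = message_from_string(raw_email)
    html = ""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8")
            break
    parser = BodyParser()
    parser.feed(html)
    text, greeting, findings = parser.text, salutation_line(parser.text), []
    if GENERIC_SALUTATION.match(greeting):
        findings.append(f"generic salutation: {greeting!r}")
    if expected_name.lower() not in text.lower() and expected_account not in text:
        findings.append("neither your name nor your account number appears in the body")
    for anchor, href in mismatched_links(parser.links):
        findings.append(f"link text {anchor!r} actually points to {href!r}")
    return {"subject": msg["Subject"], "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for sample in (SAMPLE_PHISH, SAMPLE_LEGIT):
        print(analyze(sample, expected_name="Jane Doe", expected_account="48213"))
```

The link check is the programmatic form of hovering over a link: the anchor text is what the reader sees, the href is where the browser actually goes, and a URL-shaped anchor on a different host than its href is the classic lure. The identifier check only says whether the email carries your name or account number; a spoofed email can include both, which is why the post pairs this check with 2-factor authentication rather than relying on it alone.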