Phishing perpetrators use single sign-on to ensnare victims.
Thieves frequently target domain names, whether it’s to hold a domain for ransom or because the domain itself is valuable.
Some thieves try to crack into the owner’s domain registrar account. Often, they try to get into the domain owner’s email account as the first step. By hacking into the email, they can not only reset registrar passwords but they can also make sure the victim doesn’t see the account change and transfer notices associated with the theft.
That is why a type of phishing campaign that targets single sign-on is so scary.
Sucuri (which is owned by GoDaddy) explains how phishers are impersonating popular sites but, instead of harvesting credentials for the sites they impersonate, they present single sign-on options so that the victim hands over email account credentials instead.
Single sign-on is a popular way to sign into many services. Instead of remembering a username and password, you can just log in to a social media account or your Google account to validate your identity with the site.
This could be a devastatingly effective approach to steal domains: send someone to a fake registrar page and get them to enter their Google or Microsoft account credentials.
Currently, few domain name registrars offer single sign-on. GoDaddy does, but it limits it to Facebook and Amazon (see picture).
But the phishers don’t need a registrar to offer single sign-on in order for this campaign to work. As the Sucuri post notes, they can pretend to be a registrar and say that they now support single sign-on.
My advice is to not use single sign-on. Instead, create a unique password for each website and keep them in a local password manager.
Joe Styler says
Great article for awareness. I think it is also wise to enable 2 factor at the various places that allow it like Google and Facebook and some email providers to add another layer of security to your accounts.
Undaunted says
I suggest domainers be careful about revealing too much on forums like NamePros, where hackers and scammers disguise themselves and try to find out what kind of domains people have, and also ask how many names one has in their portfolio. I have stopped exposing too much on NamePros.
When I report a sale, I end it with no further details, as I have provided enough. I got hacked, but I was lucky I got my GoDaddy rep in time to stop any movement of names; I lost my old Hotmail, but after I got back all the login info my domains were safe.
Thank you for this article. Hope others can see this.
Stephen says
I agree – good article. I have thousands of domains across a few registrars. I had over 11,000 at one time. I don’t fall for phishing scams. I have been reporting them for years. You simply need to view the email source (sending IP and submit URL). Look up the IP at Arin.net.
Unfortunately many people will fall for this which is why I report them when I see them.
Dear Pramod says
I bought a domain from http://www.prabhuhost.com. Is there anything I can do to secure it more? I have enabled 2-factor login.
Ryan says
I agree with not using single sign-on. And use long, random, unique passwords for each login stored in a password manager (not your browser’s password saving function). If you are really paranoid there are offline password managers, but the good online ones encrypt everything on your computer/device using a key that is derived from your master password and is not known even to the service before syncing online. Also use two-factor auth at least on your email and registrar, but you really should everywhere that supports it. And avoid using SMS or call-based two-factor auth if you can, as someone can use SIM jacking to get that text or call. A hardware security key is best, followed by an app like Google Authenticator. Finally, just don’t click links in email. If you get an email purporting to be from your registrar or your bank or whoever asking you to click a link to log in to your account, don’t. Use a bookmark or type in their website manually. The link oftentimes will show a legit domain when you look at it in the email, but when you click it you end up at a close misspelling or other similar domain that may look right at a quick glance but is not the real domain.
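Two of the manual checks mentioned in the comments above (Stephen's "view the email source, sending IP and submit URL" and Ryan's "the link shows a legit domain but goes somewhere else") can be automated. The following is an added example, not code from the article, Sucuri or any commenter: it parses a raw email, lists the IP addresses recorded in its Received headers (the top-most header is the hop closest to you, and that address is the one to look up at ARIN), and flags any link whose visible text names one domain while its href points at a different one. The sample message and every host name in it are constructed for this demonstration; the "registrable domain" helper is a deliberate simplification that takes the last two labels instead of consulting the Public Suffix List.

```python
"""Flag phishing tells in a raw email: relay IPs and text/href domain mismatches."""
import re
from email import message_from_string
from email.message import Message
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample lure (all hosts are reserved/example names, not real sites).
SAMPLE_EMAIL = """\
Received: from mail.example-lookalike.test (mail.example-lookalike.test [203.0.113.45])
\tby mx.victim.test with ESMTP id abc123; Mon, 1 Jan 2024 10:00:00 +0000
From: "Registrar Support" <support@registrar.example>
To: owner@victim.test
Subject: Action required: sign in with your Google account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We now support single sign-on. Please <a href="https://registrar-example.test/sso">
sign in at https://registrar.example/login</a> to confirm your account.</p>
<p>Or visit <a href="https://registrar.example/help">registrar.example/help</a>.</p>
</body></html>
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# A host name embedded in anchor text, with or without a scheme in front of it.
HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


def received_ips(msg: Message) -> list:
    """IPv4 addresses from Received headers, top-most (nearest) hop first."""
    ips = []
    for header in msg.get_all("Received", []):
        ips.extend(IPV4.findall(header))
    return ips


def registrable(host: str) -> str:
    """Simplified registrable domain: last two labels (real code: Public Suffix List)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def mismatched_links(html: str) -> list:
    """Links whose displayed domain differs from the domain the href really goes to."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        href_host = urlparse(href).hostname or ""
        match = HOST_IN_TEXT.search(text)
        if not match:
            continue  # "click here" style text carries no domain to compare against
        text_host = match.group(1)
        if registrable(href_host) != registrable(text_host):
            findings.append({"text_domain": text_host, "href_domain": href_host, "href": href})
    return findings


def analyze(raw_email: str) -> dict:
    """Run both checks over a raw RFC 5322 message and return the findings."""
    msg = message_from_string(raw_email)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    return {"received_ips": received_ips(msg), "mismatched_links": mismatched_links(body)}


if __name__ == "__main__":
    report = analyze(SAMPLE_EMAIL)
    print("Relay IPs to look up:", report["received_ips"])
    for finding in report["mismatched_links"]:
        print("Mismatch: text says", finding["text_domain"], "but href goes to", finding["href_domain"])
```

The first link in the sample is flagged (text shows registrar.example, href goes to registrar-example.test) while the second, whose text and href agree, is not. A single Received hop is shown; on a real message the list is longer and the first entry is your own mail server's view of who connected.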
khanimranm says
Domain registrars have to give additional layers of protection to prevent domains from being stolen.
Suggestions for domain registrars:
a) Ask domain users to provide two different emails. Domain transfer alerts should go to both emails.
b) By default, do not provide an immediate domain transfer approval option in the control panel. Activate this feature only for those users who request it from your customer support with credentials.
c) Make a lock period of at least one day compulsory for domain transfers.
d) Domain transfer requests should also require entering an OTP sent to the phone.
e) When a user changes their email address, the change should not be immediate and should take more than one day. The change approval request link should go to the old email. Also, an alert has to go to the phone number.
By taking these measures, domain registrars can offer more security to their customers and prevent domain loss even if the primary email is compromised.
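The five controls listed above fit together as one workflow, and the point of the comment (a stolen primary mailbox alone is not enough) is easiest to see in code. The following is an added example written for this page, not code from any real registrar; the class and method names (Registrar, request_transfer, confirm_email_change and so on), the one-day lock constant and the injected clock are all invented for the demonstration, and alerts are appended to a list instead of being sent.

```python
"""Toy model of registrar-side transfer and email-change controls with a delay window."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

LOCK_PERIOD = 24 * 3600  # one-day lock on transfers and email changes (assumed value)


@dataclass
class Account:
    primary_email: str
    backup_email: str            # (a) second address that also gets every transfer alert
    phone: str
    transfer_unlock_enabled: bool = False   # (b) off by default; support turns it on
    pending_transfer_at: Optional[float] = None
    pending_email: Optional[tuple] = None   # (new_email, token, ready_at)


class Registrar:
    def __init__(self, now_fn):
        self._now = now_fn       # injected clock so the lock period can be simulated
        self.alerts = []         # (channel, destination, text): stands in for real delivery
        self._otps = {}          # phone -> outstanding one-time code

    def _alert(self, channel, dest, text):
        self.alerts.append((channel, dest, text))

    def issue_otp(self, account: Account) -> str:
        """(d) Send a six-digit code to the phone on file; returned here only for the demo."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._otps[account.phone] = code
        self._alert("sms", account.phone, f"your transfer code is {code}")
        return code

    def enable_transfer_unlock(self, account: Account):
        """(b) Reached only through customer support after verifying credentials."""
        account.transfer_unlock_enabled = True

    def request_transfer(self, account: Account, otp: str) -> float:
        """Start a transfer: needs the unlock flag and a valid OTP; alerts both emails."""
        if not account.transfer_unlock_enabled:
            raise PermissionError("transfer unlock not enabled; contact support")
        expected = self._otps.pop(account.phone, "")   # single use, consumed on any attempt
        if not hmac.compare_digest(expected, otp):
            raise PermissionError("invalid one-time code")
        account.pending_transfer_at = self._now() + LOCK_PERIOD      # (c)
        for dest in (account.primary_email, account.backup_email):   # (a)
            self._alert("email", dest, "domain transfer requested; completes after the lock period")
        return account.pending_transfer_at

    def approve_transfer(self, account: Account) -> bool:
        """Completes only once the lock period has elapsed; False means 'not yet'."""
        if account.pending_transfer_at is None:
            raise ValueError("no pending transfer")
        if self._now() < account.pending_transfer_at:
            return False
        account.pending_transfer_at = None
        return True

    def cancel_transfer(self, account: Account):
        """Either mailbox owner can stop the transfer during the lock window."""
        account.pending_transfer_at = None

    def request_email_change(self, account: Account, new_email: str) -> str:
        """(e) Approval token goes to the OLD address, a heads-up to the phone, and it waits a day."""
        token = secrets.token_urlsafe(16)
        account.pending_email = (new_email, token, self._now() + LOCK_PERIOD)
        self._alert("email", account.primary_email, f"approve change to {new_email} with token {token}")
        self._alert("sms", account.phone, "an email address change was requested on your account")
        return token

    def confirm_email_change(self, account: Account, token: str) -> bool:
        """Apply the change only with the token from the old mailbox and after the delay."""
        if account.pending_email is None:
            raise ValueError("no pending email change")
        new_email, expected, ready_at = account.pending_email
        if not hmac.compare_digest(expected, token):
            raise PermissionError("invalid approval token")
        if self._now() < ready_at:
            return False
        account.primary_email = new_email
        account.pending_email = None
        return True
```

An attacker holding only the primary mailbox cannot complete a transfer: the unlock flag is off until support enables it, the code goes to the phone, both addresses are told, and the one-day window gives the owner time to cancel. In a real deployment the OTP and token would be stored as hashes with expiry, and the alert list would be actual email and SMS delivery.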
Brandon Abbey says
You should also watch out for scams like this: escrow-trade.com