Criminal is spoofing ICANN.
Hacking individual domain name registrar accounts is so old-school. Why not gain access to an entire registrar or registry?
The Internet Corporation for Assigned Names and Numbers (ICANN) issued an alert that someone is running a phishing scam impersonating ICANN. The emails (so far) come from sales (at) icann.org. The perpetrator is sending them to contracted parties.
ICANN recently sent an email to some contracted parties from accounting (at) erp.icann.org, which it says is a valid email.
Of course, if someone can spoof the sales address then they can probably spoof the other one or typos of it.
ICANN.org has a DMARC record but not a published DMARC quarantine/reject policy.
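The gap described above, a DMARC record that exists but does not ask receivers to quarantine or reject, can be checked mechanically. The following is an added example, not part of the original post: it classifies DMARC TXT record strings by enforcement level. The records, the example.org address and the function names are all constructed for illustration.

```python
# Added example: classify a DMARC TXT record by how strongly it is enforced.
# Every record below is a constructed sample, not a real DNS answer.

ENFORCING = {"quarantine", "reject"}

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # RFC 7489: the version tag must come first and be exactly DMARC1.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        if sep:  # skip fragments that are not tag=value
            tags[key.strip().lower()] = value.strip()
    return tags

def assess(txt, for_subdomain=False):
    """Classify as 'no-dmarc', 'monitor-only', 'partial' or 'enforced'."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "no-dmarc"
    # Simplification: a missing or unknown p= is treated like p=none.
    policy = tags.get("p", "none").lower()
    if for_subdomain:
        # Mail from a subdomain with no record of its own falls under the
        # parent's sp= tag, or under p= when sp= is absent.
        policy = tags.get("sp", policy).lower()
    if policy not in ENFORCING:
        return "monitor-only"  # receivers only report; spoofed mail is not blocked
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    return "enforced" if pct >= 100 else "partial"

if __name__ == "__main__":
    samples = [  # constructed records
        "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.org",
        "v=DMARC1; p=reject; sp=none",
        "v=DMARC1; p=quarantine; pct=25",
        "v=spf1 -all",
    ]
    for record in samples:
        print(f"{record!r}: apex={assess(record)}, "
              f"subdomain={assess(record, for_subdomain=True)}")
```

The second sample shows why the subdomain case matters: a parent domain can reject at the apex while `sp=none` leaves mail from its subdomains unenforced.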
Rubens Kuhl says
Both icann.org and erp.icann.org have published SPF records that would prevent receipt of those fake notices, so they did their job.
Mobilisti says
With a VPS, everyone can send email on behalf.
It's the receiver's decision and obligation to verify the email safety.
Michael Dinnella says
It’s amazing that they aren’t p=reject (DMARC policy).