Domain Name Phishing is a scam that tricks the recipient into handing over the account login details. It usually involves the recipient being sent a genuine-looking email that asks them to log in to their Domain Registrar Account to check on suspicious activity, renew their domain, or verify their domain.
The email contains a link to the login page of their Domain Registrar which is a duplicate copy. The recipient then logs in to the fake site and gives up their login details to the attacker.
A slightly different form of domain phishing is where the recipient is tricked into downloading a file, such as a list of complaints or an invoice receipt. The downloaded file then installs malware which then collates confidential information from the recipient.
In this article, I will take a look at why people fall for Domain Phishing Scams and what you can do to protect yourself.
Finally, I will you through a Domain Name Verification Phishing Scam that I received myself. I’ll look at what made the email look suspicious, and how I verified that it was indeed a scam.
Why people fall for Domain Phishing Scams
1. Scammers are using sophisticated techniques:
Imaging clicking a link to your registrar, and upon landing, everything looks exactly as you remember it. Even the domain name in the browser bar is correct and has HTTPS.
Some scammers are using Unicode Characters like “A” and “O” that look identical on the screen, but their Unicode value is different. KrebsonSecurity wrote a detailed article on lookalike domains.
2. Our brains are wired to make it easy for scammers:
Our minds have two ways of thinking. Firstly, a fast, intuitive approach. Secondly, a slower analytical mode where reason dominates. These are the assertions stated by Karla Burnett, an engineer at mobile payments company, Stripe, at Black Hat 2017.
In the video, she states that when you are busy and have to review a high number of emails in a short space of time, it is not reasonable to use your analytical brain all the time. Because detecting a scam requires your slower analytical mode, you are vulnerable to making an error. It is this chance of a mistake the Domain Phishing Scam preys upon.
Phishing training at the moment is focused on getting people to look at URLs or hover over links, which require system two methods of thinking, not system one.
Such training is only useful once somebody is already suspicious of an email, not beforehand. You can’t train somebody’s system one to think an email is suspicious when it looks exactly like every other email they’ve received.
3. Certain Registrars may not be following email bests practices:
Some registrars send out emails with generic greetings, rather than addressing you by name. Because scammers tend to also send generic greetings, it may make it more likely that you will fall for it.
4. Companies sell WHOIS data:
Ever wondered why after registering a domain you are immediately bombarded with SPAM? Some registrars sell copies of their WHOIS data with basic information about your new domain, including registrant details.
5. Verification requirements for WHOIS:
As of 2013, the RAA requires registrars to verify information in WHOIS. Verification is usually requested by email and contains a link to start the verification process. This familiarity of clicking links in emails from registrars may make recipients of scam emails more used to clicking links in emails about their domain.
How to Avoid Domain Name Phishing Scams
There are some things we recommend:
1. Be wary of emails that:
- Come from Unrecognized Senders
- Ask you to confirm personal information, especially if the request is urgent.
- Are not personalized
- Try to intimidate or upset you by threatening you if you do not respond (i.e., your domain will go offline).
2. Communicate personal information via secure websites:
- Look for the green bar when logging into a site. In particular, look websites which have verified their company information (EV SSL). Enom, for example, is owned by Rightside Group Ltd, and this clearly shows on their secure pages.
- Do not communicate confidential information, or log into websites via email links. These could direct you to a malicious site that is built to look like a legitimate one.
- Do not communicate via telephone, unless you telephone them.
3. Do not Click Links in emails from unknown senders.
4. Beware of Links in emails that ask for personal information or to log into a website.
5. Secure your Domain Registrar account with two-factor authentification.
The scammer will not be able to log into your account, even if your domain Registrar login details are compromised. I can’t stress this one enough.
6. If in doubt, email your Registrar directly for verification.
If in doubt forward the email to the company it is purporting to be from and ask them to verify it is legitimate before auctioning.
7. Add WHOIS privacy
Most registrars now offer WHOIS privacy free of charge. Not only will you reduce the amount of spam received to your email address, but you will stop your registrant details being accessed by scammers.
8. Use an up-to-date Browser
Many modern browsers, such as Chrome, will alert you if you’re visiting a page identified in a phishing attack. It can take time for such pages to be flagged so you may want to use antivirus software as well.
9. Use a Email Spam Filter, such as SpamAssassin
Using a Spam Filter can help prevent Phishing Emails reaching your inbox. If you use cPanel or Plesk, then SpamAssassin is worth enabling. Otherwise, Gmail Spam filter does a reasonable job. No Spam Filter is perfect though, so don’t get complacent.
An example of a Domain Name Phishing Attack
I received an email from a company purporting to be from eNom. Enom is used by many web hosting companies to resell Domain Names, including Namecheap, although they have since started using their own Registry. The email asked me to verify my domain to prevent it from becoming inaccessible after three days.
You can see a copy of the email we received below:
From: eNom <email@example.com>
Subject: eNom — IMPORTANT! Verify your contact information for xxxxxxxxxxx.COM
Dear JONATHAN GRIFFIN, 03/07/2016 12:20:11 am
Your contact information XXXXXXXXXXXXXXXX@XXXX & +44.7901xxxxxx, has been set as the Registrant contact for a domain name registered through eNom.
Please click on the following link to verify your Contact Information
This notice is being sent due to the ICANN Validation to confirm the WHOIS information on your domain(s).
Please note that failure to verify the Registrant contact information will lead to deactivation of the respective domain name(s) if not completed within 3 days from the date of that action.
Once deactivated, the domain names will not function until the information is verified.
For any support with respect to your relationship with us you can always contact us directly using the following Information.
Sales Department firstname.lastname@example.org
Support Fax 425.974.4791
eNom Headquarters 5808 Lake Washington Blvd. NE, Ste. 300, Kirkland, WA 98033, USA
I can tell you that the email looked genuine on a quick look, although as I wasn’t expecting this email I looked a little more closely. There were a few things that didn’t look right:
- Firstly, the email was from a “tursagroup”, and the Enom domain had a suffix of “.ws”.
- Secondly, whenever I have been asked to review my domain contact details before I have never been asked to log into our account directly.
An example of a legitimate email is below:
This is your annual notice that all registered domain names must have accurate and updated contact information.
Please review the domain information below and verify its accuracy. If all information is up-to-date then no changes are necessary. Inaccurate or outdated information must be corrected by logging into your account.
While we do respect your privacy, we are required by ICANN, our regulating authority, to send these notices annually to all domain contacts. To learn more about this process and why it is required, please visit ICANN’s website: http://www.icann.org/whois/ wdrp-registrant-faq.htm
Please remember that under the terms of your registration agreement, providing false or inaccurate Whois (contact) information can be grounds for the cancellation of your domain name registration.
Domain Name Link
xxxxxxx.com View Contact Data
Created: Apr 09, 2014; Type: Registrant
Internet Corporation for Assigned Names and Numbers (ICANN)
12025 Waterfront Drive, Suite 300
Los Angeles, CA 90094-2536 USA
Sincerely, Your domain registration provider
I decided to reach out to Namecheap (who I use for all my domains), who provided the following response to seeing the email:
Thank you for contacting Namecheap Support Team!
We would like to let you know that this email does not originate from eNom. We highly recommend you not opening the file and delete the phishing email.
Please accept our apologies for the inconveniences this email might have caused to you.
Should you have any questions, feel free to contact us again.
Regards, Marina Zh. Customer Support
That confirmed my suspicions and the email was then deleted.
An example of a Search Registration Email Scam
Many webmasters are currently receiving an email notice that their domain name visibility is at risk and requesting they purchase domain name search engine registration services.
The subject matter of the email is “Domain Notification for xxxx.com: This is your Final Notice of Domain Listing”. These emails are a scam, and should be ignored.
I have reproduced a copy of the spam email below:
Attention: Important Notice, DOMAIN SERVICE NOTICE Domain Name: xxxxx.com
ATT: JONATHAN GRIFFIN
REGISTRANT CONTACT: +44.xxxxxxxxxxx
Response Requested By
23 — November — 2015
PART I: REVIEW NOTICE
Attn: JONATHAN GRIFFIN
As a courtesy to domain name holders, we are sending you this notification for your business Domain name search engine registration. This letter is to inform you that it’s time to send in your registration.
Failure to complete your Domain name search engine registration by the expiration date may result in cancellation of this offer making it difficult for your customers to locate you on the web.
Privatization allows the consumer a choice when registering. Search engine registration includes domain name search engine submission. Do not discard, this notice is not an invoice it is a courtesy reminder to register your domain name search engine listing so your customers can locate you on the web.
This Notice for: tabblr.com will expire at 11:59PM EST, 23 — November — 2015 Act now!
Select Term and Package Here
Payment by Credit/Debit Card
Select the term using the link above by 23 — November — 2015
Search Engine Registration Packages
The email provides a link to another website offering Search Engine Registration services with price ranging from $47 to $297. You can see a screenshot of the packages below:
Google confirms these are a scam
John Mueller, webmaster trends analyst at Google, commented:
Spam from DomainRegList? Ignore scams like “Domain name search engine registration,” which nobody needs — your site shows up in search just fine without it.
Search engine registration services are not required at all. Google and other search engines automatically crawl the web and add sites to their index. There is no need to register your site with them for your site to show up in Google.
Jonathan Griffin Editor, SEO Consultant, & Developer.
Jonathan Griffin is The Webmaster's Editor & CEO, managing day-to-day editorial operations across all our publications. Jonathan writes about Development, Hosting, and SEO topics for The Webmaster and The Search Review with more than nine years of experience. Jonathan also manages his own SEO consultancy, offering SEO developer services. He is an expert on site-structure, strategy, Schema, AMP, and technical SEO. You can find Jonathan on Twitter as @thewebmastercom.