  1. #1
    -Shay- is offline Public Member

    Domain Phishing Attacks

    We received notification from our hosting company this morning that a large scale domain phishing attack has been going on targeting people who have registered domains in their name. The fraudulent emails make claims such as "your domain is suspended" or claim a violation of registration terms. I have personally also seen one that claims we should "let our domain expire" because we do not have a legal right to hold the domain.

    I'm not going to post examples of these emails for personal reasons. Be aware that these types of scams are out there and use common sense before calling any of the numbers, replying to the email, or clicking any links. In fact, it is probably wise to simply ignore these types of emails. If you're uncertain whether your hosting company or registrar is the one sending it out, close the email and contact them (hosting, registrar, etc.) directly using a known good support number.

  2. The Following 5 Users Say Thank You to -Shay- For This Useful Post:

    dfiocch (2 November 2015), jono78 (31 October 2015), MMM (31 October 2015), Moonlight Cat (31 October 2015), Roulette Zeitung (31 October 2015)

  3. #2
    Roulette Zeitung is offline Public Member

    Thank you for reporting this information, Shay!

    One has to assume high criminal energy these days regarding hosting companies.

    Current example:

    ---

    What happened?

    A hacker used an exploit in an old PHP version that we were using on our website in order to gain access to our systems. Data that has been stolen includes usernames, passwords, email addresses, IP addresses and names.
    Although the whole database has been compromised, we are mostly concerned about the leaked client information.

    What did we do about it?
    We have been aware of this issue since 27th of October and our team started to troubleshoot and resolve this issue the same day, immediately after becoming aware of this issue.
    In an effort to protect our users we have temporarily blocked access to systems affected by this security flaw. We will re-enable access to the affected systems after an investigation and once all security issues have been resolved. Affected systems include our website and our members area. Additionally we have temporarily blocked FTP access, as FTP passwords have been stolen as well.
    We reset all users' passwords in our systems and increased the level of encryption to prevent such issues in the future.
    We are still working around the clock to identify and eliminate all security flaws. We will get back to providing the free service soon. We are also updating and patching our systems.


    What do you need to do?

    As all the passwords have been changed to random values, you now need to reset them when the service goes live again.
    DO NOT USE YOUR PREVIOUS PASSWORD.
    PLEASE ALSO CHANGE YOUR PASSWORDS IF YOU USED THE SAME PASSWORD FOR OTHER SERVICES.

    We also recommend that you use Two Factor Authentication (TFA) and a different password for every service whenever possible. We can recommend the Authy authenticator app and the LastPass password manager.


    We are sorry

    At 000webhost we are committed to protect user information and our systems. We are sorry and sincerely apologize we didn't manage to live up to that.
    At 000webhost our top priority remains the same - to provide free quality web hosting for everyone. The 000webhost community is a big family, exploring and using the possibilities of the internet together.
    Our leadership team will closely monitor this issue and will do everything possible to earn your trust every day.


    Sincerely,
    000webhost CEO,
    Arnas Stuopelis

    ---

    Leopold

  4. The Following 2 Users Say Thank You to Roulette Zeitung For This Useful Post:

    -Shay- (31 October 2015), suffolkpoker (31 October 2015)

  5. #3
    universal4 is offline Forum Administrator

    This has been going on for a while now and has been on the increase for about a week.

    The emails are using artwork and trademark names such as TUCOWS, Verisign, OpenSRS, GoDaddy and others. They look very official, and often even the links will look official (except that they have false hrefs).

    My guess is many unsuspecting and trusting people will fall victim to this since the emails look very professional.

    Rick
    Universal4

  6. The Following User Says Thank You to universal4 For This Useful Post:

    -Shay- (31 October 2015)
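A small check, added here as an example (it is not code from universal4's post or from any registrar) for the "official-looking link with a false href" pattern described above: it parses a constructed sample HTML email and flags anchors whose visible text names one domain while the real href points at another. The sample domains are placeholders, not real indicators.

```python
# Added example: flag anchors in an HTML email whose visible text shows one
# domain while the actual href points elsewhere (display-text/href mismatch).
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# Constructed sample body; the domains are placeholders, not real indicators.
SAMPLE_EMAIL = """
<p>Your domain YOURDOMAIN.COM has been suspended.</p>
<p><a href="http://login.example-registrar.test/verify">
   https://www.example-registrar.com/account</a></p>
<p><a href="https://www.example-registrar.com/support">Contact support</a></p>
"""

_DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


def _registrable(host):
    """Crude approximation of the registrable domain: the last two labels."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, " ".join(self._text).strip()))
            self._href = None


def find_deceptive_links(html):
    """Return (href, visible_text) pairs where the visible text contains a
    domain whose registrable part differs from that of the real href."""
    parser = _AnchorCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.anchors:
        actual_host = urlsplit(href).hostname or ""
        shown = _DOMAIN_RE.search(text)
        if shown and _registrable(shown.group(1)) != _registrable(actual_host):
            flagged.append((href, text))
    return flagged


if __name__ == "__main__":
    for href, text in find_deceptive_links(SAMPLE_EMAIL):
        print(f"visible: {text!r} -> actual target: {href}")
```

The check only catches the case where the link text itself shows a domain; a plain "Click here" link needs the href inspected by hand, as the posts above recommend.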

  7. #4
    blackriver is offline Private Member

    I have received an email from Safenames (I have a few domains there).


    Here is a sample of what the phishing e-mail may look like.


    ====================================
    SAMPLE OF PHISHING E-MAIL

    Subject: Domain [YOURDOMAIN.COM] Suspension Notice

    Dear Sir/Madam,

    The following domain names have been suspended for violation of the Safenames Ltd Abuse Policy:

    Domain Name: [YOURDOMAIN.COM]
    Registrar: Safenames Ltd
    Registrant Name: [YOUR REGISTRANT NAME]

    Multiple warnings were sent by Safenames Ltd Spam and Abuse Department to give you an opportunity to address the complaints we have received.

    We did not receive a reply from you to these email warnings so we then attempted to contact you via telephone.

    We had no choice but to suspend your domain name when you did not respond to our attempts to contact you.

    Click here and download a copy of complaints we have received.

    Please contact us by email at mailto:abuse@safenames.net for additional information regarding this notification.

    Sincerely,
    Safenames Ltd
    Spam and Abuse Department
    Abuse Department Hotline: 480-124-0101

  8. The Following User Says Thank You to blackriver For This Useful Post:

    -Shay- (1 November 2015)

  9. #5
    TravG is offline Private Member

    Yes, I received one and it took me a minute to realize it was fake. It was a good fake for sure. Mine had an attachment they wanted you to open, but luckily I didn't. I'm very hesitant to open any attachment these days unless I know for sure who it is from.

  10. The Following User Says Thank You to TravG For This Useful Post:

    -Shay- (2 November 2015)

  11. #6
    mojo is offline Private Member

    Quote Originally Posted by blackriver
    I have received an email from Safenames (I have a few domains there).
    I got this as well from another host. Same spiel. Delete.

  12. The Following User Says Thank You to mojo For This Useful Post:

    -Shay- (2 November 2015)

  13. #7
    Doolally is offline Private Member

    I'm getting the same and other similar emails too. I mainly use 1&1 for hosting.

  14. The Following User Says Thank You to Doolally For This Useful Post:

    -Shay- (2 November 2015)

  15. #8
    universal4 is offline Forum Administrator

    It never hurts to remind our peers here about this kind of stuff, and certainly the last few batches I saw looked pretty close to authentic...

    The real sad part is the less tech savvy or less domain name savvy (however you might want to phrase it) can be hurt in this mess.

    It is situations like this that will eventually force Registrars to drop the whole anonymous or domain privacy.

    Without domain privacy, the scammers could not hide behind privacy for the emails and websites running the scams.

    Law enforcement, and in this case INTERNIC and other top level domain organizations could stop the scams fairly quickly, but since they are hiding behind privacy they will scam a lot of money and likely some choice domain names.

    Rick
    Universal4

  16. #9
    AndyBonus is offline Private Member

    I have had a load of these too. The first thing I did was check with my domain register to make sure nothing had been compromised, and that they had not sent out any such emails.

  17. The Following User Says Thank You to AndyBonus For This Useful Post:

    -Shay- (3 November 2015)

  18. #10
    -Shay- is offline Public Member

    Quote Originally Posted by universal4
    It never hurts to remind our peers here about this kind of stuff, and certainly the last few batches I saw looked pretty close to authentic...

    The real sad part is the less tech savvy or less domain name savvy (however you might want to phrase it) can be hurt in this mess.

    It is situations like this that will eventually force Registrars to drop the whole anonymous or domain privacy.

    Without domain privacy, the scammers could not hide behind privacy for the emails and websites running the scams.

    Law enforcement, and in this case INTERNIC and other top level domain organizations could stop the scams fairly quickly, but since they are hiding behind privacy they will scam a lot of money and likely some choice domain names.

    Rick
    Universal4
    I am not sure that this gets solved by dropping domain privacy. In the cases I've personally seen, the so called "sender" and "reply to" were our hosting company. They are getting names and email addresses by way of the whois registry.

  19. #11
    celena is offline Private Member

    I also received an email this morning from my hoster.

  20. #12
    -Shay- is offline Public Member

    Quote Originally Posted by AndyBonus
    I have had a load of these too. The first thing I did was check with my domain register to make sure nothing had been compromised, and that they had not sent out any such emails.
    If there is a (terms) problem with my hosting or my domain name - my expectation is that I receive notification from hosting or registrar via their control panel (when I'm logged in) as an "immediate" means of communication. I put zero stock in email notifications of this nature.

  21. #13
    universal4 is offline Forum Administrator

    Shay it would NOT completely fix the issue by removing domain privacy, but the scammers have to use an email and/or a website to pull off the scam.

    If privacy is removed from those, the registrars can no longer hide the criminals.

    ISPs also need to become a little more proactive and turn off IP space when proof is provided. Many are actually getting better at this concerning DDoS attacks, but there are also quite a few that hide from ARIN, APNIC, etc. using fake contact info.

    By the way, the removal of domain privacy is being discussed, and this recent increase in scamming being so widespread will likely help push it through.

    Rick
    Universal4

  22. #14
    -Shay- is offline Public Member

    Quote Originally Posted by universal4
    Shay it would NOT completely fix the issue by removing domain privacy, but the scammers have to use an email and/or a website to pull off the scam.

    If privacy is removed from those, the registrars can no longer hide the criminals.

    ISPs also need to become a little more proactive and turn off IP space when proof is provided. Many are actually getting better at this concerning DDoS attacks, but there are also quite a few that hide from ARIN, APNIC, etc. using fake contact info.

    By the way, the removal of domain privacy is being discussed, and this recent increase in scamming being so widespread will likely help push it through.

    Rick
    Universal4

    I'm really confused here about this domain privacy thing as it relates to this topic. In our case, the scammer obtains email address through our whois info and they send an email seeming to be from our hosting provider. My belief is that if we had domain privacy, we'd never have been contacted. In no scenario do we (or would we) know who is sending out these scamming emails.

  23. #15
    universal4 is offline Forum Administrator

    Just because you have domain privacy does not mean the emails are not sent.

    The rules for domain privacy are very clear: it MUST be a valid email address.

    If Internic, ARIN or any other top-level ISP contacts you about problems or legal issues with the domain, you MUST respond.

    If the email bounces and an "invalid whois contact" report is filed, you could lose the domain.

    Based upon this, anyone who does in fact use domain privacy can and should monitor that email address, whether it be in a domain panel at the registrar, or forwarded or whatever.

    The domain privacy just adds an extra layer to dig through to find or contact the owner of the domain.

    Rick
    Universal4

  24. #16
    -Shay- is offline Public Member

    Quote Originally Posted by universal4
    Just because you have domain privacy does not mean the emails are not sent.

    The rules for domain privacy are very clear: it MUST be a valid email address.

    If Internic, ARIN or any other top-level ISP contacts you about problems or legal issues with the domain, you MUST respond.

    If the email bounces and an "invalid whois contact" report is filed, you could lose the domain.

    Based upon this, anyone who does in fact use domain privacy can and should monitor that email address, whether it be in a domain panel at the registrar, or forwarded or whatever.

    The domain privacy just adds an extra layer to dig through to find or contact the owner of the domain.

    Rick
    Universal4
    Understood... so my question is how would it protect me in this instance if domain privacy did not exist? My feeling is that I would get even more unsolicited scam emails than I already get.

  25. #17
    universal4 is offline Forum Administrator

    Well that is a trade off, do we allow the scammers and criminals to continue to hide, or do we make it easier to get to the bottom of the real issues?

    Spam and ddos attacks as well as such scams as the domain hijacking etc.

    I have studied a number of the domain scam emails, and so far have seen they are coming from dozens of subnets and countries, so the scammers are likely just buying mailings from botnets and other spammer operations.

    Rick
    Universal4

  26. #18
    -Shay- is offline Public Member

    So you're saying that if we step out in the open - then the true identity of the scammers will also be revealed?

  27. #19
    universal4 is offline Forum Administrator

    In some cases that could happen.

    They would no longer be able to have real emails of people complaining, as well as law enforcement etc. filtered through a registrar's email server that is designed to hide them.

    If a scammer sends out a million mails and 10,000 people complain in a single day, the ISP is certainly going to want to talk to them.

    This will need to be combined with a more proactive approach by the ISPs, but if they do not do so, they will face an ever increasing amount of incoming traffic, eventually overriding their costs and reducing their ROI.

    The system as it is designed does not have as many flaws as some think, but the fact that INTERNIC as well as ARIN etc have been slacking off on following some of their own policies is part of the problem.

    If domain owners as well as ISPs were forced to keep their P.O.C. accurate, I do think things could improve over time; as it stands now, email as a form of doing business is heading down the path of being closer to worthless due to abuse. (I often see ISP POCs that have a statement attached that ARIN or others have not been able to contact the abuse or tech contact for, sometimes, years.)

    If ARIN turned off their routing of said ip space for an hour, they would be on the phone with ARIN begging to get their contacts updated.

    If those behind the ip space of the scammers as well as their dns providers took real action against complaints, turning off domains when necessary, they would be in contact with their providers to clear up invalid contact info quickly, eventually leading to a reduction of the scammers being able to hide.

    The domain phishing is just another extension of the over-all problem.

    This would also force more of the scammers to operate from countries that refuse to take action. OK, can you say null routing or blocking subnets?

    The single reason that many hackers never stop trying to compromise other servers is because they know the subnet they are on has been blocked by higher percentages of the larger isp's and email providers.

    There may well be some flaws in what I propose also, but the way it is today is NOT working and domain privacy is a large part of giving hackers and scammers additional protection and methods of hiding.

    Rick
    Universal4

  28. The Following User Says Thank You to universal4 For This Useful Post:

    -Shay- (3 November 2015)
