Andrew Allemann wrote about a phishing email he received purporting to be from Dynadot, and I received a very similar email purporting to be from Enom. The email was caught by Gmail's spam/junk filter, so it looks like some mail providers have caught on to these phishing attempts.
From my own observations, domain registrar phishing attempts seem to be on the rise. This particular attack looks more like a spear phishing attempt, since it mentioned a specific domain name owned by my company rather than being sent at random.
When a hacker obtains account login information through a successful phishing attempt, they can easily steal domain names from the account. While most seasoned domain investors would not fall prey to this, I would imagine there are people who own just a few domain names who might.
The best way to secure domain registrar accounts, in my opinion, is to enable two-factor authentication. Many registrars offer it, and it's very important to set up.
I have published the email below so you can see what it looks like:
Subject: Domain [redacted.COM] Suspension Notice
Dear Sir/Madam,
The following domain names have been suspended for violation of the ENOM, INC. Abuse Policy:
Domain Name: [redacted.COM]
Registrar: ENOM, INC.
Registrant Name: DOMAIN ADMINISTRATOR
Multiple warnings were sent by ENOM, INC. Spam and Abuse Department to give you an opportunity to address the complaints we have received.
We did not receive a reply from you to these email warnings so we then attempted to contact you via telephone.
We had no choice but to suspend your domain name when you did not respond to our attempts to contact you.
Click here and download a copy of complaints we have received.
Please contact us by email at mailto:abuse@enom.com for additional information regarding this notification.
Sincerely,
ENOM, INC.
Spam and Abuse Department
Abuse Department Hotline: 480-124-0101
WOW! Word for word.
Got several today supposedly from Fabulous.
They’re still coming in (up to about ten now).
First hint was not addressing me directly by name.
“Dear Sir/Madam,
The following domain names have been suspended for violation of the FABULOUS.COM PTY LTD. Abuse Policy:
Domain Name: (redacted).com
Registrar: FABULOUS.COM PTY LTD.
Registrant Name: (redacted)
Multiple warnings were sent by FABULOUS.COM PTY LTD. Spam and Abuse Department to give you an opportunity to address the complaints we have received.
We did not receive a reply from you to these email warnings so we then attempted to contact you via telephone.
We had no choice but to suspend your domain name when you did not respond to our attempts to contact you.
Click here and download a copy of complaints we have received.
Please contact us by email at mailto:abuse@fabulous.com for additional information regarding this notification.
Sincerely,
FABULOUS.COM PTY LTD.
Spam and Abuse Department
Abuse Department Hotline: 480-124-0101
This email has been protected by YAC (Yet Another Cleaner)
http://www.yac.mx”
>>>>>>>>
Always check details
>>>>>>>>
Return-Path:
Received: from nh503-vm12.bullet.mail.kks.yahoo.co.jp (nh503-vm12.bullet.mail.kks.yahoo.co.jp [183.79.56.198])
by mtaiw-mbe01.mx.aol.com (Internet Inbound) with ESMTP id 3B0B57000008B
for ; Mon, 26 Oct 2015 13:06:07 -0400 (EDT)
Received: from [183.79.100.140] by nh503.bullet.mail.kks.yahoo.co.jp with NNFMP; 26 Oct 2015 17:06:06 -0000
Received: from [183.79.100.133] by t503.bullet.mail.kks.yahoo.co.jp with NNFMP; 26 Oct 2015 17:06:06 -0000
Received: from [127.0.0.1] by omp502.mail.kks.yahoo.co.jp with NNFMP; 26 Oct 2015 17:06:06 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 719257.99704.bm@omp502.mail.kks.yahoo.co.jp
Message-ID:
Received: (qmail 36880 invoked by alias); 26 Oct 2015 17:06:06 -0000
Received: from unknown (HELO moladu) (103.195.3.42 with login)
by ybbsmtp509.mail.kks.yahoo.co.jp with SMTP; 26 Oct 2015 17:06:06 -0000
X-Apparently-From:
From: abuse@fabulous.com
To:
Subject: Domain REDACTED.com Suspension Notice
Date: Mon, 26 Oct 2015 16:05:59 -0700
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0015_00000150.00003916"
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.6157
x-aol-global-disposition: G
Authentication-Results: mx.aol.com;
spf=pass (aol.com: the domain ybb.ne.jp reports 183.79.56.198 as a permitted sender.) smtp.mailfrom=ybb.ne.jp;
x-aol-sid: 3039ac1afea7562e5d7f34cd
X-AOL-IP: 183.79.56.198
X-AOL-SPF: domain : ybb.ne.jp SPF : pass
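The header check the comment above recommends, as an added example that is not part of the original post: it parses a constructed header set modelled on the quoted headers and flags that the SPF pass belongs to the envelope domain ybb.ne.jp, not to the fabulous.com address shown in From. The recipient address is a placeholder and the long opaque X-YMail headers are omitted.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the headers quoted in the comment above;
# the recipient address is a placeholder and opaque headers are left out.
PHISH_HEADERS = """\
Received: from nh503-vm12.bullet.mail.kks.yahoo.co.jp (nh503-vm12.bullet.mail.kks.yahoo.co.jp [183.79.56.198])
\tby mtaiw-mbe01.mx.aol.com (Internet Inbound) with ESMTP id 3B0B57000008B
\tfor <victim@example.com>; Mon, 26 Oct 2015 13:06:07 -0400 (EDT)
Received: from unknown (HELO moladu) (103.195.3.42 with login)
\tby ybbsmtp509.mail.kks.yahoo.co.jp with SMTP; 26 Oct 2015 17:06:06 -0000
From: abuse@fabulous.com
To: victim@example.com
Subject: Domain REDACTED.com Suspension Notice
Authentication-Results: mx.aol.com;
\tspf=pass (aol.com: the domain ybb.ne.jp reports 183.79.56.198 as a permitted sender.) smtp.mailfrom=ybb.ne.jp;
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def domain_of(header_value):
    """Domain part of the first address in a From-style header."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def check_sender_alignment(raw_message):
    """Compare the visible From domain with the domain SPF actually vouched for."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg.get("From", ""))
    auth = " ".join(msg.get_all("Authentication-Results", []))
    spf = re.search(r"\bspf=(\w+)", auth)
    mailfrom = re.search(r"smtp\.mailfrom=([\w.-]+)", auth)
    spf_result = spf.group(1).lower() if spf else "none"
    envelope_domain = mailfrom.group(1).lower() if mailfrom else ""
    # Relaxed alignment as DMARC defines it: same domain or a subdomain of it.
    aligned = bool(from_domain) and (
        envelope_domain == from_domain or envelope_domain.endswith("." + from_domain))
    # Each hop prepends its Received header, so reversing gives origin-first order.
    received = msg.get_all("Received", [])
    hops = [m.group(1) for h in reversed(received) for m in IPV4.finditer(h)]
    findings = []
    if not aligned:
        findings.append(f"SPF result '{spf_result}' is for {envelope_domain or 'no domain'}, "
                        f"not the From domain {from_domain}")
    if any("with login" in h for h in received):
        # Yahoo's qmail stamp: the message was submitted with an authenticated mailbox login.
        findings.append("submitted through an SMTP-authenticated mailbox account")
    return {"from_domain": from_domain, "envelope_domain": envelope_domain, "spf": spf_result,
            "aligned": aligned, "hops": hops, "findings": findings, "suspicious": bool(findings)}
```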
To: All Moniker.Com Customers,
You may have been receiving recent emails from abuse@moniker.com with the subject titled “Domain …. Suspension Notice”
These emails are NOT from our abuse team.
According to recent findings on Domain Name Wire, several registrars, including Moniker.com, are being email spoofed:
http://domainnamewire.com/2015/10/26/warning-domain-name-phishing-email-blast-going-on-right-now/
DO NOT CLICK ON ANY OF THE LINKS WITHIN THESE EMAILS.
Moniker Online Services LLC. will not send any notices regarding your domains without your account number present within the email. We do not send notices with links to download files regarding your domains.
If you are unsure of the validity of your emails, please check the email headers to determine the source and return path for the email address. If you are still in doubt, forward any emails you are unsure of to legal@moniker.com; if it is a valid email, we will notify you properly.
John McLaughlin
COO
Moniker.com, Inc.
Uniregistry has this issue as well. My inbox is getting flooded ATM
Dear Sir/Madam,
The following domain names have been suspended for violation of the UNIREGISTRAR CORP Abuse Policy:
Domain Name: XXXXXX
Registrar: UNIREGISTRAR CORP
Registrant Name: XXXX
Multiple warnings were sent by UNIREGISTRAR CORP Spam and Abuse Department to give you an opportunity to address the complaints we have received.
We did not receive a reply from you to these email warnings so we then attempted to contact you via telephone.
We had no choice but to suspend your domain name when you did not respond to our attempts to contact you.
Click here and download a copy of complaints we have received.
Please contact us by email at mailto:abuse@uniregistry.com for additional information regarding this notification.
Sincerely,
UNIREGISTRAR CORP
Spam and Abuse Department
Abuse Department Hotline: 480-124-0101
The sender targeted domains starting with numbers, then moved on to letters; I only received emails for “A”. It appears to be a method of pinging email addresses with clicks, as each domain is linked. I would not discount the possibility of phishing attempts.
I got several emails exactly like the one above from Enom (supposedly), and while I am usually careful not to click on any links, I had something else on my mind all day and I ended up clicking on the link (Click here and download a copy of complaints we have received). However, when I click on the links it seems like the website where they have the PHP script has been suspended (I see a Hostgator suspended page). I'm assuming I did not end up downloading any virus to my PC.
Can anyone confirm if any of these had any viruses, or were they just hosting a PHP script to collect data? If these had viruses I have to do a clean install on my PC. If you have any additional info please post.
Thanks!
I can confirm the file has a virus. Webroot identifies it as a Trojan, classifying it as Win32.LocalInfect.2.
The link that is downloading the file in an email I got is coming from:
http://[url removed].com/……
I too received this same email. I do not use Enom as my registrar so that was a red flag to me, so I googled it before I opened anything, thank goodness this site is here to show it has to be a phishing email.
Dear Sir/Madam,
The following domain names have been suspended for violation of the ENOM, INC. Abuse Policy:
Domain Name: xxx.COM
Registrar: ENOM, INC.
Registrant Name: xxx
Multiple warnings were sent by ENOM, INC. Spam and Abuse Department to give you an opportunity to address the complaints we have received.
We did not receive a reply from you to these email warnings so we then attempted to contact you via telephone.
We had no choice but to suspend your domain name when you did not respond to our attempts to contact you.
Click here and download a copy of complaints we have received.
Please contact us for additional information regarding this notification.
Sincerely,
ENOM, INC.
Spam and Abuse Department
Abuse Department Hotline: 480-394-7905
Also, I called the number listed and it says, “You have reached a vacant number in Arizona.”
Recently, we've been seeing an increase in e-mail phishing attempts pretending to be eNom and other domain registrars. So we thought we would make a public service announcement to warn our customers and others of the attack ongoing across the Internet.