Enom Spear Phishing Email Received

Andrew Allemann wrote about a phishing email he received purporting to be from Dynadot, and I received a very similar email purporting to be from Enom. The email was caught by Gmail in the spam/junk filter, so it looks like some mail providers have been catching on to these phishing attempts.

By my own observations, it seems that domain registrar phishing attempts are on the rise. This particular attack looks like it is more along the lines of a spear phishing attempt since it mentioned a specific domain name that is owned by my company rather than being randomly sent.

When a hacker is able to obtain account login information due to a successful phishing attempt, they can easily steal domain names from the account. While most seasoned domain investors would not fall prey to this, I would imagine there are people who own just a few domain names that might.

The best thing to do to secure domain registrar accounts, in my opinion, is to have two factor authentication enabled. Many registrars offer it, and it’s very important to set up.

I have published the email below so you can see what it looks like:

Subject: Domain [redacted.COM] Suspension Notice

Dear Sir/Madam,

The following domain names have been suspended for violation of the ENOM, INC. Abuse Policy:

Domain Name: [redacted.COM]
Registrar: ENOM, INC.
Registrant Name: DOMAIN ADMINISTRATOR

Multiple warnings were sent by ENOM, INC. Spam and Abuse Department to give you an opportunity to address the complaints we have received.

We did not receive a reply from you to these email warnings so we then attempted to contact you via telephone.

We had no choice but to suspend your domain name when you did not respond to our attempts to contact you.

Click here and download a copy of complaints we have received.

Please contact us by email at mailto:abuse@enom.com for additional information regarding this notification.

Sincerely,
ENOM, INC.
Spam and Abuse Department
Abuse Department Hotline: 480-124-0101

Elliot Silver
About The Author: Elliot Silver is an Internet entrepreneur and publisher of DomainInvesting.com. Elliot is also the founder and President of Top Notch Domains, LLC, a company that has closed eight figures in deals.

9 COMMENTS

  1. WOW! Word for word.

    Got several today supposedly from Fabulous.

    They’re still coming in. (up to about ten now)

    First hint was not addressing me directly by name.

    “Dear Sir/Madam,

    The following domain names have been suspended for violation of the FABULOUS.COM PTY LTD. Abuse Policy:

    Domain Name: (redacted).com
    Registrar: FABULOUS.COM PTY LTD.
    Registrant Name: (redacted)

    Multiple warnings were sent by FABULOUS.COM PTY LTD. Spam and Abuse Department to give you an opportunity to address the complaints we have received.

    We did not receive a reply from you to these email warnings so we then attempted to contact you via telephone.

    We had no choice but to suspend your domain name when you did not respond to our attempts to contact you.

    Click here and download a copy of complaints we have received.

    Please contact us by email at mailto:abuse@fabulous.com for additional information regarding this notification.

    Sincerely,
    FABULOUS.COM PTY LTD.
    Spam and Abuse Department
    Abuse Department Hotline: 480-124-0101

    This email has been protected by YAC (Yet Another Cleaner)
    http://www.yac.mx

    >>>>>>>>
    Always check details

    >>>>>>>>

    Return-Path:
    Received: from nh503-vm12.bullet.mail.kks.yahoo.co.jp (nh503-vm12.bullet.mail.kks.yahoo.co.jp [183.79.56.198])
    by mtaiw-mbe01.mx.aol.com (Internet Inbound) with ESMTP id 3B0B57000008B
    for ; Mon, 26 Oct 2015 13:06:07 -0400 (EDT)
    Received: from [183.79.100.140] by nh503.bullet.mail.kks.yahoo.co.jp with NNFMP; 26 Oct 2015 17:06:06 -0000
    Received: from [183.79.100.133] by t503.bullet.mail.kks.yahoo.co.jp with NNFMP; 26 Oct 2015 17:06:06 -0000
    Received: from [127.0.0.1] by omp502.mail.kks.yahoo.co.jp with NNFMP; 26 Oct 2015 17:06:06 -0000
    X-Yahoo-Newman-Property: ymail-3
    X-Yahoo-Newman-Id: 719257.99704.bm@omp502.mail.kks.yahoo.co.jp
    Message-ID:
    Received: (qmail 36880 invoked by alias); 26 Oct 2015 17:06:06 -0000
    Received: from unknown (HELO moladu) (103.195.3.42 with login)
    by ybbsmtp509.mail.kks.yahoo.co.jp with SMTP; 26 Oct 2015 17:06:06 -0000
    X-YMail-JAS: W4xVLBoVM1kmMn9HHHa__eVNVc2muAL5Y_nMHn4i09mXE7Nhqjpx5OUizGNqWUEW6oGIsLOlmmzu634Nw6Buwii6i99YXHxb8zQHu0kPqs75ftQ1fyjQLQl4thmink_fFd86IA--
    X-Apparently-From:
    From: abuse@fabulous.com
    To:
    Subject: Domain REDACTED.com Suspension Notice
    Date: Mon, 26 Oct 2015 16:05:59 -0700
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_0015_00000150.00003916"
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Unsent: 1
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.6157
    x-aol-global-disposition: G
    Authentication-Results: mx.aol.com;
    spf=pass (aol.com: the domain ybb.ne.jp reports 183.79.56.198 as a permitted sender.) smtp.mailfrom=ybb.ne.jp;
    x-aol-sid: 3039ac1afea7562e5d7f34cd
    X-AOL-IP: 183.79.56.198
    X-AOL-SPF: domain : ybb.ne.jp SPF : pass

  2. To: All Moniker.Com Customers,
    You may have been receiving recent emails from abuse@moniker.com with the subject titled “Domain …. Suspension Notice”

    These emails are NOT from our abuse team.

    According to recent findings on Domain Name Wire several registrars including Moniker.com are being email spoofed

    http://domainnamewire.com/2015/10/26/warning-domain-name-phishing-email-blast-going-on-right-now/

    DO NOT CLICK ON ANY OF THE LINKS WITHIN THESE EMAILS.

    Moniker Online Services LLC. will not send any notices regarding your domains without your account number present within the email. We do not send notices with links to download files regarding your domains.

    If you are unsure of the validity of your emails please check the email headers to determine the source and return path for the email address. If you are still in doubt, forward any emails you are unsure of to legal@moniker.com if it is a valid email we will notify you properly.

    John McLaughlin
    COO
    Moniker.com, Inc.

  3. Uniregistry has this issue as well. My inbox is getting flooded ATM

    Dear Sir/Madam,

    The following domain names have been suspended for violation of the UNIREGISTRAR CORP Abuse Policy:

    Domain Name: XXXXXX
    Registrar: UNIREGISTRAR CORP
    Registrant Name: XXXX

    Multiple warnings were sent by UNIREGISTRAR CORP Spam and Abuse Department to give you an opportunity to address the complaints we have received.

    We did not receive a reply from you to these email warnings so we then attempted to contact you via telephone.

    We had no choice but to suspend your domain name when you did not respond to our attempts to contact you.

    Click here and download a copy of complaints we have received.

    Please contact us by email at mailto:abuse@uniregistry.com for additional information regarding this notification.

    Sincerely,
    UNIREGISTRAR CORP
    Spam and Abuse Department
    Abuse Department Hotline: 480-124-0101

  4. The sender targeted domains starting with numbers, then moved onto letters; only received emails for “A”. It appears to be a method of pinging email addresses with clicks, as each domain is linked. I would not discount the possibility of phishing attempts.

  5. I got several emails exactly like the one above from enom (supposedly) and while I am usually careful not to click on any links, I had something else on my mind all day and I ended up clicking on the link (Click here and download a copy of complaints we have received). However, when I click on the links it seems like the website where they have the php script seems to have been suspended (I see Hostgator suspended page). I am assuming I did not end up downloading any virus to PC.

    Can anyone confirm if any of these had any VIRUSES or were they just hosting a php script to collect data. If these had viruses I have to do a clean install on my PC. If you have any additional info please post.

    Thanks!

  6. I can confirm the file has a virus. Webroot identifies it as a Trojan classifying it as Win32.LocalInfect.2

    The link that is downloading the file in an email I got is coming from:

    http://[url removed].com/……

  7. I too received this same email. I do not use Enom as my registrar so that was a red flag to me, so I googled it before I opened anything, thank goodness this site is here to show it has to be a phishing email.

    Dear Sir/Madam,

    The following domain names have been suspended for violation of the ENOM, INC. Abuse Policy:

    Domain Name: xxx.COM
    Registrar: ENOM, INC.
    Registrant Name: xxx

    Multiple warnings were sent by ENOM, INC. Spam and Abuse Department to give you an opportunity to address the complaints we have received.

    We did not receive a reply from you to these email warnings so we then attempted to contact you via telephone.

    We had no choice but to suspend your domain name when you did not respond to our attempts to contact you.

    Click here and download a copy of complaints we have received.

    Please contact us for additional information regarding this notification.

    Sincerely,
    ENOM, INC.
    Spam and Abuse Department
    Abuse Department Hotline: 480-394-7905

  8. Recently, we've been seeing an increase in e-mail phishing attempts pretending to be eNom and other domain registrars. So we thought we would make a public service announcement to warn our customers and others of the attack on-going across the Internet.
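
The header check that the Moniker notice recommends, applied to the headers posted in the first comment, as an added example that is not part of the original post or its comments. The function names, the `trusted_authserv` parameter and the simplified alignment rule are assumptions made for illustration; the sample is abridged from the posted headers with folding restored.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: abridged from the headers posted in the first comment,
# with header folding restored and the blank recipient fields left out.
SAMPLE_HEADERS = """\
Received: from nh503-vm12.bullet.mail.kks.yahoo.co.jp
\t(nh503-vm12.bullet.mail.kks.yahoo.co.jp [183.79.56.198])
\tby mtaiw-mbe01.mx.aol.com (Internet Inbound) with ESMTP id 3B0B57000008B;
\tMon, 26 Oct 2015 13:06:07 -0400 (EDT)
Received: from unknown (HELO moladu) (103.195.3.42 with login)
\tby ybbsmtp509.mail.kks.yahoo.co.jp with SMTP; 26 Oct 2015 17:06:06 -0000
From: abuse@fabulous.com
Subject: Domain REDACTED.com Suspension Notice
Authentication-Results: mx.aol.com;
\tspf=pass (aol.com: the domain ybb.ne.jp reports 183.79.56.198 as a
\tpermitted sender.) smtp.mailfrom=ybb.ne.jp;

"""

def domain_of(value):
    """Lower-cased domain part of an address or bare domain."""
    return value.rsplit("@", 1)[-1].strip("<> ").lower()

def analyse(raw_headers, trusted_authserv="mx.aol.com"):
    """Compare the visible From domain with the domain SPF actually vouched for."""
    msg = message_from_string(raw_headers)
    from_domain = domain_of(parseaddr(msg.get("From", ""))[1])
    # Only believe Authentication-Results stamped by our own receiving server.
    auth = " ".join(h for h in msg.get_all("Authentication-Results") or []
                    if h.split(";", 1)[0].strip().lower() == trusted_authserv)
    spf = re.search(r"\bspf=(\w+)", auth)
    mailfrom = re.search(r"smtp\.mailfrom=([^\s;]+)", auth)
    env_domain = domain_of(mailfrom.group(1)) if mailfrom else ""
    # Simplified relaxed alignment (same domain or a subdomain of it); a real
    # DMARC check uses the Public Suffix List to find organizational domains.
    aligned = bool(env_domain) and (
        from_domain == env_domain
        or from_domain.endswith("." + env_domain)
        or env_domain.endswith("." + from_domain))
    # Bottom-most Received is the first hop; rely on it only if that relay is trusted.
    hops = msg.get_all("Received") or []
    ip = re.search(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})", hops[-1]) if hops else None
    return {"from_domain": from_domain, "mailfrom_domain": env_domain,
            "spf": spf.group(1).lower() if spf else None, "aligned": aligned,
            "origin_ip": ip.group(1) if ip else None}

if __name__ == "__main__":
    print(analyse(SAMPLE_HEADERS))
```

On the posted headers the SPF pass covers ybb.ne.jp, the envelope sender's domain, and says nothing about the fabulous.com address shown in From, which is why the result reports the two as not aligned.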
