I want to share a warning with you regarding a spear phishing email I received that claimed to be from eNom and even used a “eNom” branded ccTLD domain name to carry out this scam. I consider it spearphishing rather than phishing because it contained information specific to the domain name that was mentioned, and these types of targeted phishing campaigns can be more confusing for recipients.
From what I know, phishing emails are the likely culprit for the majority of domain name thefts. Once a thief has access to a registrar account, he can change account details and begin the process of stealing domain names without the owner’s knowledge. It is important to remember that this type of email can target domain name owners at other registrars. Thieves can also use any domain name that looks official, so shutting this down is not as easy as turning off the domain name that is being used to carry out this campaign.
To best protect domain registrar accounts, it is important to turn on two factor authentication (2FA), which is offered by many domain registrars. eNom uses Google Authenticator as well as a two question account validation login for security. Other registrars use different methods of 2FA.
If you do find yourself a victim of domain theft, attorney Stevan Lieberman wrote a helpful article on how to recover a stolen domain name.
Here is the email I received with some details removed:
Subject: eNom – IMPORTANT! Verify your contact information for DOMAININVESTING.COM
Body:
Dear DOMAIN ADMINISTRATOR, 03/06/2016 09:15:32 pmYour contact information [Redacted] & [Redacted] , has been set as the Registrant contact for a domain name registered through eNom.
Please click on the following link to verify your Contact Informationhttp://enom.ws/recordings/locale/login/
This notice is being sent due to the ICANN Validation to confirm the WHOIS information on your domain(s).
Please note that failure to verify the Registrant contact information will lead to deactivation of the respective domain name(s) if not completed within 3 days from the date of that action.
Once deactivated, the domain names will not function until the information is verified.Domain: DOMAININVESTING.COM
Support:
For any support with respect to your relationship with us you can always contact us directly using the following Information.Sales Department sales@enomsupport.com
Support Fax 425.974.4791
eNom Headquarters 5808 Lake Washington Blvd. NE, Ste. 300, Kirkland, WA 98033, USA
http://enom.com
http://enomsupport.com
I received the same email.
I checked the enom.ws domain linked in the email. It was registered yesterday (2016-03-06)…
That ICANN policy requiring registrars to validate contact information – since it was implemented 2 years ago, what has it accomplished other than bringing down active websites and opening the door to phishing attacks?
Nothing really.
Admin Name: Saeed Kamel
Admin Organization:
Admin Street: 97 Ahmed Esmat st
Admin City: Cairo
Admin State/Province: Cairo
Admin Postal Code: 11311
Admin Country: EG
Admin Phone: +20.1147051965
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: SaeedKamel2025@gmail.com
You could forward it to abuse@godaddy.com