Skip to main content

The Domain Reminder "Scam"

Introduction

You may know that I often follow-up on scamming emails, in order to investigate the true motive for their attempt. So here I would like to outline a scam which looks fairly passive but tricks the user in its usage of wording.

The Scam

First the scamming company search DNS records and locate a domain which is near to timing-out and gain the email address of the registered person.

Next they draft an official looking email which looks like it knows lots of details about the domain and account holder, and which warns them about a domain which is expiring:



But the wording is strange here, and there's nothing illegal in what they are offering. In quickly reading the email, it seems that they are warning you that your domain is expiring on 28 June 2017, and that it will be cancelled. But read more closely ... it is their offer of the SEO registration that will be cancelled on 28 June 2017! This is the same date as the domain is actually going to time-out, so they seem to be trying to trick the user into thinking that they need to pay for this service in order not to lose their domain.

As I search my emails, I see so many emails like this, and which has been triggered by a domain expiring and with a different company email address:



Once you click, you're led to the payment page (it has probably been designed to reflect the GoDaddy colours):



The Registration

The company is registered to:

1000 Fifth Street Suite 200 – G9 MIAMI BEACH, FL 33139
 
For the payment they create a new sub-domain for one of their sites and pass in the details of the domain name and expiry date in the URL:

"httpz:www.profsimscom.shippropertyg.org/?d=profsims.com&p=07-10-2017

For this they have created a subdomain of shipproperty.org and when we do a Whois on that, we trace it to China:

$ whois shippropertyg.org
Domain Name: SHIPPROPERTYG.ORG
Registry Domain ID: D402200000002595912-LROR
Registrar WHOIS Server:
Registrar URL: http://www.55hl.com
Updated Date: 2017-06-02T01:54:13Z
Creation Date: 2017-06-01T23:27:43Z
Registry Expiry Date: 2018-06-01T23:27:43Z
Registrar Registration Expiration Date:
Registrar: Jiangsu Bangning Science and technology Co. Ltd.
Registrar IANA ID: 1469
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone:
Reseller:
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Registry Registrant ID: C193737765-LROR
Registrant Name: BingWang
Registrant Organization: Wang Bing
Registrant Street: Cui Xiang Jie Dao 1256Hao
Registrant City: Zhu Hai
Registrant State/Province: Guang Dong
Registrant Postal Code: 519000
Registrant Country: CN
Registrant Phone: +86.075620696654
Registrant Phone Ext:
Registrant Fax: +86.075620696654
Registrant Fax Ext:
Registrant Email: wynne112@mail.com
Registry Admin ID: C193737766-LROR
Admin Name: BingWang
Admin Organization:
Admin Street: Cui Xiang Jie Dao 1256Hao
Admin City: Zhu Hai
Admin State/Province: Guang Dong
Admin Postal Code: 519000
Admin Country: CN
Admin Phone: +86.075620696654
Admin Phone Ext:
Admin Fax: +86.075620696654
Admin Fax Ext:
Admin Email: wynne112@mail.com
Registry Tech ID: C193737767-LROR
Tech Name: BingWang
Tech Organization:
Tech Street: Cui Xiang Jie Dao 1256Hao
Tech City: Zhu Hai
Tech State/Province: Guang Dong
Tech Postal Code: 519000
Tech Country: CN
Tech Phone: +86.075620696654
Tech Phone Ext:
Tech Fax: +86.075620696654
Tech Fax Ext:
Tech Email: wynne112@mail.com
Name Server: F1G1NS1.DNSPOD.NET
Name Server: F1G1NS2.DNSPOD.NET
DNSSEC: unsigned

and all of the links I see send themselves to these sites which are registered in China and non-US countries, so one must wonder about the Miami registration of the company. Other sites include "londonseo.org":

"httz://www.cloud4informationcom.londoneseo.org%?d=cloud4information.com&p=06-29-2017

The Payment

The additional risk is when we do click on the payment, there is no SSL connection for the actual entry of the details:



Even though it says that SSL is used ... it is not! Users should never enter payment details without seeing a green padlock and where HTTPS is used:



At the bottom of the page the user is tricked into thinking that everything is secure:


but it is not using SSL and security.fhtpay.com doesn't even exist!

Conclusions

There are so many risks in this scam, especially in the way they put pressure on you to pay for something that looks official. The advice from GoDaddy is:




Comments

Post a Comment

Popular posts from this blog

Getting Ready for the All Clear for Backdoors?

Introduction As GDPR heads towards an increasing application of encryption, the US may move towards legislating for a backdoor on crypto - named "responsible encryption". The justification revolves around cases such as for Syed Rizwan Farook who open killed 14 people in San Bernardino. Within the investigation, the FBI put considerable pressure on Apple to open the phone, but they refused. After this, the US government pushed through a court order to force Apple to produce a new operating system which could be unlocked, and again Apple refused and said that it was "a threat to individual liberty". Many now see strong encryption as the key weapon in a battle between perfect encryption and a Big Brother society, and where civil liberties are the ultimate target. And so to soften the tone of the debate, the term exceptional access was coined. Clear While President Obama dismissed the application of backdoors into crypto, it is now being pushed forward within the ...
Post a Comment
Read more

Twitter Password Reset and Media Panic Stories

  Introduction The Twitter data breach showcases the possible up-and-coming storm from the media on data breaches, especially that it still struggles to understand some of the technical elements involved in a breach. With the Facebook/Cambridge Analytica story making the news headlines, the media now know that they have a technically-related topic that the general public are interested in. And so Twitter is the most recent major Cloud Service Provider who has hit the headlines: So many in the media this was pushed as a major story, but it was just a typical story of someone making a mistake and which was quickly righted. The chances of any related data breach is minimal as it was only an internal processing mistake. For most companies the error would go unreported external, but in the days of the media chasing for cover-ups and evidence of bad practice, Twitter did the right thing and reported it. The media, of course, go for shock headlines, and which can panic users (and...
Post a Comment
Read more