Old 11-03-2015, 09:19 AM   #1
rowan
Too lazy to set a custom title
 
Join Date: Mar 2002
Location: Australia
Posts: 17,379
Moniker fake suspension notice (phish?)

Received this for a few of my domains. At first glance it actually looks quite legit. Note that it includes the domain name and also the registrar. A fair bit more sophisticated than the usual "your (bank you don't actually use) login is invalid" phish.

The link includes the victim domain in the URL. I haven't clicked through to see what happens.

==========


Dear Sir/Madam,

The following domain names have been suspended for violation of the Moniker Online Services LLC Abuse Policy:

Domain Name: <my domain>
Registrar: Moniker Online Services LLC
Registrant Name: Moniker Privacy Services

Multiple warnings were sent by Moniker Online Services LLC Spam and Abuse Department to give you an opportunity to address the complaints we have received.

We did not receive a reply from you to these email warnings so we then attempted to contact you via telephone.

We had no choice but to suspend your domain name when you did not respond to our attempts to contact you.

Click here and download a copy of complaints we have received.

Please contact us for additional information regarding this notification.

Sincerely,
Moniker Online Services LLC
Spam and Abuse Department
Abuse Department Hotline: 480-846-1648
Old 11-03-2015, 09:20 AM   #2
BlackCrayon
Too lazy to set a custom title
Join Date: Jun 2003
Location: Ottawa
Posts: 19,624
It's a huge phishing campaign. I've gotten hundreds of them.
__________________
you don't know you're wearing a leash if you sit by the peg all day..
Old 11-03-2015, 09:21 AM   #3
rowan
Too lazy to set a custom title
 
Join Date: Mar 2002
Location: Australia
Posts: 17,379
By the way, Moniker has pulled this sort of shit before - threats of suspension etc - which is another reason I initially thought it was legit.
Old 11-03-2015, 09:21 AM   #4
AaronM
Too lazy to set a custom title
Join Date: Oct 2001
Location: ┌∩┐ ◣_◢ ┌∩┐
Posts: 46,905
Where did I set that timeline graphic.....
Old 11-03-2015, 09:22 AM   #5
sperbonzo
I'd rather be on my boat.
Join Date: May 2003
Location: Miami, FL
Posts: 9,739
There has been a bunch of domain phishing attempts flying around in the last month or so. I have had several, seemingly from several different domain companies. Just staying sharp on the URLs and contact info in the emails, compared to the real companies, will keep you safe.
Old 11-03-2015, 09:24 AM   #6
rowan
Too lazy to set a custom title
 
Join Date: Mar 2002
Location: Australia
Posts: 17,379
Quote:
Originally Posted by AaronM View Post
Where did I set that timeline graphic.....
First time I've seen it. I scanned the first couple of pages before starting this thread.
Old 11-03-2015, 09:27 AM   #7
Vendot
Confirmed User
Join Date: May 2002
Location: Malaysia
Posts: 3,376
Quote:
Originally Posted by rowan View Post
By the way, Moniker has pulled this sort of shit before - threats of suspension etc - which is another reason I initially thought it was legit.
Well you should avoid clicking links in emails and consider disabling links/images in emails too so you get text only and not html emails to your domain registrant/admin emails.

However, that's also another reason why you should consider TFA (Two Factor Authentication). The idea of TFA is to incorporate (a) something you know ie a password with (b) something you have ie a mobile phone or token or something else. Therefore someone with your username and password alone is not going to get into your account.

It's a standard feature at Namecheap (free of charge) but they also have a lot of other security features that would defeat phishing and other similar kinds of malady. For example, you are able to disable the "Forgot Password" options which means that if someone gains access to your email they also will not be able to send the login details to your email address.
__________________
"In a Time of Universal Deceit, Telling the Truth is a Revolutionary Act." - George Orwell
Old 11-03-2015, 10:03 AM   #8
AaronM
Too lazy to set a custom title
Join Date: Oct 2001
Location: ┌∩┐ ◣_◢ ┌∩┐
Posts: 46,905
Quote:
Originally Posted by rowan View Post
First time I've seen it. I scanned the first couple of pages before starting this thread.
It's currently the 2nd or 3rd thread of its kind on the first page. No biggie. Just busting your balls a bit.

Better to have a few threads than not have it noticed at all.
Old 11-03-2015, 11:10 AM   #9
Paul&John
Confirmed User
Join Date: Aug 2005
Location: YUROP
Posts: 8,512
https://gfy.com/fucking-around-and-pr...-namesilo.html
Old 11-03-2015, 11:12 AM   #10
DVTimes
Holedex.com
Join Date: Jun 2003
Location: UK
Posts: 31,540
Warning over email | Wouj Webmaster Site
Old 11-03-2015, 11:13 AM   #11
Sly
Let's do some business!
Join Date: Sep 2004
Location: Austin, TX
Posts: 31,227
This isn't just Moniker. This scam is making the rounds through all the registrars. I've been getting them from eNom for two weeks now. They don't appear to have hit Go Daddy yet but I'm sure that will be cycling through pretty soon.
Old 11-03-2015, 12:18 PM   #12
jscott
jscizzle
Join Date: Feb 2001
Location: Taipei
Posts: 23,394
Mine were from ENOM etc

Hover over the link in the email and it links to some shady looking url, you can see from that, how shady this is.
__________________
“If you think tough men are dangerous, wait until you see what weak men are capable of.”
—Jordan B. Peterson

Old 11-03-2015, 12:33 PM   #13
$money$
So Fucking Banned
Join Date: Nov 2015
Posts: 1,418
I've got these in the mail before
Old 11-03-2015, 02:41 PM   #14
JFK
FUBAR the ORIGINATOR
Join Date: Jan 2002
Location: FUBARLAND
Posts: 67,381
Quote:
Originally Posted by AaronM View Post
Where did I set that timeline graphic.....
Old 11-03-2015, 04:38 PM   #15
rowan
Too lazy to set a custom title
 
Join Date: Mar 2002
Location: Australia
Posts: 17,379
Quote:
Originally Posted by Vendot View Post
However, that's also another reason why you should consider TFA (Two Factor Authentication). The idea of TFA is to incorporate (a) something you know ie a password with (b) something you have ie a mobile phone or token or something else. Therefore someone with your username and password alone is not going to get into your account.
2FA is a good extra defence (I have it enabled at Namesilo), but it's not infallible. If the phish site acts as a man-in-the-middle proxy, relaying everything between you and the real site, then when you enter your user/password/2FA through the phish site, they are now logged in as you, and will remain logged in until the registrar site decides on another 2FA challenge. The only way I can think to defeat this would be IP-based restrictions, with the registrar requiring further authentication action if you attempt to log in from a previously unseen IP.
Old 11-03-2015, 04:42 PM   #16
j3rkules
VIP
Join Date: Jul 2013
Posts: 22,104
Quote:
Originally Posted by Paul&John View Post
Old 11-03-2015, 07:02 PM   #17
Vendot
Confirmed User
Join Date: May 2002
Location: Malaysia
Posts: 3,376
Quote:
Originally Posted by rowan View Post
If the phish site acts as a man-in-the-middle proxy, relaying everything between you and the real site, then when you enter your user/password/2FA through the phish site
Sure thing but it makes it a lot more difficult and 2FA is only good for one login so it's going to severely limit the damage if you access through a phish link.

Quote:
The only way I can think to defeat this would be IP-based restrictions, with the registrar requiring further authentication action if you attempt to log in from a previously unseen IP.
Good idea. The problem with GEO IP is that it's not very accurate. Once that is solved, you could also limit people by country and that would enhance security greatly.
Old 11-03-2015, 07:28 PM   #18
sandman!
Icq: 14420613
Join Date: Mar 2001
Location: chicago
Posts: 15,413
This has been going on for a week or more.
Old 11-03-2015, 08:18 PM   #19
ErectMedia
Confirmed Chicago Pimp
Join Date: Aug 2004
Location: Chicago
Posts: 7,100
Quote:
Originally Posted by Sly View Post
This isn't just Moniker. This scam is making the rounds through all the registrars. I've been getting them from eNom for two weeks now. They don't appear to have hit Go Daddy yet but I'm sure that will be cycling through pretty soon.
I've gotten at least 25-50 on GoDaddy domains over the last week or so, have slightly over 500 domains with them.
Old 11-03-2015, 11:14 PM   #20
rowan
Too lazy to set a custom title
 
Join Date: Mar 2002
Location: Australia
Posts: 17,379
Quote:
Originally Posted by Vendot View Post
Sure thing but it makes it a lot more difficult and 2FA is only good for one login so it's going to severely limit the damage if you access through a phish link.
Depends on the site. It may be possible to prolong the session indefinitely (or at least for many hours) if you regularly refresh a page, or send an AJAX request.

Quote:
Originally Posted by Vendot View Post
Good idea. The problem with GEO IP is that it's not very accurate. Once that is solved, you could also limit people by country and that would enhance security greatly.
GeoIP could be used to flag a possible hack attempt - if the last 100 logins are from the USA but the account is suddenly logging in from CN or RU there's probably something up - but I was suggesting something more simple: any new IP needs to be authenticated, perhaps via an email link, or better, something like SMS. Would get pretty annoying if you have a dynamic IP that regularly changes, or you're a hipster that likes to work out of cafes with free wifi.

Then again.... I guess people who fall for phishing aren't going to know or care about IP based security. Or 2FA, for that matter.
Old 11-03-2015, 11:34 PM   #21
Vendot
Confirmed User
Join Date: May 2002
Location: Malaysia
Posts: 3,376
Quote:
Originally Posted by rowan View Post
GeoIP could be used to flag a possible hack attempt - if the last 100 logins are from the USA but the account is suddenly logging in from CN or RU there's probably something up
That's also a good point. If not to include where access comes from, then as you say, to "exclude places where access will not come from" or at least flag that.

So if I know with a high degree of certainty that I will never access from say China or Pakistan, I should be able to exclude access from any IP originating from CN, PK or any given set of countries. Of course, hackers can hide it but I guess it all helps.

Quote:
I was suggesting something more simple: any new IP needs to be authenticated, perhaps via an email link, or better, something like SMS.
With Namecheap 2FA you always have to confirm using the code you get in Phone or SMS so I don't see how this will add any extra benefit.

Quote:
Then again.... I guess people who fall for phishing aren't going to know or care about IP based security. Or 2FA, for that matter.
True but nor will they be likely to have anything worth stealing. Namecheap actually has some of the best account security tools in the name space but I'll suggest some of these ideas to them.
Old 11-04-2015, 02:25 AM   #22
rowan
Too lazy to set a custom title
 
Join Date: Mar 2002
Location: Australia
Posts: 17,379
Quote:
Originally Posted by Vendot View Post
With Namecheap 2FA you always have to confirm using the code you get in Phone or SMS so I don't see how this will add any extra benefit.
The idea is that the additional challenge (say, in the event of an alien IP) would require you to access the registrar site directly. The SMS could warn that the client should type in the URL directly, and/or check the verified company name in the address bar.

So it goes like this...

1) First 2FA value is captured by phish site, and passed through. At this point if login was to succeed they would have control of your account.
2) Registrar sees unknown & geographically disparate IP (the phish site) logging into that account, sends SMS to client with further instructions to further verify the login.
3) SMS warns of possible breach and advises client to load registrar site directly in order to complete login, which may then require them to change password, or confirm that the new IP on the other side of the world is actually legit.
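The flow in posts #20 and #22 (flag an unfamiliar origin, withhold the session, confirm out of band), as an added Python example that is not part of the thread or any registrar's code. LoginGuard, its method names and all addresses are hypothetical; treating a confirmation that arrives from an already-verified IP as "the owner came to the site directly" is this example's own assumption.

```python
# Added example (not from the thread): step-up decision after password + 2FA.
# LoginGuard, its methods and all sample values are hypothetical/constructed.
import secrets
from collections import Counter

ALLOW, STEP_UP = "allow", "step_up"


class LoginGuard:
    def __init__(self):
        self.known_ips = {}   # account -> set of IPs already verified
        self.countries = {}   # account -> Counter of countries seen
        self.pending = {}     # challenge id -> (account, ip, country)

    def record(self, account, ip, country):
        """Remember a verified login origin for the account."""
        self.known_ips.setdefault(account, set()).add(ip)
        self.countries.setdefault(account, Counter())[country] += 1

    def evaluate(self, account, ip, country):
        """Call once the password and 2FA code have been accepted.

        Returns (decision, reasons, challenge_id). On STEP_UP no session
        is issued; the challenge id goes to the owner out of band (SMS in
        the thread) with advice to open the registrar site directly.
        """
        reasons = []
        if ip not in self.known_ips.get(account, set()):
            reasons.append("unseen_ip")
        seen = self.countries.get(account)
        if seen and country not in seen:
            # GeoIP is coarse, so this only enriches the alert text.
            reasons.append("unseen_country")
        if "unseen_ip" not in reasons:
            self.record(account, ip, country)
            return ALLOW, reasons, None
        challenge_id = secrets.token_urlsafe(16)
        self.pending[challenge_id] = (account, ip, country)
        return STEP_UP, reasons, challenge_id

    def confirm(self, challenge_id, from_ip):
        """Approve a pending login only if the confirmation itself arrives
        from an IP already verified for the account (assumption of this
        example: that is how "came to the site directly" is recognised)."""
        entry = self.pending.get(challenge_id)
        if entry is None:
            return False
        account, ip, country = entry
        if from_ip not in self.known_ips.get(account, set()):
            return False          # e.g. relayed through the same unseen host
        del self.pending[challenge_id]
        self.record(account, ip, country)
        return True


def demo():
    guard = LoginGuard()
    guard.record("acct-1", "198.51.100.7", "AU")             # constructed history
    usual = guard.evaluate("acct-1", "198.51.100.7", "AU")
    odd = guard.evaluate("acct-1", "203.0.113.50", "RU")     # constructed relay IP
    relayed = guard.confirm(odd[2], "203.0.113.50")
    direct = guard.confirm(odd[2], "198.51.100.7")
    return usual[0], odd[0], odd[1], relayed, direct


if __name__ == "__main__":
    print(demo())
```

An owner on a dynamic IP or cafe wifi, the case post #20 raises, cannot confirm under this strict rule and would need a separate recovery path.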
Old 11-04-2015, 04:49 AM   #23
Adraco
Confirmed User
Join Date: May 2009
Location: Onboard an airplane around the globe
Posts: 3,710
I have my domains at Fabulous and I have been getting those too.

One way to catch those is that they are sent to the domain privacy email. Fabulous always communicates with me on my real email, via a forwarding email address, which is of course unique and only used for just Fabulous. It contains letters and numbers in a certain order, only Fabulous knows this email even exists and it would be highly unlikely for anyone else to guess the email. Thereby, once I receive an email addressed to that forwarding address, then I can quite safely assume it is real and everything else gets ignored.

But I found the same emails in my Gmail spam box, with the domain
http:// shakilkumar . com/abuse_report . php?domain.com

You can remove the ?domain.com and see, it will try to download a .pdf.scr file. Pretending to be the complaint in PDF format but in reality an executable .scr file. Of course I didn't download the file nor did I enter my own domain after the question mark.
__________________
----------------------------------------------------------------------------------
The truth is not affected by the beliefs, or doubts, of the majority.
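The two tells from post #23 (mail not addressed to the registrar-only forwarding alias, and a document-looking name that ends in an executable extension such as .pdf.scr), as an added Python example that is not part of the post. All function names, addresses and file names are constructed; the name check is shown on attachments here and applies equally to a download's file name.

```python
# Added example (not from the thread): two checks on a "registrar" notice.
# Function names, addresses and file names below are constructed.
import posixpath
from email.message import EmailMessage
from email.utils import getaddresses

EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def is_disguised_executable(filename):
    """True for names like 'complaints.pdf.scr': an executable final
    extension hidden behind a document-looking inner extension."""
    # Win32 strips trailing dots and spaces, so normalise them away first.
    name = filename.strip().lower().rstrip(". ")
    stem, last = posixpath.splitext(name)
    inner = posixpath.splitext(stem)[1]
    return last in EXECUTABLE_EXTS and inner in DOCUMENT_EXTS


def recipients(msg):
    """Lower-cased addresses from the To and Cc headers."""
    headers = [str(v) for h in ("To", "Cc") for v in msg.get_all(h, [])]
    return {addr.lower() for _, addr in getaddresses(headers) if addr}


def triage(msg, registrar_alias):
    """Return a list of findings for a message claiming to be from the registrar."""
    findings = []
    if registrar_alias.lower() not in recipients(msg):
        findings.append("recipient_not_alias")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if is_disguised_executable(name):
            findings.append("disguised_executable:" + name)
    return findings


def build_sample(to_addr, attachment_name):
    """Constructed message used only to exercise triage()."""
    msg = EmailMessage()
    msg["From"] = "abuse@registrar.example"
    msg["To"] = to_addr
    msg["Subject"] = "Domain suspension notice"
    msg.set_content("Constructed body.")
    msg.add_attachment(b"constructed bytes", maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg


if __name__ == "__main__":
    alias = "x7k2q9@forward.example"   # constructed registrar-only alias
    print(triage(build_sample("privacy@whoisprivacy.example",
                              "complaints.pdf.scr"), alias))
```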
Old 11-05-2015, 12:29 PM   #24
Vendot
Confirmed User
Join Date: May 2002
Location: Malaysia
Posts: 3,376
Quote:
Originally Posted by rowan View Post
1) First 2FA value is captured by phish site, and passed through. At this point if login was to succeed they would have control of your account.
Yes, but if, for example, I log in to Namecheap and provide my 2FA - that password is valid only the moment I use it because 2FA is in effect an OTP (one time password).

Since I am using it as soon as I am receiving it, the 2FA is of no use to the phisher who has no way to obtain a new one because he doesn't own my phone. I think technically it's possible but difficult for a phish site to use a 2FA.
Old 11-05-2015, 08:26 PM   #25
rowan
Too lazy to set a custom title
 
Join Date: Mar 2002
Location: Australia
Posts: 17,379
Quote:
Originally Posted by Vendot View Post
Yes, but if, for example, I log in to Namecheap and provide my 2FA - that password is valid only the moment I use it because 2FA is in effect an OTP (one time password).

Since I am using it as soon as I am receiving it, the 2FA is of no use to the phisher who has no way to obtain a new one because he doesn't own my phone. I think technically it's possible but difficult for a phish site to use a 2FA.
You're not getting it.

If you're logging in via the phish site, which then relays your username, password and a valid 2FA token to the registrar, they control your session. There is only the 2FA challenge once, at login; every subsequent load will present some sort of session identifier, in the URL, or a cookie. Since you're going via the phish site, they can capture that session identifier, and now they own your session.

Then it's as simple as printing a "we were wrong, apologies for the inconvenience," with a fake logout button, to make the user go away (remember they're responding to a notice about their domain, not just routinely logging in to do something else.) Phish site still owns the active session and can do anything with your account that does not require another 2FA challenge.
Old 11-05-2015, 09:02 PM   #26
Vendot
Confirmed User
Join Date: May 2002
Location: Malaysia
Posts: 3,376
Quote:
Originally Posted by rowan View Post
If you're logging in via the phish site, which then relays your username, password and a valid 2FA token to the registrar, they control your session.
Oh I see. Now I understand.

So if the domain site detects login from unusual IP location, that gets flagged and prompts domain site to force a second 2FA request and require a second verification via logging in through browser rather than email link. Is this what you are saying? I do think it addresses something which people should be strongly advised against doing anyway which is logging into their account via email link.

It needs work but it's a good idea - I will also suggest this one.