Moniker fake suspension notice (phish?)

  • rowan
    Too lazy to set a custom title
    • Mar 2002
    • 17393

    #1

    Business Moniker fake suspension notice (phish?)

    Received this for a few of my domains. At first glance it actually looks quite legit. Note that it includes the domain name and also the registrar. A fair bit more sophisticated than the usual "your (bank you don't actually use) login is invalid" phish.

    The link includes the victim domain in the URL. I haven't clicked through to see what happens.

    ==========


    Dear Sir/Madam,

    The following domain names have been suspended for violation of the Moniker Online Services LLC Abuse Policy:

    Domain Name: <my domain>
    Registrar: Moniker Online Services LLC
    Registrant Name: Moniker Privacy Services

    Multiple warnings were sent by Moniker Online Services LLC Spam and Abuse Department to give you an opportunity to address the complaints we have received.

    We did not receive a reply from you to these email warnings so we then attempted to contact you via telephone.

    We had no choice but to suspend your domain name when you did not respond to our attempts to contact you.

    Click here and download a copy of complaints we have received.

    Please contact us for additional information regarding this notification.

    Sincerely,
    Moniker Online Services LLC
    Spam and Abuse Department
    Abuse Department Hotline: 480-846-1648
  • BlackCrayon
    Too lazy to set a custom title
    • Jun 2003
    • 19634

    #2
    It's a huge phishing campaign. I've gotten hundreds of them.
    you don't know you're wearing a leash if you sit by the peg all day..

    Comment

    • rowan
      Too lazy to set a custom title
      • Mar 2002
      • 17393

      #3
      By the way, Moniker has pulled this sort of shit before - threats of suspension etc - which is another reason I initially thought it was legit.

      Comment

      • AaronM
        GFY Royality ;)
        • Oct 2001
        • 46923

        #4
        Where did I set that timeline graphic.....

        Comment

        • sperbonzo
          I'd rather be on my boat.
          • May 2003
          • 9750

          #5
          There has been a bunch of domain phishing attempts flying around in the last month or so. I have had several, seemingly from several different domain companies. Just staying sharp on the URLs and contact info in the emails, compared to the real companies, will keep you safe.

          Michael Sperber / Acella Financial LLC/ Online Payment Processing

          [email protected] / http://Acellafinancial.com/

          ICQ 177961090 / Tel +1 909 NET BILL / Skype msperber

          Comment

          • rowan
            Too lazy to set a custom title
            • Mar 2002
            • 17393

            #6
            Originally posted by AaronM
            Where did I set that timeline graphic.....
            First time I've seen it. I scanned the first couple of pages before starting this thread.

            Comment

            • Vendot
              Confirmed User
              • May 2002
              • 3376

              #7
              Originally posted by rowan
              By the way, Moniker has pulled this sort of shit before - threats of suspension etc - which is another reason I initially thought it was legit.
              Well, you should avoid clicking links in emails, and consider disabling links/images in emails too so you get text only, not HTML, at your domain registrant/admin email addresses.

              However, that's also another reason why you should consider TFA (two-factor authentication). The idea of TFA is to incorporate (a) something you know, i.e. a password, with (b) something you have, i.e. a mobile phone or token or something else. Therefore someone with your username and password alone is not going to get into your account.

              It's a standard feature at Namecheap (free of charge), but they also have a lot of other security features that would defeat phishing and other similar kinds of malady. For example, you are able to disable the "Forgot Password" option, which means that if someone gains access to your email they also will not be able to send the login details to your email address.
              "In a Time of Universal Deceit, Telling the Truth is a Revolutionary Act." - George Orwell

              Comment

              • AaronM
                GFY Royality ;)
                • Oct 2001
                • 46923

                #8
                Originally posted by rowan
                First time I've seen it. I scanned the first couple of pages before starting this thread.
                It's currently the 2nd or 3rd thread of its kind on the first page. No biggie. Just busting your balls a bit.

                Better to have a few threads than not have it noticed at all.

                Comment

                • Paul&John
                  Confirmed User
                  • Aug 2005
                  • 8643

                  #9
                  http://gfy.com/fucking-around-and-pr...-namesilo.html

                  Comment

                  • DVTimes
                    xxx
                    • Jun 2003
                    • 31658

                    #10
                    Warning over email | Wouj Webmaster Site
                    XXX

                    Comment

                    • Sly
                      Let's do some business!
                      • Sep 2004
                      • 31376

                      #11
                      This isn't just Moniker. This scam is making the rounds through all the registrars. I've been getting them from eNom for two weeks now. They don't appear to have hit Go Daddy yet but I'm sure that will be cycling through pretty soon.

                      Comment

                      • jscott
                        jscizzle
                        • Feb 2001
                        • 25412

                        #12
                        Mine were from eNom etc.

                        Hover over the link in the email and it links to some shady-looking URL; you can see from that how shady this is.
                        “If you think tough men are dangerous, wait until you see what weak men are capable of.”
                        —Jordan B. Peterson


                        Comment

                        • $money$
                          So Fucking Banned
                          • Nov 2015
                          • 1416

                          #13
                          I've got these in the mail before.

                          Comment

                          • JFK
                            FUBAR the ORIGINATOR
                            • Jan 2002
                            • 67373

                            #14
                            Originally posted by AaronM
                            Where did I set that timeline graphic.....


                            Comment

                            • rowan
                              Too lazy to set a custom title
                              • Mar 2002
                              • 17393

                              #15
                              Originally posted by Vendot
                              However, that's also another reason why you should consider TFA (Two Factor Authentication). The idea of TFA is to incorporate (a) something you know ie a password with (b) something you have ie a mobile phone or token or something else. Therefore someone with your username and password alone is not going to get into your account.
                              2FA is a good extra defence (I have it enabled at Namesilo), but it's not infallible. If the phish site acts as a man-in-the-middle proxy, relaying everything between you and the real site, then when you enter your user/password/2FA through the phish site, they are now logged in as you, and will remain logged in until the registrar site decides on another 2FA challenge. The only way I can think to defeat this would be IP-based restrictions, with the registrar requiring further authentication action if you attempt to log in from a previously unseen IP.

                              Comment

                              • j3rkules
                                VIP
                                • Jul 2013
                                • 22111

                                #16

                                Comment

                                • Vendot
                                  Confirmed User
                                  • May 2002
                                  • 3376

                                  #17
                                  Originally posted by rowan
                                  If the phish site acts as a man-in-the-middle proxy, relaying everything between you and the real site, then when you enter your user/password/2FA through the phish site
                                  Sure thing, but it makes it a lot more difficult, and 2FA is only good for one login, so it's going to severely limit the damage if you access through a phish link.

                                  The only way I can think to defeat this would be IP-based restrictions, with the registrar requiring further authentication action if you attempt to log in from a previously unseen IP.
                                  Good idea. The problem with GEO IP is that it's not very accurate. Once that is solved, you could also limit people by country and that would enhance security greatly.
                                  "In a Time of Universal Deceit, Telling the Truth is a Revolutionary Act." - George Orwell

                                  Comment

                                  • sandman!
                                    Icq: 14420613
                                    • Mar 2001
                                    • 15431

                                    #18
                                    This has been going on for a week or more.

                                    Comment

                                    • ErectMedia
                                      Confirmed Chicago Pimp
                                      • Aug 2004
                                      • 7100

                                      #19
                                      Originally posted by Sly
                                      This isn't just Moniker. This scam is making the rounds through all the registrars. I've been getting them from eNom for two weeks now. They don't appear to have hit Go Daddy yet but I'm sure that will be cycling through pretty soon.
                                      I've gotten at least 25-50 on GoDaddy domains over the last week or so, have slightly over 500 domains with them.

                                      Comment

                                      • rowan
                                        Too lazy to set a custom title
                                        • Mar 2002
                                        • 17393

                                        #20
                                        Originally posted by Vendot
                                        Sure thing but it makes it a lot more difficult and 2FA is only good for one login so its going to severely limit the damage if you access through a phish link.
                                        Depends on the site. It may be possible to prolong the session indefinitely (or at least for many hours) if you regularly refresh a page, or send an AJAX request.

                                        Originally posted by Vendot
                                        Good idea. The problem with GEO IP is that it's not very accurate. Once that is solved, you could also limit people by country and that would enhance security greatly.
                                        GeoIP could be used to flag a possible hack attempt - if the last 100 logins are from the USA but the account is suddenly logging in from CN or RU there's probably something up - but I was suggesting something more simple: any new IP needs to be authenticated, perhaps via an email link, or better, something like SMS. Would get pretty annoying if you have a dynamic IP that regularly changes, or you're a hipster that likes to work out of cafes with free wifi.

                                        Then again.... I guess people who fall for phishing aren't going to know or care about IP based security. Or 2FA, for that matter.

                                        Comment

                                        • Vendot
                                          Confirmed User
                                          • May 2002
                                          • 3376

                                          #21
                                          Originally posted by rowan
                                          GeoIP could be used to flag a possible hack attempt - if the last 100 logins are from the USA but the account is suddenly logging in from CN or RU there's probably something up
                                          That's also a good point. If not to include where access comes from, then as you say, to "exclude places where access will not come from" or at least flag that.

                                          So if I know with a high degree of certainty that I will never access from say China or Pakistan, I should be able to exclude access from any IP originating from CN, PK or any given set of countries. Of course, hackers can hide it but I guess it all helps.

                                          I was suggesting something more simple: any new IP needs to be authenticated, perhaps via an email link, or better, something like SMS.
                                          With Namecheap 2FA you always have to confirm using the code you get by phone or SMS, so I don't see how this will add any extra benefit.

                                          Then again.... I guess people who fall for phishing aren't going to know or care about IP based security. Or 2FA, for that matter.
                                          True but nor will they be likely to have anything worth stealing. Namecheap actually has some of the best account security tools in the name space but I'll suggest some of these ideas to them.
                                          "In a Time of Universal Deceit, Telling the Truth is a Revolutionary Act." - George Orwell

                                          Comment

                                          • rowan
                                            Too lazy to set a custom title
                                            • Mar 2002
                                            • 17393

                                            #22
                                            Originally posted by Vendot
                                            With Namecheap 2FA you always have to confirm using the code you get in Phone or SMS so I don't see how this will add any extra benefit.
                                            The idea is that the additional challenge (say, in the event of an alien IP) would require you to access the registrar site directly. The SMS could warn that the client should type in the URL directly, and/or check the verified company name in the address bar.

                                            So it goes like this...

                                            1) First 2FA value is captured by phish site, and passed through. At this point if login was to succeed they would have control of your account.
                                            2) Registrar sees unknown & geographically disparate IP (the phish site) logging into that account, sends SMS to client with further instructions to further verify the login.
                                            3) SMS warns of possible breach and advises client to load registrar site directly in order to complete login, which may then require them to change password, or confirm that the new IP on the other side of the world is actually legit.

                                            Comment

                                            • Adraco
                                              Confirmed User
                                              • May 2009
                                              • 3745

                                              #23
                                              I have my domains at Fabulous and I have been getting those too.

                                              One way to catch those is that they are sent to the domain privacy email. Fabulous always communicates with me on my real email, via a forwarding email address, which is of course unique and only used for Fabulous. It contains letters and numbers in a certain order; only Fabulous knows this email even exists, and it would be highly unlikely for anyone else to guess it. Thereby, once I receive an email addressed to that forwarding address, I can quite safely assume it is real, and everything else gets ignored.

                                              But I found the same emails in my Gmail spam box, with the domain
                                              http:// shakilkumar . com/abuse_report . php?domain.com

                                              You can remove the ?domain.com and see, it will try to download a .pdf.scr file. Pretending to be the complaint in PDF format but in reality an executable .scr file. Of course I didn't download the file nor did I enter my own domain after the question mark.
                                              ----------------------------------------------------------------------------------
                                              The truth is not affected by the beliefs, or doubts, of the majority.

                                              Comment
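Three checks come up in this thread: compare the link target and contact details against the real company (sperbonzo, #5), hover over the link to see where it really goes (jscott, #12), and treat anything not sent to the unique forwarding alias as fake, while watching for a "PDF" that is really a .scr executable (Adraco, #23). The following is an added example, not code from any registrar or from the posters, that runs those checks over a constructed email modelled on the notice quoted in the first post. The registrar domain list, the canary alias and the lookalike login link are assumptions; the shakilkumar.com link and the .pdf.scr filename are the ones reported in the thread.

```python
"""Triage a registrar-style phishing email: who it was sent to, where its links
really go, and whether a "complaint PDF" is really an executable.

Added example; the domain list, canary alias and sample email are constructed.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

LEGIT_DOMAINS = {"moniker.com"}                   # assumed registrar domains
CANARY_ALIAS = "a7k2-moniker-q9x@example.net"     # assumed per-registrar forwarding alias
EXECUTABLE_EXTS = {"scr", "exe", "pif", "com", "bat", "cmd", "js", "vbs", "hta", "lnk"}

# Constructed sample modelled on the notice quoted in the first post.
SAMPLE_EMAIL = """From: Spam and Abuse Department <abuse@moniker.com>
To: <privacy@privacyservice.example>
Subject: Domain suspended: example.com
Content-Type: text/html; charset=utf-8

<html><body>
<p>The following domain names have been suspended for violation of the Abuse Policy:</p>
<p>Domain Name: example.com<br>Registrar: Moniker Online Services LLC</p>
<p><a href="http://shakilkumar.com/abuse_report.php?example.com">Click here</a>
and download a copy of complaints we have received.</p>
<p>Or log in at <a href="http://moniker.com.account-check.example/login">https://www.moniker.com/</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs, i.e. what 'hover over the link' shows."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Last two labels of a hostname. Naive: real code should use the public suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def suspicious_filename(name: str) -> bool:
    """True for double extensions ending in an executable type, e.g. complaints.pdf.scr."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    return len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS


def analyse(raw: str) -> list:
    """Return (finding, detail) pairs; an empty list means nothing obvious was wrong."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    recipient = parseaddr(str(msg["To"]))[1]
    if recipient.lower() != CANARY_ALIAS:            # real mail only ever reaches the alias
        findings.append(("recipient_not_canary", recipient))
    collector = LinkCollector()
    collector.feed(msg.get_body(preferencelist=("html", "plain")).get_content())
    for href, text in collector.links:
        target = urlsplit(href)
        host = target.hostname or ""
        if registrable(host) not in LEGIT_DOMAINS:   # link leaves the registrar's domain
            findings.append(("link_host_mismatch", href))
        if text.startswith("http"):                   # displayed URL differs from real target
            shown = urlsplit(text).hostname or ""
            if registrable(shown) != registrable(host):
                findings.append(("display_url_mismatch", f"{text} -> {href}"))
        if suspicious_filename(target.path):          # e.g. /complaints.pdf.scr in the path
            findings.append(("executable_download", href))
    return findings


if __name__ == "__main__":
    for kind, detail in analyse(SAMPLE_EMAIL):
        print(f"{kind:22} {detail}")
    print("complaints.pdf.scr suspicious:", suspicious_filename("complaints.pdf.scr"))
```

The filename check is separate from the link walk on purpose: in the case Adraco describes, the executable name only shows up in the server's download response, so it has to be applied to the served filename (for example from a Content-Disposition header) as well as to link paths.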

                                              • Vendot
                                                Confirmed User
                                                • May 2002
                                                • 3376

                                                #24
                                                Originally posted by rowan
                                                1) First 2FA value is captured by phish site, and passed through. At this point if login was to succeed they would have control of your account.
                                                Yes, but if, for example, I log in to Namecheap and provide my 2FA, that password is valid only the moment I use it, because 2FA is in effect an OTP (one-time password).

                                                Since I am using it as soon as I am receiving it, the 2FA is of no use to the phisher, who has no way to obtain a new one because he doesn't own my phone. I think technically it's possible but difficult for a phish site to use a 2FA.
                                                "In a Time of Universal Deceit, Telling the Truth is a Revolutionary Act." - George Orwell

                                                Comment

                                                • rowan
                                                  Too lazy to set a custom title
                                                  • Mar 2002
                                                  • 17393

                                                  #25
                                                  Originally posted by Vendot
                                                  Yes but if for example, If I login to Namecheap and provide my 2FA - that password is valid only the moment I use it because 2FA is in effect an OTP (one time password).

                                                  Since I am using it as soon as I am receiving it, the 2FA is of no use to the phisher who has no way to obtain a new one because he doesn't own my phone. I think technically its possible but difficult for a phish site to use a 2FA.
                                                  You're not getting it.

                                                  If you're logging in via the phish site, which then relays your username, password and a valid 2FA token to the registrar, they control your session. There is only the 2FA challenge once, at login; every subsequent load will present some sort of session identifier, in the URL, or a cookie. Since you're going via the phish site, they can capture that session identifier, and now they own your session.

                                                  Then it's as simple as printing a "we were wrong, apologies for the inconvenience," with a fake logout button, to make the user go away (remember they're responding to a notice about their domain, not just routinely logging in to do something else.) Phish site still owns the active session and can do anything with your account that does not require another 2FA challenge.

                                                  Comment

                                                  • Vendot
                                                    Confirmed User
                                                    • May 2002
                                                    • 3376

                                                    #26
                                                    Originally posted by rowan
                                                    If you're logging in via the phish site, which then relays your username, password and a valid 2FA token to the registrar, they control your session.
                                                    Oh I see. Now I understand.

                                                    So if the domain site detects login from unusual IP location, that gets flagged and prompts domain site to force a second 2FA request and require a second verification via logging in through browser rather than email link. Is this what you are saying? I do think it addresses something which people should be strongly advised against doing anyway which is logging into their account via email link.

                                                    It needs work, but it's a good idea. I will also suggest this one.
                                                    "In a Time of Universal Deceit, Telling the Truth is a Revolutionary Act." - George Orwell

                                                    Comment
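The exchange above (rowan, #15, #22 and #25; Vendot, #26) is easier to follow with the three outcomes laid side by side: a relay proxy that captures the session after a one-time code is used, the proposed step-up for logins from an unseen IP with the session bound to whichever IP completes it, and the case where the user defeats that by typing the SMS code into the phish page anyway. The following is an added simulation, not code from any registrar or from the posters; the registrar model, the toy OTP, the IP addresses and the one-octet country table are assumptions made for illustration.

```python
"""Relay-proxy phishing against a registrar login, with and without a
new-IP step-up. Added example; everything here is a constructed model.
"""
import hashlib
import hmac
import secrets

# Constructed GeoIP table keyed on the first octet (a real deployment would
# use a GeoIP database).
GEOIP = {"203": "AU", "198": "US", "45": "RU"}


def country_of(ip: str) -> str:
    return GEOIP.get(ip.split(".")[0], "??")


class Registrar:
    """Toy model of a registrar login endpoint."""

    def __init__(self, step_up: bool = True):
        self.step_up = step_up
        self.users = {}       # user -> (password, otp_secret, phone)
        self.seen_ips = {}    # user -> IPs that have completed a login
        self.sessions = {}    # token -> (user, bound_ip)
        self.pending = {}     # challenge id -> (user, sms code)
        self.sms_outbox = []  # (phone, message) the registrar "sent"

    def register(self, user, password, otp_secret, phone, home_ip):
        self.users[user] = (password, otp_secret, phone)
        self.seen_ips[user] = {home_ip}

    def otp_code(self, user, counter):
        """Toy one-time code (HMAC of a counter); stands in for TOTP or SMS codes."""
        secret = self.users[user][1]
        return hmac.new(secret, str(counter).encode(), hashlib.sha256).hexdigest()[:6]

    def login(self, user, password, otp, counter, client_ip):
        stored_pw, _, phone = self.users[user]
        if password != stored_pw or not hmac.compare_digest(otp, self.otp_code(user, counter)):
            return {"status": "denied"}
        if not self.step_up or client_ip in self.seen_ips[user]:
            return {"status": "ok", "token": self._issue(user, client_ip)}
        # Unseen IP: withhold the session and push instructions out of band.
        known = {country_of(ip) for ip in self.seen_ips[user]}
        flag = "new country" if country_of(client_ip) not in known else "new IP"
        cid, code = secrets.token_hex(8), secrets.token_hex(3)
        self.pending[cid] = (user, code)
        self.sms_outbox.append((phone, f"Login from {client_ip} ({flag}). If this is you, "
                                       f"type the registrar URL yourself and enter code {code}."))
        return {"status": "step_up_required", "challenge": cid}

    def complete_step_up(self, cid, code, client_ip):
        user, expected = self.pending.pop(cid, (None, ""))
        if user is None or not hmac.compare_digest(code, expected):
            return {"status": "denied"}
        self.seen_ips[user].add(client_ip)      # trust whichever IP finished the challenge
        return {"status": "ok", "token": self._issue(user, client_ip)}

    def _issue(self, user, ip):
        token = secrets.token_urlsafe(16)
        self.sessions[token] = (user, ip)       # session bound to the issuing IP
        return token

    def whoami(self, token, client_ip):
        user, bound = self.sessions.get(token, (None, None))
        return user if bound == client_ip else None


class PhishProxy:
    """Relays whatever the victim types to the real site, from the attacker's IP, and keeps the replies."""

    def __init__(self, registrar, attacker_ip):
        self.r, self.ip, self.captured = registrar, attacker_ip, []

    def relay_login(self, *creds):
        resp = self.r.login(*creds, client_ip=self.ip)
        self.captured.append(resp)
        return resp

    def relay_step_up(self, cid, code):
        resp = self.r.complete_step_up(cid, code, self.ip)
        self.captured.append(resp)
        return resp


def scenario(step_up: bool, user_follows_sms: bool) -> dict:
    """Victim logs in through the phish page; report who ends up with a usable session."""
    victim_ip, attacker_ip = "203.0.113.5", "45.0.0.7"
    r = Registrar(step_up=step_up)
    r.register("rowan", "hunter2", b"otp-seed", "+61-4xx", victim_ip)
    proxy = PhishProxy(r, attacker_ip)
    resp = proxy.relay_login("rowan", "hunter2", r.otp_code("rowan", 1), 1)
    attacker_token = victim_token = None
    if resp["status"] == "ok":
        attacker_token = resp["token"]          # session captured; the used OTP no longer matters
    else:
        code = r.sms_outbox[-1][1].rsplit("code ", 1)[1].rstrip(".")
        if user_follows_sms:                    # user goes to the real site directly
            victim_token = r.complete_step_up(resp["challenge"], code, victim_ip)["token"]
        else:                                   # user types the SMS code into the phish page
            attacker_token = proxy.relay_step_up(resp["challenge"], code)["token"]
    return {
        "attacker_owns_session": r.whoami(attacker_token, attacker_ip) == "rowan",
        "victim_owns_session": r.whoami(victim_token, victim_ip) == "rowan",
        "token_replay_elsewhere": r.whoami(attacker_token or victim_token, "198.51.100.9") is not None,
        "sms_sent": len(r.sms_outbox),
    }


if __name__ == "__main__":
    for args in [(False, True), (True, True), (True, False)]:
        print(args, scenario(*args))
```

The third scenario is the one Vendot's closing comment points at: the step-up only helps if the user actually leaves the phish page, so the out-of-band message has to tell them to type the URL themselves, and the registrar must bind the session to the IP that completes the challenge rather than the one that started the login.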
