Domain Renewal Phishing Scams

Update: I received another letter this year (May 2017). Seems iDNS Canada is still in business.

When I received a letter in the mail asking me to renew my domain name, I immediately recognized it as a scam.

The letter was designed to look like a bill, even including a return envelope for me to send payment to a company called iDNS Canada. I’d never heard of them before.

The letter starts with a notification that my domain name is expiring soon and I can take advantage of their “best savings” by switching my registrar to Internet Domain Name Services. The scammer is taking precautions to avoid legal trouble, but the entire letter is designed to be misleading. They even explain that I’m under “no obligation to pay” – bolding the words “this is not a bill.”

As with most social engineering scams, the use of personal information is what hooks victims into thinking a scam is credible. This letter included my domain name, accurate expiry date, and home address. All of this information is publicly available in my WHOIS records (which would’ve been private if I had purchased domain protection through my registrar – more on that later). All the scammer had to do is gather a list of domain owners’ information and plug those variables into a form letter.

It’s also worth noting that these kinds of “offline scams” prey on people who inherently distrust doing business on the internet. Some people consider offline communication to be more trustworthy. Everyone expects spam in their inbox, but not in their mailbox.

Registrar Scam

This is not a new scam, in fact, it’s been around for about fifteen years:

Domain slamming – (also known as unauthorized transfers or domain name registration scams) is a scam in which the offending domain name registrar attempts to trick domain owners into switching from their existing registrar to theirs, under the pretense that the customer is simply renewing their subscription to their current register. – Wikipedia

Someone spent time and money to put this campaign together. They paid postage. Color printing. That stuff is not cheap. They probably even paid for the list of users they targeted. It is clear they are making money. Despite all of their effort, there are still visible cracks in the pavement.

• They offer a website you can visit – www.idns.ae – the .ae TLD is for the United Arab Emirates – but when you visit the site it currently redirects to idns.to (.to is the TLD for Tonga). Phishy on both counts.
• Secondly, a registrar is never going to send you snail mail. Period.

If I was less familiar with phishing scams, maybe I would have mistaken this as legitimate. Even the name iDNS Canada sounds official to an unsuspecting victim.

What Happens to Victims?

When someone actually sends payment, there are several things that can happen. For one, the scammer now has your credit card information and can begin charging you outrageous fees whenever they like. They also can take control of your domain.

The prices for domain renewal are about 4x the normal price offered by other registrars. On top of this, they also require a “redemption fee” of $300 which they hide at the bottom of the pricing table:

• Domain Registry of Europe
• Domain Registry of America
• Domain Registry of Canada
• Domain Registry of Australia
• Domain Renewal Group
• Domain Renewal SA
• Internet Corporation Listing Service
• Internet Registry of Canada
• Asian Domain Registration Service
• Liberty Names of America
• Registration Services Inc.,
• Yellow Business.ca
• Domain Renewal Group

• idnsinc.at
• idnsinc.com
• idns.as
• idns.to
• DomainRegister.com.au
• DomainRenewalGroup.com
• droc.ca
• namejuice.com

Future Phishing

There are over a billion websites online today; many of them owned by people who lack a technical understanding of how the web works. These website owners make prime targets for social engineering and tech support scams. This is why it’s so important that the convenience of technology is tempered with education about the risks involved with having an online presence.

For example, if my WHOIS records were private, I would have never received this letter. Domain privacy is an optional yearly service you can pay for through your registrar to protect your WHOIS records. Many website owners don’t even know what WHOIS records are in the first place, and those folks are the most vulnerable to this type of spam campaign.

The phenomenon of phishing against website owners will only get worse over time:

• The gap between the user interface (what you see) and the underlying structure of the web (how it’s built) is becoming more expansive, allowing new website owners to remain ignorant of the internet’s true architecture.
• Personally, identifiable information is being bought, sold, traded, and shared at an exponential rate. In time we will see certainly more sophisticated scams making use of increased access to social engineering vulnerabilities.

Conclusion

People are naturally scared of what they don’t understand, and phishing scams are designed to play to the fear and trust.

Phishing is something we see all the time. Most often, we see it in a very amateurish form that is easy to detect. This letter is no exception.  Just take a look at your spam folder. The problem is that sophisticated, targeted phishing does exist. Social engineering is becoming more complex and effective. What if the scammer took a few extra steps? It’s not difficult to find out who is hosting a website and then copy all of their marketing material. Spoofing, lookups, and sharing techniques are growing more complex all the time. The truth is that black hats are not going away and they are getting smarter.

I feel confident that I can spot a phishing attempt because I’m hyper vigilant when it comes to verifying my sources before proceeding. I wouldn’t call it paranoid – I’m just prepared for a truly formidable phishing scam. With all this unprecedented access to personal information, it’s only a matter of time before they become commonplace.