Attention Webmasters: Fake Domain Renewal Emails Spotted - gHacks Tech News

Attention Webmasters: Fake Domain Renewal Emails Spotted

I have a lot of domains. Well, a lot is relative but it is enough to lose the overview occasionally. While the majority is hosted at one popular provider (Godaddy), some are hosted at other domain registrars and web hosting companies. I get regular automated emails from those companies. They tell me that a domain name is expiring for instance.

Imagine my surprise when I received a new email today from a company that I never worked with before. The email was send by [email protected] and was send via secureserver.net, a Godaddy owned company IIRC.

It reads:

FWD: Attention: MARTINBRINKMANN.com Expiring Soon

Notice of Expiration

Domain Name: MARTINBRINKMANN.COM
Bill To: Invoice # 1304452910
Invoice Date May 3, 2011
Essen, NR Terms Net 14
45130 - US Due Date May 18, 2011
P.O. #
ONLINE SECURITY
Domain Name Registration Price Term
MARTINBRINKMANN.COM May 3, 2011 - May 3, 2012 $75.00 1 Year

Attention :

This solicitation is to inform you that it's time to send in your search engine registration for MARTINBRINKMANN.COM. DRS is a submission service and search engine ranking firm.

Failure to complete your search engine registration by May 18, 2011 may result in the cancellation of this offer (making it difficult for your customers to locate you using search engines on the web).

Your registration includes search engine submission for MARTINBRINKMANN.COM for 1 year. You are under no obligation to pay the amount stated above unless you accept this offer by May 18, 2011. This notice is not an invoice. It is a courtesy reminder to register MARTINBRINKMANN.COM for search engine listing so that your customers can locate you on the web.

This Offer for MARTINBRINKMANN.COM will expire on May 18, 2011. Act today!
For Domain Name:
MARTINBRINKMANN.COM
ONLINE SECURITY
unsubscribe

All links in the email pointed to http://domainrenereg.com/. A few aspects of that email were suspicious:

  • I was not addressed personally
  • The price for a one year renewal was way to high ($75)
  • The domain was set to expire on May 3, 2011 but I did not receive renewal emails before.
  • The domain was paid for until 2013 and not 2011

I was curious and visited the site anyway. I knew that I was protected from harm by NoScript, so no worries there. The page looked like this

invoice

Notice anything in particular? Right, there is no account login on the page. All you can do is to enter your credit card data on the first page. That page was obviously phishing for credit card information.

This is the first time that I have received such an email. It looks and feels very amateurish to me. Having said that, it is likely that the attackers will tune the emails in the future, for instance by only writing to domain owners whose domains are really expiring.

Use this as a word of caution. If you receive such emails submit them to your domain registrar so that their legal department can take care of it.

As a side note. I'm currently working on a domain management tool which webmasters and companies can use to manage all their domains and web properties. If you are interested to hear more about it let me know.





  • We need your help

    Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

    We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats (video ads) or subscription fees.

    If you like our content, and would like to help, please consider making a contribution:

    Comments

    1. Daryl said on May 3, 2011 at 11:13 pm
      Reply

      Got one much the same as that myself for one of several/many domains I look after.

      It’s a pretty good job too as these things go. However, it stuck out for me too for much the same reason as you mention (a) not from one of the small number of companies who look after my domains (b) price.

      Undoubtedly it will catch out the unwary though.

    2. Andy said on May 3, 2011 at 11:54 pm
      Reply

      It’s an obvious phishing scam, especially when you read what it’s for – search engine registration – not domain name registration.

      1. Martin Brinkmann said on May 4, 2011 at 12:17 am
        Reply

        It is nevertheless linking domains to their rightful owners. But good eyes you got, that the money you pay for is not for the domain renewal.

    3. Rick said on May 4, 2011 at 5:04 am
      Reply

      If this is your first phishing on domain registration you have been lucky I guess. I get about one a month. The highest attempted registration fee I’ve run into is $125 / yr or a real discount of $200 for 2 yearrs :)

      Fortunately I have all of the domains on a host that provides the registration dates etc. with auto-renews, so I know whatever I get via email is not real.

    4. Patrick Duguay said on May 8, 2011 at 5:01 pm
      Reply

      I got this as well except that it has all my personal information connected to my account. Don’t know how they got this information.

      1. Martin Brinkmann said on May 8, 2011 at 5:20 pm
        Reply

        Probably from the whois information.

    5. DLouise said on May 10, 2011 at 8:14 pm
      Reply

      Yup…just received one of these today. The tip off? The over-inflated renewal amount!

      Was about to “reply” regarding the new rate, when it hit me, somethin’ ain’t right here. Their email address was fishy, looked it up, found it was associated with “cashparking.com”…you can read the “who-is” on this one.

      Thanks for your boards as well, for further info.
      DLR

    6. Kloxi said on May 14, 2011 at 8:51 pm
      Reply

      Yeah – I’ve just had this too. If they wanted my credit card details they could have been smart enough to guess approximately how much I expect to pay for “search engine registration”. NOT 75$! God bless the idiots of this world! Seriously though, we need to watch out for these guys getting smarter as has been pointed out. Hey – it wouldn’t be difficult!

    7. Amanda said on May 16, 2011 at 3:37 am
      Reply

      Hi – just had the same email. A number of things stood out that made it suspect. The subject line started with *Re: * for a start! Some poor sentence structure, along with the fact that my webhosting company was not listed anywhere made it easy to spot the fake, but I’m sure it would be successful with some. Very sneaky!
      FYI – I found this site just by googling the subject line – so great stuff!

      Cheers, A

    8. Mick Lauer said on May 16, 2011 at 4:54 pm
      Reply

      Thanks for the heads up. FBed it to all I know, and our company is notifying our clients.

      I found this article because a client of mine asked about their domain.

      Thanks again,

      M!ck
      Ricepirate

    9. jim bosche said on September 28, 2011 at 7:24 am
      Reply

      this is the website –
      http://comregistrat.com/order/1BM1apH8aBwzCc7Z_YC4lg%3D%3D

      here is the owner of the site – i am going to call the police in beverly hills to get this idiot.

      domain: comregistrat.com
      created: 14-Sep-2011
      last-changed: 15-Sep-2011
      registration-expiration: 14-Sep-2012

      nserver: ns1.cucpa.com 216.83.33.8
      nserver: ns2.cucpa.com 216.83.33.8

      status: CLIENT-TRANSFER-PROHIBITED

      registrant-firstname: T
      registrant-lastname: Jackson
      registrant-street1: PO Box 2818, Beverly Hills
      registrant-pcode: 90213
      registrant-state: CA
      registrant-city: Beverly Hills
      registrant-ccode: US
      registrant-phone: +1.3103675558
      registrant-email:

      admin-c-firstname: T
      admin-c-lastname: Jackson
      admin-c-street1: PO Box 2818, Beverly Hills
      admin-c-pcode: 90213
      admin-c-state: CA
      admin-c-city: Beverly Hills
      admin-c-ccode: US
      admin-c-phone: +1.3103675558
      admin-c-email:

      tech-c-firstname: T
      tech-c-lastname: Jackson
      tech-c-street1: PO Box 2818, Beverly Hills
      tech-c-pcode: 90213
      tech-c-state: CA
      tech-c-city: Beverly Hills
      tech-c-ccode: US
      tech-c-phone: +1.3103675558
      tech-c-email:

      bill-c-firstname: T
      bill-c-lastname: Jackson
      bill-c-street1: PO Box 2818, Beverly Hills
      bill-c-pcode: 90213
      bill-c-state: CA
      bill-c-city: Beverly Hills
      bill-c-ccode: US
      bill-c-phone: +1.3103675558
      bill-c-email:

    10. jim bosche said on December 7, 2011 at 11:35 pm
      Reply

      this is a bogus link for a scam
      http://sportbullet.com/b3d238/index.html
      it has been used as a phishing scam to get businesses to click, for fear that the BBB has a complaint on them. it poses as coming from the BBB, but it has nothing to do with the BBB or the BBB complaints. The BBB does not send complaints by email.

    Leave a Reply