
Phishing Registrar Accounts: eNom is First Target

Gadi Evron

Criminals are now looking to use established domain names, via phishing targeted at domain registrars. This is possibly related to ICANN finally moving to stop the black hat registrars of the world.

According to the first report on the matter, sent yesterday to the Registrar Operations (reg-ops) mailing list, the attacks seem to be run by a gang of child pornography spammers. The domain names in the .biz TLD are all using fast flux technology to make the attack more difficult to mitigate.

Ironically, the subject line of the spam email claims that the user's domain has "Inaccurate Whois information".

Until eNom and other registrars get their anti-phishing services in place, I believe it is the job of the Internet security operations community to help them out by taking down these attacks.

The Registrar Operations group (reg-ops) will be watching for these and mitigating them as fast as possible, in close cooperation with the registrars and the security community.

By Gadi Evron, Security Strategist

Gadi Evron – Oct 29, 2008 3:42 PM PDT

Network Solutions just got it. Working on it.

Gadi Evron – Oct 29, 2008 4:01 PM PDT

Moniker too. Anyone cares about black hat registrars?

the phisher's goals and methods in these attacks | Greg Aaron – Oct 30, 2008 7:47 AM PDT

Registrars have been phishing targets since 2007, and so it is important for them to have plans to react when they become phishing targets. Registrars have been phishing targets since 2007, and phishers usually do not use "black hat" registrars when registering domain names for their own use. So it seems unlikely to me that this is related to ICANN's ongoing termination effort against EstDomains.

In these attacks, the phishers' goal is to get access to a registrant's account via the registrar interface, and thereby gain the ability to purchase domains via the registrant account, control the DNS of the registrant's domains, etc.

Gadi Evron – Oct 30, 2008 8:01 AM PDT

Greg, my friend. Thank you for your comment. To further clarify your point:

Malicious activity-wise, the criminals often test their attacks before they fully unleash them. I believe that is also what happened here. Only in this case they also used the date of the ICANN information confirmation messages for their phishing spam run.

As to the why, theoretically, if a criminal uses a real domain name which for our example's purpose, is used for an ecommerce website--suspending it due to abusive activity is going to be more problematic than normal, to say the least.
