Phishing Registrar Accounts: eNom is First Target

Home / Blogs

Phishing Registrar Accounts: eNom is First Target

	By Gadi Evron Security Strategist
	October 29, 2008 Views: 11,414 Comments: 4

Criminals are now looking to use established domain names, via phishing targeted at domain registrars. This is possibly related to ICANN finally moving to stop the black hat registrars of the world.

According to the first report on the matter sent yesterday to Registrar Operations (reg-ops) mailing list, the attacks seem to be run by gang of child pornography spammers. The domain names in the .biz TLD are all using fast flux technology to make the attack more difficult to mitigate.

Ironically, the email spam claims that the user’s domain, according to the subject, has “Inaccurate Whois information”.

Until eNom and other registrars get their anti-phishing services in place, I believe it is the job of the Internet security operations community to help them out by taking down these attacks.

The Registrar Operations group (reg-ops) will be watching for these and mitigating them as fast as possible, in close cooperation with the registrars and the security community.

By Gadi Evron, Security Strategist

Filed Under

Comments

Network Solutions just got it. Working on Gadi Evron – Oct 29, 2008 10:42 PM

Network Solutions just got it. Working on it.

# 1 Reply | Link | Report Problems

Moniker too. Anyone cares about black hat Gadi Evron – Oct 29, 2008 11:01 PM

Moniker too. Anyone cares about black hat registrars?

# 2 Reply | Link | Report Problems

the phisher's goals and methods in these attacks Greg Aaron – Oct 30, 2008 2:47 PM

Registrars have been phishing targets since 2007, and so it is important for them to have plans to react when they become phishing targets. Registrars have been phishing targets since 2007, and phishers usually do not use “black hat” registrars when registering domain names for their own use. So it seems unlikely to me that this is related to ICANN’s ongoing termination effort against EstDomains.

In these attacks, the phishers’ goal is to get access to a registrant’s account via the registrar interface, and thereby gain the ability to purchase domains via the registrant account, control the DNS of the registrant’s domains, etc.

# 3 Reply | Link | Report Problems

Greg, my friend. Thank you for your Gadi Evron – Oct 30, 2008 3:01 PM

Greg, my friend. Thank you for your comment. to further clarify your point:

Malicious activity-wise, the criminals often test their attacks before they fully unleash them. I believe that is also what happened here. Only in this case they also used the date of the ICANN information confirmation messages for their phishing spam run.

As to the why, theoretically, if a criminal uses a real domain name which for our example’s purpose, is used for an ecommerce website—suspending it due to abusive activity is going to be more problematic than normal, to say the least.

# 4 Reply | Link | Report Problems

The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet