Domain Names Forum

Heads up: eNom phishing emails
Be wary of convincing-looking emails purportedly sent from eNom
Receptional Andy
msg:3775343 - 9:20 pm on Oct 28, 2008 (gmt 0)

Just a heads up that I'm seeing an extremely large-scale phishing attack against enom underway at the moment.

The emails are sent randomly to common (e.g. sales@, info@, admin@ etc.), dictionary, and randomly-generated addresses, and so will mostly be received by people without enom accounts. However, the mails are quite well-crafted and might catch out the unwary.

The emails I've seen so far use randomised subjects like the below:

  • Attention: Inaccurate whois information.
  • Inaccurate whois information.
  • Inaccurate whois information. [IncidentID:33631]
  • Maintenance
  • Maintenance at eNom
  • Maintenance at eNom - attention
  • Maintenance at eNom - warning
  • Maintenance at eNom.com
  • Maintenance at eNom.com - attention!
  • Maintenance at eNom.com - warning!
  • Problem: Inaccurate whois information.
  • Warning: Inaccurate whois information.
  • Your domain must be deleted today!

The sender is also randomly selected from a list including:

  • support@enom.com
  • info@enom.com
  • info2@enom.com
  • customercare@enom.com
  • tech@enom.com

The emails vary from merely mentioning maintenance and including an account login link, to enticing clicks by saying that your domain has been suspended unless you login and verify data. Links will take you to a non-enom site such as enom.com[0-9]+.biz which will store your logon details for later exploitation.

It's quite well done, as there is a minimum of grammar and spelling errors, and overall it is more subtle and more consistent than most phishing attacks.

The messages themselves seem to be sent via an extremely large network of zombie PCs - I've seen many thousands sent to a single domain name. There are a few other footprints within the message headers, but I'll spare you the gory tech details ;)

Needless to say, if you have an enom account and have clicked on a link in such a message, and entered account details, you are most likely on a list of compromised accounts somewhere. I recommend that you immediately change your login details, and contact enom to let them know you think you have been the victim of a phishing attack.

werty
msg:3775358 - 9:50 pm on Oct 28, 2008 (gmt 0)

I just got one of these a minute ago, and came here to see if it was posted yet.

I thought it was a very convincing email... until I moused over the "enom.com links" in them:

PLEASE VERIFY YOUR CONTACT INFORMATION - [enom.com...]

and it was an enom.comXYZ.biz style domain.

Laker
msg:3775382 - 10:28 pm on Oct 28, 2008 (gmt 0)

Yup -- I received one of those today ("Maintenance") ... sent to a spam-trap address.

It was generated from/via Poland.

Thanks, Receptional Andy, for the heads-up!

Matt Mickiewicz
msg:3775386 - 10:38 pm on Oct 28, 2008 (gmt 0)

Thanks - I saw these come through to our domain admin email address as well.

conor
msg:3775615 - 9:58 am on Oct 29, 2008 (gmt 0)

Just received one too - looked convincing (for a second!)

weeks
msg:3775710 - 12:53 pm on Oct 29, 2008 (gmt 0)

Thanks to WW and Andy for the heads up!

Space2Burn
msg:3775906 - 4:13 pm on Oct 29, 2008 (gmt 0)

We got one of these as well and followed the domain to the registrar onlinenic.com -- after much digging we found a support email address. I just got the following response. Fairly weak.

[edited by: jatar_k at 4:29 pm (utc) on Oct. 29, 2008]
[edit reason] no email quotes thanks [/edit]

Space2Burn
msg:3775987 - 5:24 pm on Oct 29, 2008 (gmt 0)

Check this out. The domain owner has been kindly asked to correct the "bad issue".

<no email quotes>

[edited by: buckworks at 5:42 pm (utc) on Oct. 29, 2008]
[edit reason] No email quotes [/edit]

Space2Burn
msg:3775999 - 5:37 pm on Oct 29, 2008 (gmt 0)

Apologies - I just saw this on my previous post:

[edited by: jatar_k at 4:29 pm (utc) on Oct. 29, 2008]
[edit reason] no email quotes thanks [/edit]

What is the reason for this? Assuming that my last post will be edited/removed, the registrar OnlineNIC responded and said that they had kindly asked the domain owner (of the phishing site) to resolve the problem within 24 hours, and that I should contact them again if I see the "bad issue" is going on later. One would think that these companies would have rapid response teams available to handle this abuse.

Sorry once again if I broke any TOS... I'm new here!

Space2Burn
msg:3776005 - 5:40 pm on Oct 29, 2008 (gmt 0)

Has anyone else contacted eNom regarding this? We issued a ticket a while ago but haven't heard back. If anyone gets taken by this, the results could be catastrophic for their business. :(

buckworks
msg:3776010 - 5:44 pm on Oct 29, 2008 (gmt 0)

Space2Burn,

Please check #9. in our terms of service.

"Email excerpts of ANY type or length are not allowed on WebmasterWorld. There are no exceptions to this rule."

It's for legal reasons ...

That said, welcome to WebmasterWorld!

Space2Burn
msg:3776060 - 6:05 pm on Oct 29, 2008 (gmt 0)

Fair enough. Thanks! I've used this forum as a resource for years, so it's about time I became a member.

[edited by: Space2Burn at 6:52 pm (utc) on Oct. 29, 2008]

Receptional Andy
msg:3776155 - 7:55 pm on Oct 29, 2008 (gmt 0)

What's quite unusual about this attack is that it's been well-planned - they have a whole slew of domain names to use, and have clearly picked hosting that is unlikely to be immediately switched off quickly. Often with phishing, the sites have been switched off by the time most people receive emails, but that's not the case here.

Enom have a warning on their homepage about this, now, incidentally, although they only mention the "inaccurate WHOIS" email.

getxb
msg:3776182 - 8:28 pm on Oct 29, 2008 (gmt 0)

Got - Inaccurate whois information. [IncidentID:33631] - in the unlucky draw.

Wonder what's the purpose of all this?

hal12b
msg:3776187 - 8:32 pm on Oct 29, 2008 (gmt 0)

Funny. I got the same crap hours ago. You gotta love spam!

Receptional Andy
msg:3776196 - 8:38 pm on Oct 29, 2008 (gmt 0)

Wonder what's the purpose of all this?

If someone clicks the link, and enters their login details, the attacker has their details, can then log into their account, steal domains (and send them where they wish) and use any funds within the account. That's 'phishing', basically.

natim
msg:3776288 - 10:30 pm on Oct 29, 2008 (gmt 0)

Guys, started getting bombarded today with the same from Network Solutions. I got the enom ones yesterday, so they are spoofing both enom and Network Solutions at this point; I am sure more are to come.

caveman
msg:3776348 - 12:44 am on Oct 30, 2008 (gmt 0)

The most massive barrage I've ever seen from a single entity. Unusually good at getting through various spam filters too.

Things always to watch for:

1) If they don't identify you by account #, username and/or domain, it's 99.9% sure that they are spam/phishing. Your real account holders always make some attempt in emails to signal that they know who you really are.

2) As werty pointed out, look not just at the visible link but also at the code underneath, either by waving the cursor over the link and looking at the real link in the window bar (if it's displayed, usually on the window's bottom bar), or by viewing the source code.

The cleverest phishers usually use the real domain name as a part of the URI, often as a subdomain, in this case: enom.com.#*$!.com ... so don't be fooled by the subdomain/host looking like the site they're mimicking just because we're used to reading left to right.

Checking for the primary domain pretty quickly puts any doubts to rest.

shman
msg:3776940 - 6:09 pm on Oct 30, 2008 (gmt 0)

Good advice, Caveman. I think it is important for anyone who may have clicked the link to change their security info in their accounts. I presume most people in this community are savvy, so will be OK. I work for Network Solutions and we are trying all the ways to educate customers about phishing.

One question I have for the community is: what suggestions do you have for spreading the message? We put a caution message on our blog, our home page, and our login page. Any suggestions or ideas?

Laker
msg:3776973 - 6:36 pm on Oct 30, 2008 (gmt 0)

Any suggestions or ideas?

Send an email to each and every customer you have, with detailed information about this latest phishing attack.

Receptional Andy
msg:3776977 - 6:41 pm on Oct 30, 2008 (gmt 0)

Send an email to each and every customer you have, with detailed information about this latest phishing attack.

Just don't include any account login links ;)

The problem with the email approach is that you're asking customers to not trust emails...by email :)

Of course, it could be a plain text email without links, but it seems like the marketing departments of the most common phishing victims are not too happy with that as a suggestion.

IMO, part of the problem with phishing generally is that those most likely to be victims are also those least likely to be visiting a site where warnings might appear. Shutting down the phishing sites ASAP (and being first to be aware of the scam) is crucial - and that didn't seem to happen too well with this batch, as many of the sites I checked were still live.

shman
msg:3777023 - 7:17 pm on Oct 30, 2008 (gmt 0)

Thanks Laker and Andy, will pass on the feedback. I know the operations guys are working very closely with the registries, ISPs etc. to detect any new phishing domains from which these attacks are coming and shut them down.

werty
msg:3777049 - 8:10 pm on Oct 30, 2008 (gmt 0)

Just to update, I got a Network Solutions one today as well.

Subject of: "Attention: Inaccurate whois information."

cfx211
msg:3777177 - 12:03 am on Oct 31, 2008 (gmt 0)

I saw a Network Solutions one show up today also. I would be wary of any registrar emails for the time being.

shman
msg:3777585 - 4:50 pm on Oct 31, 2008 (gmt 0)

Hi Laker and Andy,

We are sending the emails to our customers today to warn them of the phishing attacks. Thanks for your input.

Shashi
