Heads up: eNom phishing emails

I just got one of these a minute ago, and came here to see if it was posted yet.

I thought it was a very convincing email... until I moused over the the "enom.com links" in them:

PLEASE VERIFY YOUR CONTACT INFORMATION - [enom.com...]

and it was a enom.comXYZ.biz style domain.

Yup -- I received one of those today ("Maintenance") ... sent to a spam-trap address.

It was generated from/via Poland.

Thanks, Receptional Andy, for the heads-up!

Thanks - I saw these come through to our domain admin email address as well.

Just received one too - looked convincing ( for a second!)

Thanks to WW and Andy for the heads up!

We got one of these as well and followed the domain to the registrar onlinenic.com -- after much digging we found a support email address. I just got the following response. Fairly weak.

[edited by: jatar_k at 4:29 pm (utc) on Oct. 29, 2008]
[edit reason] no email quotes thanks [/edit]

Check this out. The domain owner has been kindly asked to correct the "bad issue".

<no email quotes>

[edited by: buckworks at 5:42 pm (utc) on Oct. 29, 2008]
[edit reason] No email quotes [/edit]

Apologies - I just saw this on my previous post:

[edited by: jatar_k at 4:29 pm (utc) on Oct. 29, 2008]
[edit reason] no email quotes thanks [/edit]

What is the reason for this? Assuming that my last post will be edited/removed, the registrar OnlineNIC responded and said that they had kindly asked the domain owner (of the phishing site) to resolve the problem within 24 hours, and that I should contact them again if I see the "bad issue" is going on later. One would think that these companies would have rapid response teams available to handle this abuse.

Sorry once again if I broke any TOS... I'm new here!

Has anyone else contacted eNom regarding this? We issued a ticket a while ago but haven't heard back. If anyone gets taken by this, the results could be catastrophic for their business. :(

Space2Burn,

Please check #9. in our terms of service.

"Email excerpts of ANY type or length are not allowed on WebmasterWorld. There are no exceptions to this rule."

It's for legal reasons ...

That said, welcome to WebmasterWorld!

Fair enough. Thanks! I've used this forum as a resource for years, so it's about time I became a member.

[edited by: Space2Burn at 6:52 pm (utc) on Oct. 29, 2008]

What's quite unusual about this attack is that it's been well-planned - they have a whole slew of domain names to use, and have clearly picked hosting that is unlikely to be immediately switched off quickly. Often with phishing, the sites have been switched off by the time most people receive emails, but that's not the case here.

Enom have a warning on their homepage about this, now, incidentally, although they only mention the "inaccurate WHOIS" email.

Got - Inaccurate whois information. [IncidentID:33631] - in the unlucky draw.

Wonder whats the purpose of all this?

Funny. I got the same crap hours ago. You gotta love spam!

Wonder whats the purpose of all this?

If someone clicks the link, and enters their login details, the attacker has their details, can then log into their account, steal domains (and send them where they wish) and use any funds within the account. That's 'phishing', basically.

Guys started getting bombarded today with same from Network Solutions. I got the enom ones yesterday so they are spoofing both enom and network solutions at this point, i am sure more to come.

The most massive barrage I've ever seen from a single entity. Unusually good at getting through various spam filters too.

Things always to watch for:

1) If they don't identify you by account #, username and/or domain, it's 99.9% sure that they are spam/phishing. Your real account holders always make some attempt in emails to signal that they know who you really are.

2) As werty pointed out, look not just at the visible link but also at the code underneath, either by waving the cursor over the link and looking at the real link in the window bar (if it's displayed, usually on the window's bottom bar), or by viewing the source code.

The cleverest phishers usually use the real domain name as a part of the URI, often as a subdomain, in this case: enom.com.#*$!.com ... so don't be fooled by the subdomain/host looking like the site they're mimicking just because we're used to reading left to right.

Checking for the primary domain pretty quickly puts any doubts to rest.

Good advice Caveman. I think it is important for anyone who may have clicked the link to change their security info in their accounts. I presume most people in this community are savvy so will be OK. work for Network Solutions and we are trying all the ways to educate customers about Phishing.

One question I have for the community is what suggestions do you have for spreading the message, we put a caution message on our blog, our home page, login page. Any suggestions or ideas?

Any suggestions or ideas?

Send an email to each and every customer you have, with detailed information about this latest phishing attack.

Send an email to each and every customer you have, with detailed information about this latest phishing attack.

Just don't include any account login links ;)

The problem with the email approach is that you're asking customers to not trust emails...by email :)

Of course, it could be a plain text email without links, but it seems like the marketing departments of the most common phishing victims are not too happy with that as a suggestion.

IMO, part of the problem with phishing generally is that those most likely to be victims are also those least likely to be visiting a site where warnings might appear. Shutting down the phishing sites ASAP (and being first to be aware of the scam) is crucial - and that didn't seem to happen too well with this batch, as many of the sites I checked were still live.

Thanks Laker and Andy, Will pass on the feedback. I know the operations guys are working very closely with the Registries ,ISPs etc to detect any new phishing domains from which these attacks are coming and shut them down.

Just to update, I got Network Solutions one today as well.

Subject of: "Attention: Inaccurate whois information."

I saw a Network Solutions one show up today also. I would be wary of any registrar emails for the time being.

Hi Laker and Andy,

We are sending the emails to our customers today to warn them of the phishing attacks. Thanks for your input.

Shashi