The emails are sent randomly to common (e.g. sales@, info@, admin@ etc), dictionary and to randomly-generated addresses, and so will mostly be received by people without enom accounts. However, the mails are quite well-crafted and might catch out the unwary.
The emails I've seen so far use randomised subjects like the below:
The sender is also randomly selected from a list including:
The emails vary from merely mentioning maintenance and including an account login link, to enticing clicks by saying that your domain has been suspended unless you login and verify data. Links will take you to a non-enom site such as enom.com[0-9]+.biz which will store your logon details for later exploitation.
It's quite well done, as there is a minimum of grammar and spelling errors, and overall it is more subtle and more consistent than most phishing attacks.
The messages themselves seem to be sent via an extremely large network of zombie PCs - I've seen many thousands sent to a single domain name. There are a few other footprints within the message headers, but I'll spare you the gory tech details ;)
Needless to say, if you have an enom account and have clicked on a link in such a message, and entered account details, you are most likely on a list of compromised accounts somewhere. I recommend that you immediately change your login details, and contact enom to let them know you think you have been the victim of a phishing attack.
I thought it was a very convincing email... until I moused over the "enom.com links" in them:
PLEASE VERIFY YOUR CONTACT INFORMATION - [enom.com...]
and it was an enom.comXYZ.biz style domain.
[edited by: jatar_k at 4:29 pm (utc) on Oct. 29, 2008]
[edit reason] no email quotes thanks [/edit]
What is the reason for this? Assuming that my last post will be edited/removed, the registrar OnlineNIC responded and said that they had kindly asked the domain owner (of the phishing site) to resolve the problem within 24 hours, and that I should contact them again if I see the "bad issue" is going on later. One would think that these companies would have rapid response teams available to handle this abuse.
Sorry once again if I broke any TOS... I'm new here!
Enom now have a warning on their homepage about this, incidentally, although they only mention the "inaccurate WHOIS" email.
Wonder what's the purpose of all this?
If someone clicks the link, and enters their login details, the attacker has their details, can then log into their account, steal domains (and send them where they wish) and use any funds within the account. That's 'phishing', basically.
Things always to watch for:
1) If they don't identify you by account #, username and/or domain, it's 99.9% sure that they are spam/phishing. Your real account holders always make some attempt in emails to signal that they know who you really are.
2) As werty pointed out, look not just at the visible link but also at the code underneath, either by waving the cursor over the link and looking at the real link in the window bar (if it's displayed, usually on the window's bottom bar), or by viewing the source code.
The cleverest phishers usually use the real domain name as a part of the URI, often as a subdomain, in this case: enom.com.#*$!.com ... so don't be fooled by the subdomain/host looking like the site they're mimicking just because we're used to reading left to right.
Checking for the primary domain pretty quickly puts any doubts to rest.
One question I have for the community is what suggestions do you have for spreading the message, we put a caution message on our blog, our home page, login page. Any suggestions or ideas?
Send an email to each and every customer you have, with detailed information about this latest phishing attack.
Just don't include any account login links ;)
The problem with the email approach is that you're asking customers to not trust emails...by email :)
Of course, it could be a plain text email without links, but it seems like the marketing departments of the most common phishing victims are not too happy with that as a suggestion.
IMO, part of the problem with phishing generally is that those most likely to be victims are also those least likely to be visiting a site where warnings might appear. Shutting down the phishing sites ASAP (and being first to be aware of the scam) is crucial - and that didn't seem to happen too well with this batch, as many of the sites I checked were still live.