Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[sevenlayermuddle]

Revisiting the excellent forums to share detail of a semi-targeted scam that could probably affect others here.  I nearly fell for it.

I’ve been vaguely aware that our main domain is due for renewal soon, but keep not getting around to sorting it.   Then I receive a reminder apparently from the registrar (the correct one) , naming the domain, and warning that it expires tomorrow.   Panic, I better pay that right now, I think?

No.  The domain actually has a few weeks left, just as I thought.   The scammer has simply taken detail from publicly available information for a domain nearing expiry, and correctly predicted the panicked response it might solicit.    The renewal link in the message was, of course, malicious, good job I didn’t click it.    Since my personal email is hidden, the scam was actually addressed to support@… but like many people, I’ve configured a catch-all that forwards to my personal email anyway.

[Alex Atkin UK]

Its not a new tactic, but definitely worth the reminder.

[kitz]

Targetting domain owners has been going on for years. There has been numerous types of entrapment with scammers getting more inventive .. hoping that domain owners fall for their trick.

A lot of information is held on public records such as RIPE and Nominet which actually aids scammers in looking more authentic by supplying them with valid information about the site.  eg valid email contact name and email address.  Until fairly recently, a large portion of .co.uk domains had their private information such as real name, home address, home phone no, all available for scammers to see in the Nominet database. 

Ive always felt that Nominet disclosed too much information about their co.uk domain owners and far too strict about what they classed as private and trading.  Its taken many years for Nominet to reverse their stance on what [private] information they made public,  but the problem here is that once information is released on the Internet, then you can never go back and scrub that info for good.  Thanks to Nominet scammers could access the full name of domain holders plus a valid email addresses.. together with postal address and phone no.  Having this info to hand helps the scammers look more authentic.

Hackers are also very aware that some domain owners use aliases for email addresses.  Such domains are easily identifiable by 'hackers' looking at the email addresses used in some of the large hacked databases such as dropbox, myspace, facebook etc.  If you have an email address for any of those large breaches in the format of dropbox@mydomain.com & facebook@mydomain.com then they can try their luck against many innocent (and un-hacked) websites.  It doesn't take them 2 mins to set up a script to pull out and identify what domain owners think are unique email address.   I suspect this method has been used against some members of this forum.  Whilst I havent had the unique name I use for this forum disclosed, I have had a couple of my so called unique aliases attempts against sites I know havent been hacked - inc one for my isp forum  where I supposed been watching porn from .

[kitz]

The latest "scam" trend for domain owners is fake website bug reporting.  I've been on the receiving end for a few what are called "beg bounty" attempts.  The first time you get one of these can be very worrying and they claim to be ethical hackers who have found a serious bug on your website.

They are deliberately targetting small-medium size website owners who wont have an IT dept.   I was going to write a post about it one day from the perspective of a domain holder, but it would have to be a long one to explain properly.   It involves DMARC which 80% of websites dont have set.   I did look into it about 5 years ago when I tried to  set SPF and DKIM and I asked my hots to be told its not something I should worry about as mail goes through their mail servers.

I dont have any mail lists anyhow and I dont even see where this area is something I could set up... bear in mind Im deliberately on a managed plan.   Theres a few other things I should mention at this point, but that is when things start getting more complex and lengthy. I'll just leave it as I have DKIM and SPF and remain part of the 80%, accept my limitations in what is a complex area. I don't have financial transactions, nor mailing lists.  Or more importantly don't ever send out emails with "click here" links.   Id like to think this type of scam is actually more down to people using click here and disclosing financial info yada yada.   

A couple of years ago Troy from "Have I been pwned" fame, warned that beg bounty for DMARC policies was about to explode - he wrote a fairly longe article about the security aspect side of things.  Some website owners are forking out hundreds of £ pounds to these so called ethical hackers,  only to find out that this isnt really a security flaw on the website.


As mentioned, the first one you get can be very worrying, but when I looked it even included the same typos as the one shown in Troys article..  Its just someone running automated scripts and hoping for a lucky break that you've scared the website owner with some vague information. 

As recommended I totally ignore these so called 'beg bounties' and dont enter into any type of conversation.  Its a shame really as it could end up where website owners ignore what really is a bug from a real white hat.

These guys can be persistent. For example from my mailbox:.

21/08/23

Hey Team any update? How long do I have to wait to hear from you for my reward?

19/06/23

Kindly update me about my reward, it's been quite a while since I sent you a vulnerability report. Please don't let my efforts be wasted

16/06/23

Should I expect a reply regarding my reward today?

14/06/23

Kindly let me know about my reward for the ethical disclosure of the vulnerability.

02/05/23

Kindly update me about my reward. I'm expecting a cash reward for reporting this bug ethically to you.

   

[Alex Atkin UK]

I love that last one given "ethical" reporting would be to do so regardless of any potential for reward.

The instant you start demanding monetary rewards you've clearly indicated that being ethical had nothing to do with your reasons.

[sevenlayermuddle]

I’ve had fake renewal notices before, but they’re usually obvious.

What got me about this one was the apparent authenticity.   Spoofed to imitate the actual registrar that I use. With that registrar’s convincing email headings and  full and correct postal address.  And perfectly well written. None of the usual spelling errors or grammatical failures.   Also the fact it arrived very close to the real expiry date.

As said, it got me for a moment.  Maybe I’m just not as sharp as the rest of you.

[Alex Atkin UK]

I've had them in the post too I believe.