An internet maze of several (some hidden) domain names across different registrars, with or without whois privacy, 2 countries, stolen credit card numbers and ICANN. And this is only part of what this scam is about.
I got an email yesterday with the subject “clinicalagency.com EXPIRATION!”. The renewal price is so low, at $3 for a .com, that it is very tempting for people who don’t know much about domain names, registrars and renewals.
The email comes from “INTERNET DOMAIN REGISTRATION” and the email address: firstname.lastname@example.org. The domain name spells “domain” with 2 “i”s and 2 “n”s. But “domaiinnregistration.com” is not even registered.
They actually mistyped the email address, as their scam website is located at domaiinregistration.com with 2 “i”s and 1 “n” in “domain”. The domain was registered at a Chinese registrar on the 18th of September 2014 by someone from China who doesn’t even make an effort to hide their whois details:
Registrant Name: liang wang
Registrant Organization: Wang Liang
Registrant Street: Shang Hai Shi Xu Hui Qu Tian Dong Lu 2887Hao
Registrant City: Shang Hai Shi
Registrant State/Province: SH
Registrant Postal Code: 200000
Registrant Country: cn
Registrant Phone: 02166586654
Registrant Fax: 02166586654
Registrant Email: email@example.com
Here is the text of the email message for the scam:
“INTERNET DOMAIN REGISTRATION CORPORATION
As a courtesy to the domain name holder the INTERNET DOMAIN REGISTRATION CORPORATION is hereby notifying you that this is your FINAL NOTICE to submit your renewal registration for: clinicalagency.com
Failure to complete your domain name renewal registration by the expiration date may result in CANCELLATION of your domain, therefore making it difficult for your customers to locate your website on the Internet.
Attn: Digital Domains MEPE
This important FINAL NOTICE is to inform you to submit your renewal registration for the domain name clinicalagency.com with the INTERNET DOMAIN REGISTRATION CORPORATION by paying the outstanding renewal registration amount.
Failure to complete your domain name renewal registration by 09/30/2014 may result in the cancellation of this domain.
Your payment includes the domain renewal registration for clinicalagency.com for 1 year. It is your obligation to pay the amount stated above by 09/30/2014 for renewal of your registration for the domain name clinicalagency.com.
This notice serves as the last reminder for domain name clinicalagency.com.”
Their script is so bad that it can only parse domain names, emails and addresses but not expiration dates. Better luck next time, scammers.
But it only gets better from here. If you visit domaiinregistration.com you arrive at a website that says “© 2014 Internet Corporation For Assigned Names and Numbers.” at the bottom and has an actual ICANN logo at the top. It also has some headlines from real ICANN news in the News & Media section.
On the homepage you are presented with 5 ways to pay for your domain name renewal. It’s kind of funny that you don’t need an account with them and you don’t even tell them what domain name you are renewing! They just want your credit card details and you are done. That easy. When I first saw the email I thought that this was a “Registry Of America” type of scam, but I was wrong. They are only trying to take your credit card number and are using the whois data to seem more credible.
The scam website domaiinregistration.com is pulling images and other files from the domain designlab.co. I checked the source files on domaiinregistration.com. Designlab.co was registered last November at Go Daddy and whois details are behind privacy. DESIGNLAB.CO has no website.
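The source check described above can be repeated with a short script that lists every off-site host a page references. This is an added example, not code from the original post; the sample markup and its file paths are constructed, and comparing only the last two labels of each hostname is a simplifying assumption.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make a browser fetch or navigate to another URL.
URL_ATTRS = {"src", "href", "action", "poster", "data"}

class ResourceCollector(HTMLParser):
    """Collect (tag, absolute URL) pairs for every URL-bearing attribute."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.found = page_url, []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                # Resolve relative and protocol-relative references.
                self.found.append((tag, urljoin(self.page_url, value.strip())))

def site_of(host):
    """Naive registrable domain (last two labels); an assumption, not a PSL lookup."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def third_party_hosts(page_url, html):
    """Count references per host that lies outside the page's own domain."""
    own = site_of(urlsplit(page_url).hostname)
    collector = ResourceCollector(page_url)
    collector.feed(html)
    hits = Counter()
    for _tag, url in collector.found:
        host = urlsplit(url).hostname  # None for mailto: and similar schemes
        if host and site_of(host) != own:
            hits[host.lower()] += 1
    return hits

# Constructed sample markup; the real page source is not reproduced here.
SAMPLE_HTML = """
<link rel="stylesheet" href="//designlab.co/placeholder/site.css">
<script src="http://designlab.co/placeholder/form.js"></script>
<img src="http://www.designlab.co/placeholder/logo.png">
<img src="/img/cards.png">
<form action="pay.php" method="post"></form>
<a href="mailto:billing@domaiinregistration.com">Contact</a>
"""

if __name__ == "__main__":
    for host, n in third_party_hosts("http://domaiinregistration.com/", SAMPLE_HTML).most_common():
        print(f"{n:3d}  {host}")
```

Each host it reports is a separate whois and nameserver lookup to make, which is how designlab.co enters the picture here.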
Designlab.co had no whois privacy back in June 2014 and this was the owner:
Registrant Name: Mizanur Rahman
Registrant Address1: Kashim pur, Bagicha Bazar
Registrant Address2: Bishwanath
Registrant City: Sylhet
Registrant State/Province: Sylhet
Registrant Postal Code: 3130
Registrant Country: Bangladesh
Registrant Country Code: BD
Registrant Phone Number: +880.1714101291
Registrant Email: firstname.lastname@example.org
The same person owns the domain techfen.com that is registered with Namesilo. designlab.co is using the nameservers MEGHEWETT.BIZ that in turn uses the nameservers DNSOWL.COM. All 3 domains techfen.com, MEGHEWETT.BIZ and DNSOWL.COM are registered with Namesilo. You do the math.