Thursday, October 30 2008

1. Read spam. 2. Click on link. 3. Profit?

[Update: …and the real Network Solutions sent out notices warning about the scam today, which suggests it was pretty well-distributed]

[Update: already another one today, to a completely different address, also not associated with any domain registrations. This one came from a German IP address that’s pretending to be Yahoo, with disguised links leading to a different Russia-based domain owned by the same “Shestakov Yuriy”, through yet another Chinese registrar. Long ago, I set up a special filter rule for anything coming from a .biz domain; I think it’s time to apply the same rule to any mention of the TLD, in email or browser windows]

This is one of the more transparent scam emails I’ve seen recently.

  1. It’s going to a randomly-scraped address that has no connection to any domain registration.
  2. It doesn’t mention any domains that the recipient owns.
  3. It claims that this unnamed domain’s registration has lapsed, and as the former owner, the recipient is entitled to a percentage of the sale price to someone else.
  4. It insists that the only way to claim the money is by clicking on the link (and, of course, filling in a great deal of personal information).
  5. The link is labeled “renew your domain”, and falsely claims to point to Network Solutions, with “.sys62.biz” (a Russian “commerce” domain set up through a Chinese registrar) hidden in the HTML.
  6. There’s nothing in the link to identify an individual recipient; you won’t even be greeted by name if you’re dumb enough to click it.
  7. According to the headers, it allegedly originated on a machine in Australia that happens to have an IP address in Turkey.

I figure 5% of what they send out will slip past spam filters, 5% of the people who see it will click the link, and 1% of those will be stupid enough to enter the information necessary to have their identities stolen. If they sent out 100,000, that’s two identity thefts. And they probably sent out a lot more than 100,000.

From: "networksolutions.com Tech Support" 
To: <____@jgreely.com>
Subject: Your domain is expired today!
Date: Thu, 30 Oct 2008 15:35:57 +0200
 
Dear Network Solutions Customer,
 
We recently notified you that the registration period for your Network 
Solutions domain name had expired. As a benefit of having previously 
registered a domain name(s) with Network Solutions, you are eligible to 
receive a percentage of the net proceeds that were generated from the 
renewal and transfer of the domain name you chose not to renew. 
Since you have chosen not to renew the domain name listed below 
during the applicable grace period, we were successful in securing a 
backorder for this domain name on your behalf and it has been 
transferred to another party in accordance with the Service Agreement.
 
Renew your domain now - http://www.networksolutions.com.sys62.biz
 
You must click on the following link, enter your domain name, and 
confirm your contact information in order to claim these funds. If your 
contact information is not correct, you must enter Account Manager 
and make the appropriate changes prior to clicking "submit" from the 
confirmation screen. If you do not do this, you will be confirming 
inaccurate information and will not receive any payment. Checks will 
only be made payable and mailed to the Account Holder of record.
 
Sincerely,
 
Network Solutions® Customer Support