Fake domain name registration/extension notice leads to phishing attempt


Over the last few days MX Lab, http://www.mxlab.eu, has intercepted a low volume of fake domain registration/extension notices. They are clearly attempts to steal credit card information over an insecure HTTP connection.

The emails are sent from addresses like:

noreply@orderinformation4640.com
noreply@yourcompletedorder4002.com
noreply@yourreceipt2612.com
noreply@yourcompletedorder6221.com

The possible subjects are:

FWD: Attention: Domain Registration
FWD: Attn: Domain *****.com

The body of the email:

FWD: Attention: Domain Registration
Domain Name: *****.com

Bill To:
****** *****
******
*********

Invoice # AUG-2-362-1083560
Date 8/24/2016
Terms Net 15
Due Date 8/29/2016
P.O.#

SECURE ONLINE PAYMENT
Domain Name Date Range Price Term
sitotech.com 8/24/2016 – 8/24/2017 $75.00 1 Year
Dear ***********,

Don’t miss out on this offer which includes search engine submissions for ******.com for 12 months. There is no obligation to pay for this order unless you complete your payment by 8/29/2016. Our services provide submission and search engine ranking for domain owners. This offer for submission services is not required to renew your domain registration.

Failure to complete your search engine registration by 8/29/2016 may result in the cancellation of this order (making it difficult for your customers to locate you using search engines on the web).

You are under no obligation to pay the amount stated above unless you accept this offer by 8/29/2016. This is a courtesy reminder for *******.com.

This offer for ******.com will expire on 8/29/2016. Act today!

For Domain Name:
*****.com

SECURE ONLINE PAYMENT

Our last intercepted sample leads to the web site hxxp://orderinformation4640.com/order/2-362-n82w-bko-5sc-e7a4.

Note that the domain used in the sender's email address is also used in the insecure HTTP request. A web form is present on that page.

MX Lab recommends double-checking all requests received by email for domain registrations and/or extensions of your current domain, and not sending credit card details over an insecure HTTP request. When you receive such a request and are unsure, contact your current domain registrar, check the expiration date of your domain, and only renew your domain through their control panel.
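The indicators described in this post can be turned into a mail-filter check. The following is an added example, not MX Lab's own code: the function name, the indicator labels and the sample message are constructed for illustration from the addresses, subjects and defanged URL quoted above.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample built from the values quoted in this post; URL kept defanged.
SAMPLE = """\
From: noreply@orderinformation4640.com
To: owner@example.com
Subject: FWD: Attention: Domain Registration

SECURE ONLINE PAYMENT
hxxp://orderinformation4640.com/order/2-362-n82w-bko-5sc-e7a4
"""

SUBJECT_RE = re.compile(
    r"^FWD: (Attention: Domain Registration|Attn: Domain \S+)$", re.I)
# Sender domains listed in the post: lowercase words plus four digits, under .com
SENDER_DOMAIN_RE = re.compile(r"^[a-z]+\d{4}\.com$")
URL_RE = re.compile(r"\b(?:https?|hxxps?)://[^\s\"'<>]+", re.I)


def refang(url):
    """Map a defanged hxxp(s):// URL back to http(s):// for parsing only."""
    return re.sub(r"^hxxp", "http", url, flags=re.I)


def score_message(raw):
    """Return, in order, the indicators from the post that a raw message matches."""
    msg = message_from_string(raw)
    hits = []
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if SUBJECT_RE.match(msg.get("Subject", "").strip()):
        hits.append("subject")
    if SENDER_DOMAIN_RE.match(sender_domain):
        hits.append("sender-domain-pattern")
    # Assumption: text parts are not transfer-encoded (no base64 decoding here).
    body = "\n".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    for url in URL_RE.findall(body):
        parts = urlsplit(refang(url))
        if parts.scheme != "http":
            continue  # only plaintext HTTP links are of interest
        if "plaintext-http-link" not in hits:
            hits.append("plaintext-http-link")
        same_host = (parts.hostname or "").lower() == sender_domain
        if same_host and "http-link-on-sender-domain" not in hits:
            hits.append("http-link-on-sender-domain")
    return hits
```

A message matching several indicators at once is a candidate for quarantine; any single indicator on its own is weak evidence.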

One thought on “Fake domain name registration/extension notice leads to phishing attempt”

  1. info@avuk.net is the same. I have got a message today, same story. Take care it is a SCAM!

    IMPORTANT NOTICE
    Domain SEO Service Registration Corp.
    Notice#: 551349
    Date: 09/18/2016

    EXPIRATION OFFER NOTICE
    DOMAIN: xxxxxxxxxxxxxx
    Notification Purchase Offer

    EXPIRATION OFFER DATE: 09/26/2016
    To: xxxxxxxxxxxxxxxxxx
    xxxxxxxxxxx
    xxxxxxxxxxx
    xxxxxxxxxxx

    Domain Name:

    Registration SEO Period:

    Price:

    Term:
    xxxxxxxxxxxxx 10/10/2016 to 10/10/2017 $64.00 1 Year

    SECURE ONLINE PAYMENT
    Domain Name: xxxxxxxxxx
    Attn: xxxxxxxxxxxx
    This important expiration notification offer notifies you about the expiration offer notice of your domain registration for xxxxxxxxxxxx search engine optimization submission. The information in this expiration notification offer may contain confidential and/or legally privileged information from the notification processing department of the Domain SEO Service Registration to purchase our search engine traffic generator. We do not register or renew domain names. We are selling traffic generator software tools. This information is intended only for the use of the individual(s) named above.
    If you fail to complete your domain name registration xxxxxxxxxxxx search engine optimization service by the expiration date, may result in the cancellation of this search engine optimization domain name notification offer notice.
    PLEASE CLICK ON

    SECURE ONLINE PAYMENT
    TO COMPLETE YOUR PAYMENT.
    Failure to complete your seo domain name registration xxxxxxxxxxxxx search engine optimization service process may make it difficult for customers to find you on the web.
    CLICK UNDERNEATH FOR IMMEDIATE PAYMENT
    PROCESS PAYMENT FOR

    xxxxxxxxxxx

    SECURE ONLINE PAYMENT

    ACT IMMEDIATELY

    This domain seo registration for xxxxxxxxxxxx search engine service optimization notification offer will expire 09/26/2016.
    Instructions and Unsubscribe Instructions:
    You have received this message because you elected to receive special notification offers. If you no longer wish to receive our notifications, please unsubscribe here or mail us a written request to Domain SEO Service Registration Corp., Miami Beach, FL 33139. If you have multiple accounts with us, you must opt out for each one individually in order to stop receiving notifications notices. We are a search engine optimization company. We do not directly register or renew domain names. We are selling traffic generator software tools. This message is CAN-SPAM compliant. THIS IS NOT A BILL. THIS IS A NOTIFICATION OFFER. YOU ARE UNDER NO OBLIGATION TO PAY THE AMOUNT STATED UNLESS YOU ACCEPT THIS NOTIFICATION OFFER. This message, which contains promotional material strictly along the guidelines of the CAN-SPAM act of 2003. We have clearly mentioned the source mail-id of this email, also clearly mentioned our subject lines and they are in no way misleading. Please do not reply to this email, as we are not able to respond to messages sent to this address.
